[NTSysADM] RE: SIEM devices

2018-01-26 Thread Brian Desmond
Have you looked at competing cloud solutions (e.g. Microsoft OMS, Splunk, etc.)?

Thanks,
Brian

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Friday, January 26, 2018 1:54 PM
To: Benjamin Durham 
Subject: [NTSysADM] SIEM devices

I know we have discussed this before but I am up for hardware renewal of my 
LogRhythm.
Looking like I will go with a LogRhythm XM4411 device.

Does anyone have something better they use or have heard of from IBM, Splunk, 
or McAfee (The rest of the top 4 in the Leaders of the Magic Quadrant.)
Let me know in the next 2 weeks.
Looking to get my old LogRhythm LXR2 updated.


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190| F: 317.554.8106



RE: [NTSysADM] Server build recommendation

2018-01-26 Thread Brian Desmond
Pretty much.

I believe Essentials has the same license grant as standard (one guest server 
VM) but I wouldn't quote myself on that. You'd have to license additional VMs 
beyond that.

Thanks,
Brian


Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Friday, January 26, 2018 1:21 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Server build recommendation

I've never played with Windows Essentials, and have very little experience with 
Hyper-V, so I'll need to do some more reading.

Let me parrot back to you, to make sure I understood what you said.

I can set up the new machine with Windows Essentials as a Hyper-V host, and use 
that, with the same media and license, to run a VM that will be the DC.

Is that correct?

If it is, could I also stand up a Win10 VM (with its own license, of course), 
and use that to run their property management software?

How many VMs does a license for Windows Essentials support? I don't see a need 
for more than two at this point, and the hardware will certainly support their 
needs, but I want to get myself educated before I go in there and make a mess.

Kurt

On Fri, Jan 26, 2018 at 7:57 AM, Susan Bradley <sbrad...@pacbell.net> wrote:
> In SMB space I don't see VMware as the virtualization platform of 
> choice. I see HyperV, not to mention in a single host, you either go 
> with what we used to do:  Host is not domain joined, hanging off the 
> dhcp/dns of the firewall with static entries.  Or what you can do what 
> we do now in the 2012 R2 and later era which is domain join the host 
> to the DC-VM and it doesn't freak out and boots just fine without DHCP/DNS.
>
> I wouldn't use VMware.  I would do HyperV, and I would make these VMs. 
> You never know even in SMB when you have a need for a virtual machine 
> to stand up and test something, or a need for another server to put 
> the application on.
>
>
> On 1/25/2018 8:29 PM, Kurt Buff wrote:
>
> VMware really wants a DNS server at boot time. If your DNS server is a 
> VM on that host, it isn't there for VMware.
>
> This is a problem, to say the least.
>
> It's really the only reason why I have a DC on its own physical host 
> in my server room.
>
> Kurt
>
> On Thu, Jan 25, 2018 at 7:36 PM, Susan Bradley <sbrad...@pacbell.net> wrote:
>
> Why two hosts?
>
>
>
>
> On 1/25/2018 7:09 PM, Kurt Buff wrote:
>
> I had further discussion with them today.
>
> The LOB is Timberline property management software, and they're 
> adamant about keeping it in-house. They were also set on Dell, so we 
> finally settled on a Dell T430, with an H330 RAID card, and two 1tb 
> NLSAS drives, and 16gb RAM. The Windows Essentials will come from 
> Amazon for a lot less than what Dell was charging - and they weren't 
> bundling Essentials with this machine anyway.
>
> They have moved their email to gmail (which was news to me - last I 
> had heard from them they were still using their SBS 2003 Exchange).
>
> They also wanted to keep their RD1000 unit for backups, which seemed 
> pretty reasonable - actually, they'll be getting a new RD1000 bundled 
> into the new machine, and probably keep the old one for an emergency 
> spare.
>
> I'm going to turn that server into a combined AD/DNS/DHCP and file 
> server, and I think I can convince them to keep their Timberline 
> software on a domain-joined Win10 machine - it just gives me the 
> shivers to install third party software on a DC.
>
> I didn't save them much on pricing (maybe $100-200), but I think I got 
> them a much better machine.
>
> And, as a followup, once they have ordered it and it's in house, I'll 
> be walking their guy through setting it all up.
>
> If I could, I'd virtualize it all, but doing that right would involve 
> two hosts, and more servers than they need, I think that it's pretty 
> good the way we went.
>
> Kurt
>
> On Thu, Jan 25, 2018 at 9:11 AM, Susan E Bradley, CPA/CITP/CFF, GSEC 
> <sbrad...@pacbell.net> wrote:
>
> What LOB needs do they have?  What storage?
>
> Premise peeps:  The Gen 10 Microserver doesn't have the fans it once 
> had, my peeps are recommending HP ML110e
>
> Cloud peeps:  Do they really need a server or a rethinking of what 
> they do needs to be done and office 365/mapped drive to Sharefile or 
> Google drive would be a better plan going forward.  What LOB is 
> keeping the need for the on premise server?
>
> These days, check that chip to see if it will get a spectre/meltdown 
> patch.
>
>
> On 1/25/2018 8:18 AM, Rick Berry wrote:
>
> I'd suggest the consideration of something aftermarket as an o

RE: [NTSysADM] Problems enabling AD Recycle Bin

2017-10-12 Thread Brian Desmond
It is not possible to only enable this in one domain. It's a forest-level 
feature. Here's the sample syntax from the docs:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Thursday, October 12, 2017 2:08 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Problems enabling AD Recycle Bin

My AD is Win 2008 R2 (forest and domain level). I have a parent-child domain 
structure, and want to enable the AD Recycle Bin in the child domain. I am 
getting an error of "A referral was returned from the server".

Q: Do I need to be doing this on the child DC, or on the root DC?

Specifically, I am doing (in the Active Directory Module for PowerShell, as 
Administrator):

Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target (Get-ADForest -Current LocalComputer)

I am doing this on the PDC of the child domain.

Do I need to be doing this on the Domain Naming Master, which is in the Root 
domain? And - if so - will enabling it there, then enable it for both domains?
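An added example, not from either message above: it checks the forest functional level, looks up the Domain Naming Master (which sits in the forest root, so the call is not answered with a referral the way it is from a child DC), and enables the feature forest-wide only after a confirmation, since enabling is irreversible. The function name is ours and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: enable the AD Recycle Bin forest-wide from the Domain Naming Master.
# Assumes the ActiveDirectory module is installed and the caller is an Enterprise Admin.
Import-Module ActiveDirectory

function Enable-ForestRecycleBin {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Forest to act on; defaults to the forest of the logged-on user.
        [string]$ForestName = (Get-ADForest -Current LoggedOnUser).Name
    )

    $forest = Get-ADForest -Identity $ForestName

    # The Domain Naming Master lives in the forest root domain. Sending the request
    # there avoids "A referral was returned from the server" from a child-domain DC.
    $dnm = $forest.DomainNamingMaster

    # Forest functional level must be Windows Server 2008 R2 (ADForestMode value 4) or higher.
    if ([int]$forest.ForestMode -lt 4) {
        throw "Forest functional level is $($forest.ForestMode); 2008 R2 or higher is required."
    }

    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dnm
    if ($feature.EnabledScopes.Count -gt 0) {
        # Already on: the feature is forest-wide, so it covers every domain, child included.
        Write-Verbose "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
        return $feature
    }

    # Enabling cannot be undone, hence ConfirmImpact High: -WhatIf and -Confirm are honoured.
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable AD Recycle Bin (forest-wide, irreversible)')) {
        Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
            -Scope ForestOrConfigurationSet -Target $forest.Name -Server $dnm -Confirm:$false
        return Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dnm
    }
}

# Dry run first; drop -WhatIf to enable for real (a confirmation prompt follows).
Enable-ForestRecycleBin -WhatIf
```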




[NTSysADM] RE: PowerShell brainfart

2017-10-12 Thread Brian Desmond
This works too

gwmi Win32_UserProfile | where { $_.Sid -eq 
[System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value }

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, October 12, 2017 5:55 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: PowerShell brainfart

One liner:

Get-CimInstance Win32_UserProfile |? {
    $_.SID -eq (
        Get-CimInstance Win32_UserAccount |? {
            $_.Caption -eq ( Get-CimInstance Win32_ComputerSystem ).UserName
        }
    ).SID
}


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 12, 2017 4:24 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: PowerShell brainfart

Thank you sir, that appears to work well indeed

A kick in the right direction would have sufficed, but that’s sorted me nicely 

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: 12 October 2017 21:10
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: PowerShell brainfart

This isn’t the fastest (using .NET would be), but it’s easy to understand:

$username = ( gwmi win32_computersystem ).username.ToString()
$sid = ( gwmi win32_useraccount |? { $_.Caption -eq $username } ).SID
gwmi win32_userprofile |? { $_.SID -eq $sid }


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 12, 2017 3:45 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] PowerShell brainfart

OK, I’m having a ditzy moment

I’m trying to query profile type in PowerShell using gwmi

Specifically gwmi win32_userprofile | select localpath, status

But this returns all users on the machine – how can I make it return just the 
current user? I’m having a severe blonde moment – help!

(Apologies to all blondes on the list)

Cheers,



James Rankin CTA ACA vExpert
Technical Evangelist / Media Hound
Howell Technology Group
Office: 0191 4813446
Mobile: 07809 668579
Email: ja...@htguk.com<mailto:ja...@htguk.com>

www.htguk.com<http://www.htguk.com/> | Twitter<https://twitter.com/htguk> | 
Linkedin<https://www.linkedin.com/in/markhtg> | 
Facebook<https://www.facebook.com/HTGUK>


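An added example, not code from any post in this thread: it wraps Brian's WindowsIdentity lookup in a function, decodes the Win32_UserProfile Status bitmask James was after, and adds a -ConsoleUser switch for the case the one-liners quietly get wrong: run elevated as a different admin, as SYSTEM, or from a scheduled task, "current user" is the account running PowerShell, not the person at the console. The function name is ours.

```powershell
# Added example: profile of the current or console user, with the Status bits decoded.
function Get-InteractiveUserProfile {
    [CmdletBinding()]
    param(
        # Default: the account running PowerShell (Brian's WindowsIdentity approach).
        # -ConsoleUser: the console session's user, which differs when the script runs
        # elevated as another admin, as SYSTEM, or under a scheduled task.
        [switch]$ConsoleUser
    )

    if ($ConsoleUser) {
        # Win32_ComputerSystem.UserName is "DOMAIN\user" for the console session, or $null
        # when nobody is logged on at the console (headless or RDP-only box).
        $name = (Get-CimInstance Win32_ComputerSystem).UserName
        if (-not $name) { throw 'No interactive console user is logged on.' }
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } else {
        $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    }

    # Filter server-side on the SID instead of pulling every profile and filtering in the pipeline.
    $prof = Get-CimInstance Win32_UserProfile -Filter "SID = '$sid'"
    if (-not $prof) { throw "No local profile found for SID $sid." }

    # Status is a bitmask: 1 = temporary, 2 = roaming, 4 = mandatory, 8 = corrupted.
    # A value of 0 is an ordinary local profile.
    $flags = @{ 1 = 'Temporary'; 2 = 'Roaming'; 4 = 'Mandatory'; 8 = 'Corrupted' }
    $type = foreach ($bit in ($flags.Keys | Sort-Object)) {
        if ($prof.Status -band $bit) { $flags[$bit] }
    }
    if (-not $type) { $type = @('Local') }

    [pscustomobject]@{
        SID         = $prof.SID
        LocalPath   = $prof.LocalPath
        Status      = $prof.Status
        ProfileType = $type -join ','
        Loaded      = $prof.Loaded
        LastUseTime = $prof.LastUseTime
    }
}

# Compare the two from an elevated prompt opened with a different admin account:
Get-InteractiveUserProfile
Get-InteractiveUserProfile -ConsoleUser
```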



RE: [NTSysADM] Odd problems with account display after name change

2017-09-16 Thread Brian Desmond
I'd more wonder if the app doesn't have a database that it sticks some bits 
about the user in the first time they sign-in and never updates it again.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Friday, September 15, 2017 7:01 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Odd problems with account display after name change

No, I'm not sure the app isn't caching - this despite the web developer's 
assertion that it's a direct query to AD for each login.

I'm going to do an iisreset this weekend, and see if that resolves the problem.

Kurt

On Fri, Sep 15, 2017 at 4:18 PM, Brian Desmond <br...@briandesmond.com> wrote:
> Seems unlikely. Are you sure the app isn't caching something locally?
>
> Thanks,
> Brian Desmond
>
> w – 312.625.1438 | c – 312.731.3132
>
> -Original Message-
> From: listsad...@lists.myitforum.com 
> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
> Sent: Friday, September 15, 2017 6:03 PM
> To: ntsysadm <NTSysADM@lists.myitforum.com>
> Subject: [NTSysADM] Odd problems with account display after name 
> change
>
> All,
>
> I've got a couple of questions, but first what I'm seeing.
>
> One of our users went through a name change this week (from jmounts to 
> jmartin), and now she's seeing her old ID on a couple of internally developed 
> web sites (we show who's logged in on the landing page for each of them) that 
> get permissions from AD.
>
> I've looked over her account briefly (get-aduser -properties*), and see a 
> couple of places that still show the old ID:
>
>legacyExchangeDN  : /o=Exampe/ou=US/cn=Recipients/cn=JMounts
>msExchADCGlobalNames   :
> EX5:cn=JMounts,cn=Recipients,ou=US,o=Example:organizationalperson$pers
> on$top41538F7E51E1C701}
>
> The second one above also has NT5 and FOREST entries.
>
> I also see these entries:
>
>ProxyAddresses   X400:c=US;a= ;p=Example;o=US;s=Mounts;g=Jill;
>
> along with her smtp and sip addresses, and
>
>textEncodedORAddress   : X400:C=US;A= ;P=Zetron;O=ZETUS;S=Mounts;G=Jill;
>
> But since they don't show jmounts, I don't think they play a role here.
>
> So, the question:
> 1) would any of these fields be picked up by the web sites? Doesn't seem 
> likely to me.
>
> 2) Is there any other place I should be looking to track this down?
>
> Kurt
>
>
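For the second question (where else to look), an added example that is not part of the thread: it walks every attribute on the renamed account and reports the ones whose value still contains the old logon name, multi-valued attributes included. The function name is ours; the identity and pattern in the call are the ones from Kurt's message.

```powershell
# Added example: find every attribute of an AD user whose value still matches a pattern.
Import-Module ActiveDirectory

function Find-ADUserAttributeValue {
    param(
        [Parameter(Mandatory)][string]$Identity,   # the account as it is now, e.g. new sAMAccountName
        [Parameter(Mandatory)][string]$Pattern,    # regex to look for, e.g. the old logon name
        [string]$Server                            # optional DC to query; omit for the default
    )
    $splat = @{ Identity = $Identity; Properties = '*' }
    if ($Server) { $splat.Server = $Server }
    $user = Get-ADUser @splat

    foreach ($attr in ($user.PropertyNames | Sort-Object)) {
        # Multi-valued attributes (proxyAddresses, msExchADCGlobalNames, ...) come back as
        # collections; @() wraps single values so both cases go through the same loop.
        foreach ($value in @($user.$attr)) {
            if ($null -ne $value -and "$value" -match $Pattern) {
                [pscustomobject]@{ Attribute = $attr; Value = "$value" }
            }
        }
    }
}

# Which attributes still carry the old ID? Expect the legacyExchangeDN-style Exchange
# attributes to show up: Exchange never rewrites them, so old X500 addresses stay resolvable.
Find-ADUserAttributeValue -Identity 'jmartin' -Pattern 'jmounts'
```

If an application shows the old name while nothing outside the Exchange attributes matches, the value is coming from the application's own store rather than from AD.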




RE: [NTSysADM] Odd problems with account display after name change

2017-09-15 Thread Brian Desmond
Seems unlikely. Are you sure the app isn't caching something locally?

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Friday, September 15, 2017 6:03 PM
To: ntsysadm <NTSysADM@lists.myitforum.com>
Subject: [NTSysADM] Odd problems with account display after name change

All,

I've got a couple of questions, but first what I'm seeing.

One of our users went through a name change this week (from jmounts to 
jmartin), and now she's seeing her old ID on a couple of internally developed 
web sites (we show who's logged in on the landing page for each of them) that 
get permissions from AD.

I've looked over her account briefly (get-aduser -properties*), and see a 
couple of places that still show the old ID:

   legacyExchangeDN  : /o=Exampe/ou=US/cn=Recipients/cn=JMounts
   msExchADCGlobalNames   :
EX5:cn=JMounts,cn=Recipients,ou=US,o=Example:organizationalperson$person$top41538F7E51E1C701}

The second one above also has NT5 and FOREST entries.

I also see these entries:

   ProxyAddresses   X400:c=US;a= ;p=Example;o=US;s=Mounts;g=Jill;

along with her smtp and sip addresses, and

   textEncodedORAddress   : X400:C=US;A= ;P=Zetron;O=ZETUS;S=Mounts;G=Jill;

But since they don't show jmounts, I don't think they play a role here.

So, the question:
1) would any of these fields be picked up by the web sites? Doesn't seem likely 
to me.

2) Is there any other place I should be looking to track this down?

Kurt




RE: [NTSysADM] Recommendations for a Security Software Reseller

2017-09-07 Thread Brian Desmond
You’re never going to get unbiased advice from someone that resells software. 
They’re going to recommend solutions they resell (which will never be the total 
scope of what’s out there) and ones that are advantageous to them to resell. If 
you want unbiased advice, I would urge you to find a consulting firm that is 
vendor agnostic (and thus doesn’t resell anything) to look at your requirements 
and make a set of recommendations.

Thanks,
Brian



Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Joe Tinney
Sent: Tuesday, September 5, 2017 4:56 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Recommendations for a Security Software Reseller

Hey folks,

I'm interested in working with a reseller that has a strong knowledge of 
current security software (anti-malware, app whitelisting, endpoint firewall, 
etc). Before I go with what I know (Symantec Endpoint Protection) I want to 
make sure I've vetted some of the newer offerings. I've seen lots of different 
suggestions come through from everyone and if you have any more of those that 
would be great as well.

Basically, I'm looking to provide a solid layer of prevention (right now we've 
invested heavily in response via logging and reporting tools like Netwrix, 
AlienVault, etc). By prevention I meant I'm interested in looking at a solution 
that provides endpoint network isolation, authorization management, application 
whitelisting, behavioral analysis, etc.

We've come out of contract with a vendor that was providing TrendMicro's cloud 
product and I was very underwhelmed. I've trialed Symantec Endpoint Cloud and 
again, the same. These small business products just aren't up to the task I'm 
looking to accomplish.

I believe that I do not have the time at the moment to learn, design and 
implement solutions using Group Policy nor do I have extensive MS licensing 
that would allow me to employ more advanced solutions like AppLocker. The 
implementation of products that I'm interested in may of course change my mind 
depending on how protracted the configuration can be.

If anyone has someone they enjoy working with and is sharp please let me know. 
This would be for a company based in the Midwestern Region of the US.

Regards,
Joe


[NTSysADM] RE: scheduling iSCSI connections

2017-08-13 Thread Brian Desmond
So what happens if your ransomware scenario occurs while the backup is running? 
That invalidates all your backups at that point as well.

Perhaps I'm thinking of something else but all the backup toolsets I've worked 
with all push the data over the network to a central system that interacts with 
the backend storage/media.

Thanks,
Brian


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of J- P
Sent: Saturday, August 12, 2017 10:39 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Re: scheduling iSCSI connections


Not sure I follow. The backup runs to a "local disk iSCSI target" then 
replicates offsite, but I'm assuming (God forbid) ransomware hits the host; then 
it would also encrypt the "local iSCSI disk".

tia


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
<listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>> on 
behalf of Brian Desmond <br...@briandesmond.com<mailto:br...@briandesmond.com>>
Sent: Saturday, August 12, 2017 5:51 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: scheduling iSCSI connections


Wouldn't your backup tool be responsible for doing this? This seems very likely 
to fail in some way, shape, or form at some point.

Thanks,
Brian


Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of J- P
Sent: Friday, August 11, 2017 12:59 PM
To: NT <ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>>
Subject: [NTSysADM] scheduling iSCSI connections



Is it possible to schedule iSCSI connections (connect at 11pm, disconnect 6am)?

We currently back up our Hyper-V guests to our NAS, which is presented to the 
host via iSCSI.

The goal is to achieve the equivalent of ejecting a tape after backup is 
complete, in case of a ransomware infection.

We do also have it offsite; however, I'd much rather restore 6tb locally than 
over the wire.

Any thoughts/feedback are greatly appreciated.

[NTSysADM] RE: scheduling iSCSI connections

2017-08-12 Thread Brian Desmond
Wouldn't your backup tool be responsible for doing this? This seems very likely 
to fail in some way, shape, or form at some point.

Thanks,
Brian


Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of J- P
Sent: Friday, August 11, 2017 12:59 PM
To: NT <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] scheduling iSCSI connections


Is it possible to schedule iSCSI connections (connect at 11pm, disconnect 6am)?

We currently back up our Hyper-V guests to our NAS, which is presented to the 
host via iSCSI.

The goal is to achieve the equivalent of ejecting a tape after backup is 
complete, in case of a ransomware infection.

We do also have it offsite; however, I'd much rather restore 6tb locally than 
over the wire.

Any thoughts/feedback are greatly appreciated.


RE: [NTSysADM] Advice on patching Domain Controllers via WSUS

2017-07-16 Thread Brian Desmond
This approach doesn’t really scale beyond a handful of servers…

Windows is well setup to have updates installed but pending a reboot – the 
servicing system is built to support that.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Hank Arnold
Sent: Saturday, July 15, 2017 4:34 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Advice on patching Domain Controllers via WSUS

I never allow any server to auto install updates. I can’t allow them to reboot 
automatically. If they don’t reboot, then they are in what I consider an 
unstable environment. They all are set for Option 3 (download & inform).

Regards,
Hank Arnold
"Understanding is a 3-edged sword. Your side, my side and the truth."
J. Michael Straczynski
My Blog: http://blogs.msmvps.com/hankshelp/
Twitter: @Hank_PCDoc
Facebook: https://www.facebook.com/hank.arnold.96

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone
Sent: Wednesday, July 12, 2017 10:56 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Advice on patching Domain Controllers via WSUS

Our policy has been that our DCs are not patched via WSUS, like other member 
servers, but instead that we manually install the current patches from 
Microsoft Update. But now, I would like to change this, and use WSUS to patch 
all the DCS to our production levels (meaning: one month behind on released 
patches).

I don't see any downsides to this. I would create a new GPO (rather than modify 
the Default Domain Controllers Policy). I think I might still set them to 
download only, not automatically install.

Thoughts?
Should I let them auto-install, like most of my other member servers?
Is that what you others do?
Do you let your DCs get their patches via WSUS?

(the more servers I don't have to manually install patches on, the happier I 
am. We have some servers that we must do manually, for reasons I won't go into)



RE: [NTSysADM] Advice on patching Domain Controllers via WSUS

2017-07-13 Thread Brian Desmond
You can configure clusters and maintenance windows in SCCM so it will only 
reboot a certain percentage of a given population of machines at one point also.


Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, July 12, 2017 10:07 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Advice on patching Domain Controllers via WSUS

I patch everything with SCCM.  Currently, all of my servers get updates 
deployed to them, with reboots being done manually by me after hours.  I have a 
little over 200 total, minus the 30 or so in my test group that gets done the 
previous week.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone
Sent: Wednesday, July 12, 2017 7:56 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Advice on patching Domain Controllers via WSUS

Our policy has been that our DCs are not patched via WSUS, like other member 
servers, but instead that we manually install the current patches from 
Microsoft Update. But now, I would like to change this, and use WSUS to patch 
all the DCS to our production levels (meaning: one month behind on released 
patches).

I don't see any downsides to this. I would create a new GPO (rather than modify 
the Default Domain Controllers Policy). I think I might still set them to 
download only, not automatically install.

Thoughts?
Should I let them auto-install, like most of my other member servers?
Is that what you others do?
Do you let your DCs get their patches via WSUS?

(the more servers I don't have to manually install patches on, the happier I 
am. We have some servers that we must do manually, for reasons I won't go into)



RE: [NTSysADM] Set-ImageSize Help

2017-06-20 Thread Brian Desmond
I wouldn’t really worry about it, but, the thing I see that’s not disposed is 
the $Graphics variable. You can tell it needs to be by looking up the class on 
MSDN<https://msdn.microsoft.com/en-us/library/system.drawing.graphics(v=vs.110).aspx>
and seeing that it implements IDisposable.

From a pattern perspective, all the disposes should be wrapped in try {…} 
finally {$foo.Dispose()} blocks. In C#/VB you’d use a using {} block but AFAIK 
PowerShell doesn’t have an equivalent. For example:

$NewImage = $null
$Graphics = $null

try
{
    $NewImage = new-object System.Drawing.Bitmap $NewWidth,$NewHeight

    $Graphics = [System.Drawing.Graphics]::FromImage($NewImage)
    $Graphics.InterpolationMode = [System.Drawing.Drawing2D.InterpolationMode]::HighQualityBicubic
    $Graphics.DrawImage($OldImage, 0, 0, $NewWidth, $NewHeight)

    $ImageFormat = $OldImage.RawFormat
}
finally
{
    if ($Graphics -ne $null)
    {
        $Graphics.Dispose()
    }

    if ($NewImage -ne $null)
    {
        $NewImage.Dispose()
    }
}



Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sean Martin
Sent: Monday, June 19, 2017 11:33 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Set-ImageSize Help

Hey Brian,

Thanks for the input. An initial batch of about 1500 photos will be run in a 
controlled scenario. For ongoing automation, the script will execute weekly and 
process an average of 5-10 photos per execution. Can you elaborate on your 
comment about the unmanaged resources? Any recommendation on releasing those 
resources?

- Sean

On Sat, Jun 17, 2017 at 7:42 AM, Brian Desmond 
<br...@briandesmond.com<mailto:br...@briandesmond.com>> wrote:
Also note that script does not dispose of all of the unmanaged resources it 
uses. For one-offs you’re never going to notice anything, but, if you’re going 
to run a ton of images through it at once or host it inside something other 
than a one-off PowerShell window, you may see memory and/or handle counts grow 
undesirably for the process.

Thanks,
Brian


Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Sean Martin
Sent: Friday, June 16, 2017 6:03 PM

To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Set-ImageSize Help

Ah! That's where I was confused. That did the trick, thanks again for your help!

- Sean

On Fri, Jun 16, 2017 at 2:47 PM, Michael B. Smith 
<mich...@smithcons.com<mailto:mich...@smithcons.com>> wrote:
Dot sourcing is “more-or-less” equivalent to ipmo.

So you need to separate that into 2 lines.

   . .\Set-ImageSize.ps1
   Set-ImageSize -Image $Source -Destination $Destination -WidthPx $Width -HeightPx $Height


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Sean Martin
Sent: Friday, June 16, 2017 5:49 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Set-ImageSize Help

Thanks for the additional insight. Dot sourcing eliminated the error, but it's 
not actually performing the resize. I haven't had to use dot sourcing in the 
past, are there any particular considerations when passing parameters, or 
should it be as simple as the following line:

. .\Set-ImageSize.ps1 $Source -Destination $Destination -WidthPx $Width -HeightPx $Height

On Fri, Jun 16, 2017 at 12:10 PM, Michael B. Smith 
<mich...@smithcons.com<mailto:mich...@smithcons.com>> wrote:
Don’t use ipmo. Use dot-sourcing.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Sean Martin
Sent: Friday, June 16, 2017 3:54 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Set-ImageSize Help

Commenting the line that loads system.windows.forms didn't make a difference.

My script, along with set-image.ps1 are in the same directory. I use 
"import-module .\set-imagesize.ps1 within a try/catch block and that succeeds. 
The script fails at the point where it runs:

set-imagesize $sourcephoto -destination $destination -Widthpx $Width -HeightPx 
$height

The variables are set as follows:

$sourcephoto = 
$destination = 
$width = "96"
$height = "96"

I was able to test interactively by setting the same variables and running the 
command. Kind of stumped as to why it won't run within my script.

On Fri, Jun 16, 2017 at 11:10 AM, Michael B. Smith 
&
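An added example for this Set-ImageSize thread (and for the earlier message from it repeated further down), not the script under discussion or Brian's fragment: a complete resize function in which every GDI+ object, the source image included, is released in a finally block, so that a batch of 1500 photos does not leave handles behind. Function and parameter names are ours; the folder paths at the bottom are placeholders.

```powershell
# Added example: resize an image and dispose every unmanaged GDI+ object, whatever happens.
Add-Type -AssemblyName System.Drawing

function Resize-Image {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][int]$WidthPx,
        [Parameter(Mandatory)][int]$HeightPx
    )

    # .NET resolves relative paths against the process working directory, not the
    # PowerShell location, so resolve both paths before handing them to GDI+.
    $src = (Resolve-Path -LiteralPath $Image).ProviderPath
    $dst = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)

    $OldImage = $null; $NewImage = $null; $Graphics = $null
    try {
        # Image.FromFile keeps the source file locked until the object is disposed,
        # which is why the source belongs in the finally block too.
        $OldImage = [System.Drawing.Image]::FromFile($src)
        $NewImage = New-Object System.Drawing.Bitmap $WidthPx, $HeightPx
        $Graphics = [System.Drawing.Graphics]::FromImage($NewImage)
        $Graphics.InterpolationMode = [System.Drawing.Drawing2D.InterpolationMode]::HighQualityBicubic
        $Graphics.DrawImage($OldImage, 0, 0, $WidthPx, $HeightPx)

        # Save in the source's own format (JPEG stays JPEG) instead of the PNG default.
        $NewImage.Save($dst, $OldImage.RawFormat)
        Get-Item -LiteralPath $dst
    }
    finally {
        # Dispose in reverse order of creation. The null checks cover a failure part-way
        # through the try block, when the later objects were never created.
        foreach ($obj in @($Graphics, $NewImage, $OldImage)) {
            if ($null -ne $obj) { $obj.Dispose() }
        }
    }
}

# Batch run (placeholder folders): each call releases its handles before the next starts.
Get-ChildItem -Path 'C:\photos\in' -Filter '*.jpg' | ForEach-Object {
    Resize-Image -Image $_.FullName -Destination (Join-Path 'C:\photos\out' $_.Name) `
        -WidthPx 96 -HeightPx 96
}
```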

RE: [NTSysADM] Q about GPO Security Filtering precedence

2017-06-19 Thread Brian Desmond
Precedence is controlled by the order of the links which you can see in GPMC. 
The settings are cumulative but where there’s a conflict the most precedent GPO 
will apply.

Given you have three time windows, I think you’ll need three groups and three 
GPOs.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Monday, June 19, 2017 8:43 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Q about GPO Security Filtering precedence

So I finally got the OK to have some of our servers have their patches 
automatically installed via GPO. Right now, all applicable servers are in 1 OU. 
All are members of a specific AD group ("WSUS Members"). There is a GPO on that 
OU that has these WSUS settings:

Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update
- Configure Automatic Updates. Value: 2 (Notify for download and notify for install)

And my WSUS server is set as the intranet MS update service location.

So now I want 10 servers (as a pilot group) to reboot Sun at 9AM (I will have a 
WSUS group that has these 10, and the specific patches to install).

So what I want to do is make a new GPO, filtered on a new AD group (with these 
10 servers as members), and the new GPO will have these settings:

Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update
- Always reboot at scheduled time: ENABLED
- Automatic Updates detection frequency: ENABLED (2 hours)
- Configure Automatic Updates. Value: 4 (auto download and schedule the install)
- Install during automatic maintenance: DISABLED
- Scheduled install day and time: Sunday, 9AM
- Turn on recommended updates via Automatic Updates: ENABLED

I've been trying some test VMs with a GPO with the above settings, and they 
seem to be what I want.

Here's the question (finally!):

On the Servers OU, make a new (second) GPO with the above settings, and set 
security filtering to the new AD group. So those 10 servers will get the 
current GPO settings (just notify), AND get the new GPO settings (install and 
reboot on Sundays).

So which GPO takes precedence? Or are the settings cumulative (I think so)?

Do I just need to make the new GPO, filtered to the new group? Or do I need to 
filter on membership in *both* groups ("WSUS Members" and "WSUS 9AM group")?

(eventually there will be 3 groups - 9AM, 9:30AM and 10AM - so I can stagger 
the reboots)
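
An added example, not from the thread, that applies the rule Brian gives above to the two GPOs described here: walk the OU's links in order, keep only the GPOs whose security filtering covers the computer, and take the first one that defines "Configure Automatic Updates" (the AUOptions value under the Windows Update policy key: 2 = notify, 4 = auto download and schedule). It assumes the GroupPolicy and ActiveDirectory RSAT modules; the OU DN and computer name are placeholders.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy and ActiveDirectory modules
# (RSAT) and read access to the GPOs. The OU DN and computer name are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$OuDn     = 'OU=Servers,DC=example,DC=local'   # placeholder: the OU both GPOs are linked to
$Computer = 'SERVER01'                         # placeholder: one of the 10 pilot servers

# SIDs in the computer's token: itself, Authenticated Users (S-1-5-11) and every group it
# belongs to transitively (matching rule 1.2.840.113556.1.4.1941 walks nested groups server-side).
$comp = Get-ADComputer -Identity $Computer
$dn   = $comp.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
$tokenSids = @($comp.SID.Value, 'S-1-5-11') +
    @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" | ForEach-Object { $_.SID.Value })

# GPOs linked to the OU, lowest Order first (Order 1 is applied last, so it wins conflicts).
# Caveat: links inherited from parent containers, Enforced links, Block Inheritance and WMI
# filters are not modelled here; Get-GPInheritance exposes the first three.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.Enabled } | Sort-Object Order

$auKey  = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$winner = $null
foreach ($link in $links) {
    # Security filtering: the GPO applies only if a trustee holding "Apply Group Policy"
    # (GpoApply) is present in the computer's token.
    $applyTo = Get-GPPermission -Name $link.DisplayName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Sid.Value }
    if (@($applyTo | Where-Object { $tokenSids -contains $_ }).Count -eq 0) { continue }

    try {
        $val = Get-GPRegistryValue -Name $link.DisplayName -Key $auKey -ValueName 'AUOptions' -ErrorAction Stop
    } catch {
        continue   # this GPO does not touch the setting; settings are cumulative, keep walking
    }
    '{0,-40} link order {1}  AUOptions = {2}' -f $link.DisplayName, $link.Order, $val.Value
    if (-not $winner) { $winner = $link }   # highest-precedence GPO that defines the value
}
if ($winner) { "Effective 'Configure Automatic Updates' for $Computer comes from '$($winner.DisplayName)'" }
else         { "No GPO linked to $OuDn that applies to $Computer sets AUOptions" }
```

Run it once for a pilot server and once for a server that is only in "WSUS Members" to see both outcomes: the pilot box lists both GPOs and the one with the lower link order wins the value, the other box lists only the notify GPO.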





RE: [NTSysADM] Set-ImageSize Help

2017-06-17 Thread Brian Desmond
Also note that script does not dispose of all of the unmanaged resources it 
uses. For one-offs you’re never going to notice anything, but, if you’re going 
to run a ton of images through it at once or host it inside something other 
than a one-off PowerShell window, you may see memory and/or handle counts grow 
undesirably for the process.

Thanks,
Brian


Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sean Martin
Sent: Friday, June 16, 2017 6:03 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Set-ImageSize Help

Ah! That's where I was confused. That did the trick, thanks again for your help!

- Sean

On Fri, Jun 16, 2017 at 2:47 PM, Michael B. Smith <mich...@smithcons.com> wrote:
Dot sourcing is “more-or-less” equivalent to ipmo.

So you need to separate that into 2 lines.

   . .\Set-ImageSize.ps1
   Set-ImageSize  -Image $Source -Destination $Destination -WidthPx 
$Width -HeightPx $Height


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Sean Martin
Sent: Friday, June 16, 2017 5:49 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Set-ImageSize Help

Thanks for the additional insight. Dot sourcing eliminated the error, but it's 
not actually performing the resize. I haven't had to use dot sourcing in the 
past, are there any particular considerations when passing parameters, or 
should it be as simple as the following line:

. .\Set-ImageSize.ps1 $Source -Destination $Destination -WidthPx $Width 
-HeightPx $Height

On Fri, Jun 16, 2017 at 12:10 PM, Michael B. Smith <mich...@smithcons.com> wrote:
Don’t use ipmo. Use dot-sourcing.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Sean Martin
Sent: Friday, June 16, 2017 3:54 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Set-ImageSize Help

Commenting the line that loads system.windows.forms didn't make a difference.

My script, along with set-image.ps1, is in the same directory. I use 
"import-module .\set-imagesize.ps1" within a try/catch block and that succeeds. 
The script fails at the point where it runs:

set-imagesize $sourcephoto -destination $destination -Widthpx $Width -HeightPx 
$height

The variables are set as follows:

$sourcephoto = 
$destination = 
$width = "96"
$height = "96"

I was able to test interactively by setting the same variables and running the 
command. Kind of stumped as to why it won't run within my script.

On Fri, Jun 16, 2017 at 11:10 AM, Michael B. Smith <mich...@smithcons.com> wrote:
One of the problems is that the script loads system.windows.forms – which is 
inherently interactive. However, the script doesn’t appear to use it. So… take 
that line out.

Tell me more about your setup for “running your script”?



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Sean Martin
Sent: Friday, June 16, 2017 2:35 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Set-ImageSize Help

Good morning/afternoon,

Looking for a bit of assistance. I'm writing a script to import photos into 
Active Directory and part of the process requires that the photos be resized, 
so I downloaded this gem: 
https://gallery.technet.microsoft.com/scriptcenter/Resize-Image-File-f6dd4a56

Importing and using the set-imagesize cmdlet works just fine when I run through 
the process interactively. However, I get the error "The term 'Set-ImageSize' 
is not recognized as the name of a cmdlet, function.." when I run my script.

I've verified the "module" imports successfully, so I've been banging my head 
on why the cmdlet isn't recognized.

Anyone run into a similar scenario?
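
An added example, not the gallery script from the thread: a resize helper that is loaded by dot-sourcing (Michael's point) and that releases the Image, Bitmap and Graphics objects in a finally block, which is the handle and memory growth Brian describes. It assumes Windows PowerShell with System.Drawing available; the file paths are placeholders.

```powershell
# Added example, not the TechNet Set-ImageSize script. Assumes .NET System.Drawing is
# available (Windows PowerShell). If saved as .\Resize-Photo.ps1, load it into the
# caller's scope by dot-sourcing (". .\Resize-Photo.ps1"), then call the function.
Add-Type -AssemblyName System.Drawing

function Resize-Photo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][int]$WidthPx,
        [Parameter(Mandatory)][int]$HeightPx
    )
    # Image, Bitmap and Graphics each wrap a GDI+ handle. The garbage collector does not
    # release those promptly, so every object is disposed in finally, even when Save fails.
    $src = $null; $bmp = $null; $gfx = $null
    try {
        $src = [System.Drawing.Image]::FromFile((Resolve-Path $Image).Path)
        $bmp = New-Object System.Drawing.Bitmap($WidthPx, $HeightPx)
        $gfx = [System.Drawing.Graphics]::FromImage($bmp)
        $gfx.InterpolationMode = [System.Drawing.Drawing2D.InterpolationMode]::HighQualityBicubic
        $gfx.DrawImage($src, 0, 0, $WidthPx, $HeightPx)
        $bmp.Save($Destination, [System.Drawing.Imaging.ImageFormat]::Jpeg)
        Get-Item $Destination
    }
    finally {
        # Dispose in reverse order of creation; skip anything that was never created.
        foreach ($o in @($gfx, $bmp, $src)) { if ($o) { $o.Dispose() } }
    }
}

# Placeholder paths; 96x96 is the size used in the thread.
$Source      = 'C:\photos\jdoe.jpg'
$Destination = 'C:\photos\resized\jdoe.jpg'
Resize-Photo -Image $Source -Destination $Destination -WidthPx 96 -HeightPx 96
```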





RE: [NTSysADM] Group Policy management

2017-06-01 Thread Brian Desmond
+1

In general, the only time you should be signing in to your domain controllers 
is to do things like patch them. Likewise, your domain admin accounts should 
essentially only be necessary for managing the DCs and things related to them.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Charles F Sullivan
Sent: Thursday, June 1, 2017 9:15 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Group Policy management

I think you have the right idea. We have a small, dedicated VM running AGPM. If 
I were starting now, I would definitely put it on Windows 2016 and make sure 
the AGPM Client is installed on Windows 10 1607 or later machines to do all the 
GPO editing. The migration is pretty easy, just find the MS article if you’re 
not already familiar with it.

Be sure to get AGPM 4, SP3 and this current update release:
https://support.microsoft.com/en-us/help/4014009/march-2017-servicing-release-for-microsoft-desktop-optimization-pack

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, May 31, 2017 6:58 PM
To: 'NT System Admin Issues Discussion list' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Group Policy management

Was curious how everyone has Group Policy Management setup.  I currently use 
one of my domain controllers as my “main” Group Policy management server, with 
AGPM installed there.  I’m preparing to install PolicyPak, and don’t want to do 
this on a domain controller, so I’m thinking that I’ll build just a really 
basic server, put PolicyPak on it, and AGPM, so that the traffic from clients 
to the PolicyPak server is not going to a domain controller trying to do other 
things.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284




[NTSysADM] RE: Managed Service Accounts

2017-05-25 Thread Brian Desmond
Someone took the easy route and rather than figuring out what access the 
account actually needed, they added it to EAs to solve the problem at hand. You 
should figure out how to get the ID out of that group.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Joseph L. Casale
Sent: Thursday, May 25, 2017 9:01 AM
To: 'ntsysadm@lists.myitforum.com' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: Managed Service Accounts

Bonnie,
The account type in terms of membership is no different than a regular account. 
When created, it starts out with minimal privileges, you can then apply 
membership as your requirement needs. They most certainly don't require EA 
membership for any fundamental operation.

jlc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Miller Bonnie L.
Sent: Thursday, May 25, 2017 7:49 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Managed Service Accounts

Thanks, and I already know what it's used for and it doesn't even need domain 
admin or local admin on the boxes it's used on.  I just don't have any others 
to compare it to but it didn't seem right.  So nobody else sees this with their 
managed service accounts, that they are in their enterprise admins group?

I'd love to use more, we just haven't upgraded/replaced any on-prem systems in 
a while that would need one.  Locking the groups down via restricted is 
something we've discussed before but haven't done, will bring it up again.

-Bonnie

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Joseph L. Casale
Sent: Wednesday, May 24, 2017 3:09 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Managed Service Accounts

I make extensive use of them. Anytime I need a service account (for Windows 
based apps that can utilize them) I use an MSA or GMSA. They work great as they 
remove the manual password management task from you.

For example, I always install MSSQL servers with them, the required permissions 
are well documented in regards to what each service requires in which scenarios.

To be honest, I can't fathom any app needing that level of permission and I am 
not sure I would automate one that did...  Find out what uses it, I doubt once 
you know that you will have any trouble inferring the genuine permission 
requirements...

jlc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Miller Bonnie L.
Sent: Wednesday, May 24, 2017 2:59 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Managed Service Accounts

So, I'm doing a regular review of admin accounts and found something odd, which 
I can't find any reference to in Google-land, that I want to ask about before I 
change it. Our "Enterprise admins" group has a managed service account in it, 
which I don't think should be there, but I really don't know, as we had a new 
system installed this last year and it's actually our first managed service 
account, so I don't have another one to compare it to. Although I have 
participated in some of the later setup, another domain admin helped with this 
portion while I was out.

So, does anyone who is using managed service accounts see them show up in your 
Enterprise Admins group, or have any reference to documentation saying it 
should be there?  On the account properties there is no "member of" tab to look 
at.

If it's not supposed to be there I want to remove it and restart the related 
systems to make sure everything continues to work correctly, but wouldn't want 
to change it if it's supposed to be there.

Thanks,
Bonnie
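
An added example, not from the thread: an audit that reports any standalone or group managed service account found (including through nesting) in the high-privilege groups, together with the memberships and the hosts allowed to retrieve its password, which is the "Member Of" view the account's property sheet does not offer. It assumes the ActiveDirectory RSAT module and read access to the domain; the group names are the built-in ones.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) and
# read access to the domain. The group list uses the built-in names.
Import-Module ActiveDirectory

$msaClasses = 'msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount'
$privileged = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'
$leaf = { ($_ -split ',')[0] -replace '^CN=' }   # DN -> CN, for readable output

$findings = foreach ($group in $privileged) {
    # -Recursive expands nested groups, so an MSA two levels down is still reported.
    $hits = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $msaClasses -contains $_.objectClass }
    foreach ($hit in $hits) {
        # Get-ADServiceAccount exposes what the account's property sheet does not show.
        $acct = Get-ADServiceAccount -Identity $hit.DistinguishedName `
            -Properties MemberOf, PrincipalsAllowedToRetrieveManagedPassword, whenCreated
        [pscustomobject]@{
            PrivilegedGroup = $group
            Account         = $acct.SamAccountName
            Class           = $acct.ObjectClass
            Enabled         = $acct.Enabled
            Created         = $acct.whenCreated
            # every direct membership; compare against what the owning service documents
            MemberOf        = ($acct.MemberOf | ForEach-Object $leaf) -join '; '
            # hosts that may retrieve the gMSA password, i.e. where this privilege is usable
            AllowedHosts    = ($acct.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object $leaf) -join '; '
        }
    }
}
$findings | Format-Table -AutoSize
```

An empty result is the expected state; any row is an account to trace back to its service and trim to the permissions that service actually documents.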



RE: [NTSysADM] Is 9389 required for External Trust?

2017-05-25 Thread Brian Desmond
It’s used by the AD PowerShell cmdlets to connect to ADWS. If you wanted to do 
PowerShell from Forest A to Forest B, you’ll need that open.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Micheal Espinola Jr
Sent: Wednesday, May 24, 2017 5:57 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Is 9389 required for External Trust?

AFAIK, 9389 shouldn't be. This may help you further sort out your port 
requirements:


https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

--
Espi


On Wed, May 24, 2017 at 8:50 AM, Christopher Bodnar 
<christopher_bod...@glic.com> wrote:
I’m setting up an external trust between two forests. There are firewalls 
between them. I’ve been using this as the basis for the firewall rules:

https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts#method3

It does NOT mention 9389 (AD DS Web Services). My understanding is that that is 
only needed for DC to DC communication within a Forest, not for a Trust. Can 
anyone confirm this?

Right now, I haven’t been able to get the trust to work yet, and I do see that 
the outgoing side of the trust is trying to get to the incoming side over 9389, 
which is currently blocked.


Thanks


Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com







RE: [NTSysADM] Get group membership through powershell

2017-04-24 Thread Brian Desmond
MemberOf is a constructed attribute which the cmdlets may not be requesting 
correctly or at all. ADUC makes specific calls to AD to get that data.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Russ
Sent: Monday, April 24, 2017 4:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by 
using get-adprincipalgroupmembership.  It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was 
curious if anyone has run into this before.  If I run get-adgroupmember for the 
group, everyone shows up who should be there, but if I try to run the reverse 
on any of the users who are a member of the group, it doesn't show up - it just 
returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that 
property at all.  (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain 
users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?
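
An added example, not from the thread: a cross-check that reads a user's group membership two ways, once through Get-ADPrincipalGroupMembership and once by asking the groups themselves with an LDAP matching-rule query on their member attribute (which never touches memberOf), and prints the groups on which the two views disagree. It assumes the ActiveDirectory RSAT module; the user name is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT);
# the user name at the bottom is a placeholder.
Import-Module ActiveDirectory

function Compare-GroupViews {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf, primaryGroupID

    # View 1: what the cmdlet returns (direct memberships, built from memberOf plus the primary group).
    $viaCmdlet = @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.DistinguishedName })

    # View 2: ask the groups. Matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
    # follows nesting, so this is the transitive set, and it does not read memberOf at all.
    # Characters that are special in an LDAP filter are escaped in the DN first.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
    $viaMember = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        ForEach-Object { $_.DistinguishedName })

    # The primary group (Domain Users by default) is stored in primaryGroupID, not in member, so add it.
    $domainSid  = (Get-ADDomain).DomainSID.Value
    $viaMember += (Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)").DistinguishedName

    Compare-Object -ReferenceObject $viaCmdlet -DifferenceObject $viaMember -IncludeEqual |
        ForEach-Object {
            [pscustomobject]@{
                Group     = ($_.InputObject -split ',')[0] -replace '^CN='
                ViaCmdlet = $_.SideIndicator -in '==', '<='
                ViaMember = $_.SideIndicator -in '==', '=>'
            }
        }
}

# Rows with ViaMember = True and ViaCmdlet = False are groups the memberOf-based view misses.
# Indirect (nested) groups legitimately show up only in the member view, since the cmdlet is not transitive.
Compare-GroupViews -SamAccountName 'jdoe' | Format-Table -AutoSize
```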


[NTSysADM] RE: SID history report

2017-04-03 Thread Brian Desmond
Looking on Github, the misc::addsid function in mimikatz is currently commented 
out.

It is supposed to call DsAddSidHistory. I'd need to go look at the 
implementation for that and see if/what it does if you give it a SID from 
DomainA to copy to another principal in DomainA.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Joseph L. Casale
Sent: Monday, April 3, 2017 1:42 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Re: SID history report


Brilliant,
That article and your notes shed a lot of light.

As an aside, have a peek at https://adsecurity.org/?p=1772, I wasn't able to 
get the tool to work, however the article itself outlines the vulnerabilities 
that could potentially manifest so I suppose it doesn't hurt to make the report 
without logical restrictions so it covers all cases.



Thanks a lot!
jlc


From: listsad...@lists.myitforum.com <listsad...@lists.myitforum.com> on 
behalf of Brian Desmond <br...@briandesmond.com>
Sent: Monday, April 3, 2017 10:13 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: SID history report


See my notes below. There is a lot of good content on SID History here - 
https://msdn.microsoft.com/en-us/library/ms677982(v=vs.85).aspx



Thanks,

Brian Desmond



w - 312.625.1438 | c - 312.731.3132



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Joseph L. Casale
Sent: Sunday, April 2, 2017 2:47 PM
To: 'ntsysadm@lists.myitforum.com' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: SID history report



Hi Brian,

Forgive me, I don't exactly follow.

A user in DomainB could have one of the following scenarios:


1.  A sIDHistory entry for DomainA\GroupA.

[Brian Desmond] Hypothetically, yes this is possible. I'd question how/why this 
happened though.
2.  A sIDHistory entry for any user or group in DomainA or DomainB that is 
themselves implicitly or explicitly granted membership in DomainA\GroupA.

[Brian Desmond] it's not possible for an object in Domain B to have a SID 
History entry with a SID also from Domain B.



If that is correct, I imagine writing something that:
1.  Collect all SIDs of all objects in DomainA\GroupA, including then 
expanding groups tail recursively.
2.  Collect all groups recursively that are members of DomainA\GroupA.



Then finding any user in DomainB who has:
1.  A sIDHistory entry in the above collection.
2.  Group membership in any of the above groups.



This should find all scenarios of convoluted implicit membership? Or given the 
restrictions on sIDHistory values, does this overcomplicate it?



Thanks,
jlc



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Brian Desmond
Sent: Sunday, April 2, 2017 11:25 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: SID history report



You really only need to grab this step:



- Enumerate any users in DomainB whose sIDHistory collection contains one or 
more of any of the above cumulative SIDs.



SIDHistory in DomainA has the SID of the group in DomainB. You need to find 
anyone who is a member of the group in DomainB. That will give them implicit 
access via SIDHistory.  Everyone else just gets the access via normal group 
membership in the DomainA group.





Thanks,

Brian Desmond



w - 312.625.1438 | c - 312.731.3132



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Joseph L. Casale
Sent: Thursday, March 30, 2017 5:05 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] SID history report



Hey guys,
I am trying to automate a report that a user has been instructed to reproduce 
on a continued basis.

Given a group "GroupA" in DomainA, I need to enumerate all users who have 
access implicitly through sIDHistory. Off the top of my head, does this miss 
anything:



- Enumerate all members of GroupA in DomainA recursively.
- Explicit users.
- Members implied through explicit group membership (recursively as well).



- Enumerate any users in DomainA whose sIDHistory collection contains one or 
more of any of the above SIDs.



- Enumerate any users in DomainB whose sIDHistory collection contains one or 
more of any of the above cumulative SIDs.



Does that cover it?

Thanks,
jlc





[NTSysADM] RE: SID history report

2017-04-03 Thread Brian Desmond
See my notes below. There is a lot of good content on SID History here - 
https://msdn.microsoft.com/en-us/library/ms677982(v=vs.85).aspx

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Joseph L. Casale
Sent: Sunday, April 2, 2017 2:47 PM
To: 'ntsysadm@lists.myitforum.com' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: SID history report

Hi Brian,
Forgive me, I don't exactly follow.

A user in DomainB could have one of the following scenarios:


  1.  A sIDHistory entry for DomainA\GroupA.
[Brian Desmond] Hypothetically, yes this is possible. I'd question how/why this 
happened though.

  2.  A sIDHistory entry for any user or group in DomainA or DomainB that is 
themselves implicitly or explicitly granted membership in DomainA\GroupA.
[Brian Desmond] it's not possible for an object in Domain B to have a SID 
History entry with a SID also from Domain B.

If that is correct, I imagine writing something that:

  1.  Collect all SIDs of all objects in DomainA\GroupA, including then 
expanding groups tail recursively.
  2.  Collect all groups recursively that are members of DomainA\GroupA.

Then finding any user in DomainB who has:

  1.  A sIDHistory entry in the above collection.
  2.  Group membership in any of the above groups.

This should find all scenarios of convoluted implicit membership? Or given the 
restrictions on sIDHistory values, does this overcomplicate it?

Thanks,
jlc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Brian Desmond
Sent: Sunday, April 2, 2017 11:25 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: SID history report

You really only need to grab this step:


- Enumerate any users in DomainB whose sIDHistory collection contains one or 
more of any of the above cumulative SIDs.

SIDHistory in DomainA has the SID of the group in DomainB. You need to find 
anyone who is a member of the group in DomainB. That will give them implicit 
access via SIDHistory.  Everyone else just gets the access via normal group 
membership in the DomainA group.


Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Joseph L. Casale
Sent: Thursday, March 30, 2017 5:05 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] SID history report


Hey guys,
I am trying to automate a report that a user has been instructed to reproduce 
on a continued basis.

Given a group "GroupA" in DomainA, I need to enumerate all users who have 
access implicitly through sIDHistory. Off the top of my head, does this miss 
anything:



- Enumerate all members of GroupA in DomainA recursively.
- Explicit users.
- Members implied through explicit group membership (recursively as well).



- Enumerate any users in DomainA whose sIDHistory collection contains one or 
more of any of the above SIDs.



- Enumerate any users in DomainB whose sIDHistory collection contains one or 
more of any of the above cumulative SIDs.



Does that cover it?

Thanks,
jlc




[NTSysADM] RE: SID history report

2017-04-02 Thread Brian Desmond
You really only need to grab this step:


- Enumerate any users in DomainB whose sIDHistory collection contains one or 
more of any of the above cumulative SIDs.

SIDHistory in DomainA has the SID of the group in DomainB. You need to find 
anyone who is a member of the group in DomainB. That will give them implicit 
access via SIDHistory.  Everyone else just gets the access via normal group 
membership in the DomainA group.


Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Joseph L. Casale
Sent: Thursday, March 30, 2017 5:05 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] SID history report


Hey guys,
I am trying to automate a report that a user has been instructed to reproduce 
on a continued basis.

Given a group "GroupA" in DomainA, I need to enumerate all users who have 
access implicitly through sIDHistory. Off the top of my head, does this miss 
anything:



- Enumerate all members of GroupA in DomainA recursively.
- Explicit users.
- Members implied through explicit group membership (recursively as well).



- Enumerate any users in DomainA whose sIDHistory collection contains one or 
more of any of the above SIDs.



- Enumerate any users in DomainB whose sIDHistory collection contains one or 
more of any of the above cumulative SIDs.



Does that cover it?

Thanks,
jlc
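
An added example, not from the thread, that implements the enumeration the three SID history report messages converge on: collect the SID of DomainA\GroupA and of everything transitively inside it, then report every DomainB user whose sIDHistory carries one of those SIDs, either on the user itself or on a DomainB group the user is a member of. It assumes the ActiveDirectory RSAT module and read access to both domains across the trust; the domain and group names are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) and that both
# domains answer LDAP/ADWS from where this runs. Domain and group names are placeholders.
Import-Module ActiveDirectory

$DomainA = 'domaina.example'   # placeholder: domain that owns GroupA
$DomainB = 'domainb.example'   # placeholder: domain whose users are being reviewed
$GroupA  = 'GroupA'            # placeholder

# Step 1: every SID in DomainA that grants access: GroupA, each nested group, each leaf member.
$groupA    = Get-ADGroup -Identity $GroupA -Server $DomainA
$grantSids = @{}                                                  # SID string -> DomainA\name
$grantSids[$groupA.SID.Value] = "$DomainA\$($groupA.SamAccountName)"
$dn = $groupA.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" -Server $DomainA |   # nested groups
    ForEach-Object { $grantSids[$_.SID.Value] = "$DomainA\$($_.SamAccountName)" }
Get-ADGroupMember -Identity $groupA -Recursive -Server $DomainA |                     # leaf members
    ForEach-Object { $grantSids[$_.SID.Value] = "$DomainA\$($_.SamAccountName)" }

# sIDHistory values normally come back as SecurityIdentifier objects, but some code paths
# hand out the raw byte form; normalise both to the S-1-5-... string used as the hashtable key.
function ConvertTo-SidString($v) {
    if ($v -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($v, 0)).Value }
    else                 { $v.Value }
}

# Step 2: DomainB users and groups whose sIDHistory holds one of the granting SIDs. An object's
# sIDHistory can only carry SIDs from another domain, so the DomainA set above is all we need.
$histUsers  = Get-ADUser  -Server $DomainB -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
$histGroups = Get-ADGroup -Server $DomainB -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory

$report = @(foreach ($u in $histUsers) {
    foreach ($sid in @($u.SIDHistory | ForEach-Object { ConvertTo-SidString $_ })) {
        if ($grantSids.ContainsKey($sid)) {
            [pscustomobject]@{ User = "$DomainB\$($u.SamAccountName)"; Path = 'own sIDHistory'; GrantsAs = $grantSids[$sid] }
        }
    }
})

# Step 3: a DomainB group carrying such a SID passes it on to all of its transitive members.
# Members that are foreign security principals from a third domain are skipped by the objectClass test.
$report += @(foreach ($g in $histGroups) {
    foreach ($sid in @($g.SIDHistory | ForEach-Object { ConvertTo-SidString $_ })) {
        if (-not $grantSids.ContainsKey($sid)) { continue }
        Get-ADGroupMember -Identity $g -Recursive -Server $DomainB |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{ User = "$DomainB\$($_.SamAccountName)"; Path = "member of $($g.SamAccountName)"; GrantsAs = $grantSids[$sid] }
            }
    }
})

$report | Sort-Object User, GrantsAs, Path -Unique | Format-Table -AutoSize
```

Each row names the DomainB user, the route (its own sIDHistory or a group's) and the DomainA principal whose SID it effectively holds, which is the list the report needs to show on each run.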




[NTSysADM] RE: Question about Word

2017-03-27 Thread Brian Desmond
You can use content controls to do this. You have to turn the Developer tab on 
in Word to create them.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Monday, March 27, 2017 7:19 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Question about Word

My Microsoft Office skills are a bit limited and I can't seem to frame the 
Google query right today...

I am writing a template document. At the start of this I want to put a section 
for "Customer Name", the idea being that when a user uses the template they can 
simply put the correct customer name in here, and then it is updated in every 
part of the document where the customer name needs to appear.

What function is it I want to use here? I just can't seem to frame the right 
query to get Google to tell me the answer, and Alexa is simply telling me she 
doesn't understand...

TIA,










James Rankin CTA ACA
EUC Solutions Architect
Howell Technology Group
Office: 0191 4813446
Mobile: 07809 668579
Email: ja...@htguk.com

www.htguk.com | Twitter: https://twitter.com/htguk | 
Linkedin: https://www.linkedin.com/in/markhtg | 
Facebook: https://www.facebook.com/HTGUK






[NTSysADM] RE: TMG forefront server

2017-03-27 Thread Brian Desmond
Yes, you will.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Friday, March 24, 2017 9:33 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: TMG forefront server

To use the WAP do I require a separate ADFS server as well?


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Brian Desmond
Sent: Sunday, March 12, 2017 11:37 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: TMG forefront server


The Web Application Proxy role in Windows 2012 R2 (although preferably 2016 for 
EAS) will do this. If you're looking for an appliance, the Kemp devices are a 
good mix of capability and cost.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of David McSpadden
Sent: Friday, March 10, 2017 6:13 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] TMG forefront server

I have a TMG forefront server that I use to pass my ActiveSync Exchange 2010 
mail through.
What is the recommended replacement for that server?


David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190





[NTSysADM] RE: Limit Remote DC to selectively replicate certain OUs?

2017-03-27 Thread Brian Desmond
This isn't possible. You can selectively replicate certain attributes, but you 
can't selectively replicate objects.

What is the replication issue you're having? What does the network connectivity 
look like - latency, utilization, bandwidth, etc.?

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Fut Dey
Sent: Saturday, March 25, 2017 3:10 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Limit Remote DC to selectively replicate certain OUs?


Hi,



Current AD environment has a single forest and domain with 55 OUs on Server 
2012 R2 at 2012 forest and domain functional levels.



One of the departments (aka OU) will be split between 2 locations (half 
in the US, half in Asia) and will share local and remote resources. The staff 
in the US and Asia will rotate quarterly.



We do have a VPN in place and the remote office is having AD-related latency 
issues, among other things. Upper management has suggested the possibility of 
hosting a read-only DC in the remote location and having that DC replicate only 
objects for that one single OU.



Management has no interest in multi-forest nor multi-domain, etc.



Is it possible to configure such a setup?



Thanks,

Fut












RE: [NTSysADM] RE: Persisting access to an Azure shared folder

2017-03-17 Thread Brian Desmond
Can you not supply the creds to your service or make your service dependent on 
another one so that it starts later?

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Friday, March 17, 2017 11:46 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: Persisting access to an Azure shared folder

OK, the problem with this seems to be timing.

Running a "cmdkey" command at logon allows the user access to the Azure share, 
but by then my service has already tried and failed to connect. So unless I can 
delay that action, I'm kinda snookered here. Either that or find some way to 
run the cmdkey command ridiculously early in the logon process, but even using 
tooling like AppSense this seems to be impossible.

Adding the credentials to the system default profile also seems to be a 
non-starter - the username for the share seems to persist, but the password is 
still prompted for. I'm thinking that stored password credentials are somehow 
hashed for or tied to the originating user, which to be honest I'd expect, 
otherwise credential theft would be incredibly easy.

Think I'm going to write this one off as unachievable in the present state - 
thanks all for suggestions.


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: 17 March 2017 14:04
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: Persisting access to an Azure shared folder



I did try Group Policy with the delay set to 0, but it didn't manage to get in 
soon enough. However I didn't configure any of the other settings, let me give 
that a try.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Stephen Gestwicki
Sent: 17 March 2017 13:49
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: Persisting access to an Azure shared folder


  *   You can use Group Policy to change the logon script delay but that only 
applies to Server 2012 R2+ and Windows 8.1+.
      *   Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure Logon Script Delay = Enabled and set to 0 minutes

  *   You can also try having the computer always wait for the network.
      *   Computer Configuration > Policies > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon = Enabled

  *   Another thing you can try is forcing each script to finish before 
allowing Group Policy to move on.
      *   Computer Configuration > Policies > Administrative Templates > System > Scripts > Run startup scripts asynchronously = Disabled

Those settings may give you a shot at having Group Policy run the script first 
but they will also slow down your logins.

  *   I also like applying these settings to a test OU so I can see what is 
going on during my tests:
      *   Computer Configuration > Policies > Administrative Templates > System > Display highly detailed status messages = Enabled
      *   Computer Configuration > Policies > Administrative Templates > System > Scripts > Display instructions in shutdown scripts as they run = Enabled
          *   Warning: users can close out your script before it finishes.
      *   Computer Configuration > Policies > Administrative Templates > System > Scripts > Display instructions in startup scripts as they run = Enabled
          *   Warning: users can close out your script before it finishes.

I hope that helps.

- Stephen

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Friday, March 17, 2017 6:37 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: Persisting access to an Azure shared folder

Given Windows' post-XP tendency to delay logon scripts, etc., I would fully 
expect that the scheduled task route would run earlier than a logon script. 
Whether it would run soon enough remains to be tested, but in my experience they 
seem to run first before anything else I've found.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Friday, March 17, 2017 12:18 AM
To: ntsysadm@lists.myitforum.co

[NTSysADM] RE: TMG forefront server

2017-03-12 Thread Brian Desmond
The Web Application Proxy role in Windows 2012 R2 (although preferably 2016 for 
EAS) will do this. If you're looking for an appliance, the Kemp devices are a 
good mix of capability and cost.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Friday, March 10, 2017 6:13 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] TMG forefront server

I have a TMG forefront server that I use to pass my ActiveSync Exchange 2010 
mail through.
What is the recommended replacement for that server?


David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190





[NTSysADM] RE: Office 365 licensing question

2017-02-25 Thread Brian Desmond
Every user needs to have an Azure AD account to use any Office 365 service. 
Whether that account is mastered in Azure AD (e.g. you create it directly 
there), or it's synchronized from your on-premises AD is up to you.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, February 24, 2017 4:59 PM
To: 'NT System Admin Issues Discussion list' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Office 365 licensing question

For the E1 licensing, I've heard a rumor that they have to be tied to Azure AD, 
not on-prem AD.  Does anyone know if that's correct?  We have several hundred 
employees that don't need a computer or Office, but do need e-mail, for 
timesheet purposes.  We want to give those folks E1 licenses.


Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>




RE: [NTSysADM] Blocking AD Client Traffic to a Certain Site

2017-02-08 Thread Brian Desmond
AD will match the most specific subnet, so in this case the 10.0.0.0/16 subnet 
will match anyone who has a 10.0.X.X IP.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Tuesday, February 7, 2017 6:55 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Blocking AD Client Traffic to a Certain Site

And there's your problem, if you didn't typo your response.

10.0.0.0/8 overlaps with (actually includes) 10.0.0.0/16

That's why some clients will go to your second site (AWS) at random.

You probably need to list out your subnets more carefully for your main site.

Kurt

On Tue, Feb 7, 2017 at 11:33 AM, Charles F Sullivan <charles.sulliva...@bc.edu> 
wrote:
> I’ve only been able to do very limited testing.
>
>
>
> -  I had about 8 member servers in a site which were actually all in
> the same subnet as each other and the one DC we had for testing, let’s 
> call the subnet 198.168.17.0/24. In that site I included the usual private 
> ranges:
> 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8
>
> -  At AWS I had a subnet with one DC and just a couple of member
> servers in the 10.0.0.0/16 subnet, which was defined as the only AWS site.
>
> Note that the AWS subnet is a subset of one that I defined at the main 
> site, but this absolutely is supported by MS and others have told me 
> that this works for them. Despite all of this I did see one member 
> server in the main site use the AWS DC after a reboot even though the 
> local DC was clearly present and being used by the other member 
> servers. So that means 1 out of 8 member servers I had for testing 
> crossed sites. This made me wonder how often it might happen in our 
> production environment where there are thousands of member computers.
>
>
>
> I do have to say that I recently got to test this again, this time 
> having 5 DCs at the main site and 2 at AWS. Again, I had just a 
> handful of member servers and a workstation and this time I didn’t see 
> any of them using an AWS DC. The AWS admin didn’t see his one member 
> server use anything besides an AWS DC.
>
>
>
> From: listsad...@lists.myitforum.com 
> [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Michael B. Smith
> Sent: Tuesday, February 7, 2017 1:32 PM
> To: ntsysadm@lists.myitforum.com
> Subject: RE: [NTSysADM] Blocking AD Client Traffic to a Certain Site
>
>
>
> Doesn’t make sense to me.
>
>
>
> The only reason you should have cross-site connections at this point 
> is because you don’t have all of the relevant subnets defined in ADS
>
>
>
> From: listsad...@lists.myitforum.com 
> [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Charles F Sullivan
> Sent: Tuesday, February 7, 2017 11:40 AM
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Blocking AD Client Traffic to a Certain Site
>
>
>
> I’d like to get some ideas and opinions regarding this, especially if 
> anyone has had a similar need…..
>
>
>
> Our AD topology to this point has been as simple as can be. Since just 
> about everything on our extended network is connected at high speeds, 
> we have never had to have more than one AD site. We are about to put a 
> couple of DCs at AWS, which of course will require a second site to be 
> defined. This will still be pretty straightforward. Everything but AWS 
> will be on the one existing site and a second site will be added for the one 
> subnet at AWS.
>
>
>
> I know that even with the two sites defined, some clients may at times 
> use the remote site. This is what I have seen in testing, for whatever 
> reason, but I don’t consider it to be a real problem because I assume 
> it would not happen often. The problem is that our director wants 
> absolutely no cross-site traffic except in the case of a disaster.
>
>
>
> It is being proposed that the firewall between the sites allow only AD 
> traffic between the DCs themselves. AD clients would be stopped at the 
> firewall. I’m not comfortable with that as a solution because I’m 
> concerned that when clients do try to use DCs at the remote site, it 
> will cause slowness if not failure. Does this seem like a bad idea for 
> that or any other reason?
>
>
>
> I was thinking that maybe I could use weight and priority within SRV 
> records so that the DCs at AWS would be weight=0 and priority=65535. 
> If I did that, would the clients at AWS honor the site rules over the 
> SRV records' weight and priority? I’m guessing that would be 
> unpredictable, thus also not a good solution.
>
>
>
> Thanks in advance for any help.
>
>
>
>
>
> Charlie Sullivan
>
> Sr. Windows Systems Administrator
>
>
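Brian's "most specific subnet wins" rule and Kurt's point that 10.0.0.0/8 contains 10.0.0.0/16 can be checked before touching a firewall. The PowerShell below is an added example, not code from this thread: it resolves a client IP to a site the way the DC Locator does (longest matching prefix) and flags a subnet of one site nested inside a subnet of another. The subnet table is constructed to mirror Charlie's layout; in a real forest build it from `Get-ADReplicationSubnet -Filter * -Properties Site`.

```powershell
# Added example (not from the thread). Sample subnets are constructed; for real data use:
#   Get-ADReplicationSubnet -Filter * -Properties Site | Select-Object Name, Site

function ConvertTo-IPv4Long {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # GetAddressBytes() is network order, so $b[0] is the most significant octet.
    # Multiplication keeps the value in a signed 64-bit long and avoids -shl sign trouble.
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPv4InSubnet {
    param([Parameter(Mandatory)][string]$Address,
          [Parameter(Mandatory)][string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    # Mask with the top $prefix bits set, e.g. /16 -> 4294901760 (0xFFFF0000)
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    return (((ConvertTo-IPv4Long $Address) -band $mask) -eq ((ConvertTo-IPv4Long $network) -band $mask))
}

function Resolve-ADSiteForIP {
    param([Parameter(Mandatory)][string]$Address,
          [Parameter(Mandatory)][hashtable]$SubnetToSite)
    $hits = @($SubnetToSite.Keys | Where-Object { Test-IPv4InSubnet -Address $Address -Cidr $_ })
    if ($hits.Count -eq 0) {
        # No subnet covers the client: it is siteless and may pick any DC in the domain
        return '(no site defined)'
    }
    # Longest prefix = most specific subnet, which is what AD uses when subnets overlap
    $best = $hits | Sort-Object { [int](($_ -split '/')[1]) } -Descending | Select-Object -First 1
    return "$($SubnetToSite[$best]) via $best"
}

function Find-CrossSiteNestedSubnet {
    param([Parameter(Mandatory)][hashtable]$SubnetToSite)
    foreach ($inner in $SubnetToSite.Keys) {
        foreach ($outer in $SubnetToSite.Keys) {
            if ($inner -eq $outer -or $SubnetToSite[$inner] -eq $SubnetToSite[$outer]) { continue }
            $innerNet = ($inner -split '/')[0]
            $innerLen = [int](($inner -split '/')[1])
            $outerLen = [int](($outer -split '/')[1])
            if ($innerLen -gt $outerLen -and (Test-IPv4InSubnet -Address $innerNet -Cidr $outer)) {
                [pscustomobject]@{
                    Nested    = $inner
                    NestedIn  = $outer
                    WinsSite  = $SubnetToSite[$inner]   # hosts in the nested range land here
                    LosesSite = $SubnetToSite[$outer]
                }
            }
        }
    }
}

# Constructed sample: broad private ranges on the main site, a /16 carved out of 10/8 for AWS
$subnets = @{
    '192.168.0.0/16' = 'MainSite'
    '172.16.0.0/12'  = 'MainSite'
    '10.0.0.0/8'     = 'MainSite'
    '10.0.0.0/16'    = 'AWS'
}
foreach ($ip in '10.0.5.7', '10.1.2.3', '192.168.17.5', '203.0.113.9') {
    # 10.0.5.7 -> AWS via 10.0.0.0/16; 10.1.2.3 -> MainSite via 10.0.0.0/8; 203.0.113.9 -> no site
    '{0,-14} -> {1}' -f $ip, (Resolve-ADSiteForIP -Address $ip -SubnetToSite $subnets)
}
Find-CrossSiteNestedSubnet -SubnetToSite $subnets | Format-Table -AutoSize
```

The nesting report is the configuration to fix: any main-site host that really sits in 10.0.x.x will be steered to the AWS DCs regardless of firewall rules, and clients from ranges not defined in AD at all show up in the DC's NETLOGON event 5807 and netlogon.log.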




RE: [NTSysADM] Blocking AD Client Traffic to a Certain Site

2017-02-07 Thread Brian Desmond
Since there are only two sites, site link bridging won’t help you here. With Site 
Link bridging, if you have say A-B-C, by default it’s implied that A can talk 
to C. With Bridge All Site Links disabled, A can only talk to B unless you add 
the two site links to a bridge.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, February 7, 2017 11:58 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Blocking AD Client Traffic to a Certain Site

If you really must, read up on site link bridging.  I’ve personally never had 
to disable it, but it sounds like what you’re looking for.
https://technet.microsoft.com/en-us/library/cc753638(v=ws.10).aspx

-Bonnie

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Charles F Sullivan
Sent: Tuesday, February 7, 2017 8:40 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Blocking AD Client Traffic to a Certain Site

I’d like to get some ideas and opinions regarding this, especially if anyone 
has had a similar need…..

Our AD topology to this point has been as simple as can be. Since just about 
everything on our extended network is connected at high speeds, we have never 
had to have more than one AD site. We are about to put a couple of DCs at AWS, 
which of course will require a second site to be defined. This will still be 
pretty straightforward. Everything but AWS will be on the one existing site and 
a second site will be added for the one subnet at AWS.

I know that even with the two sites defined, some clients may at times use the 
remote site. This is what I have seen in testing, for whatever reason, but I 
don’t consider it to be a real problem because I assume it would not happen 
often. The problem is that our director wants absolutely no cross-site traffic 
except in the case of a disaster.

It is being proposed that the firewall between the sites allow only AD traffic 
between the DCs themselves. AD clients would be stopped at the firewall. I’m 
not comfortable with that as a solution because I’m concerned that when clients 
do try to use DCs at the remote site, it will cause slowness if not failure. 
Does this seem like a bad idea for that or any other reason?

I was thinking that maybe I could use weight and priority within SRV records so 
that the DCs at AWS would be weight=0 and priority=65535. If I did that, would 
the clients at AWS honor the site rules over the SRV records' weight and 
priority? I’m guessing that would be unpredictable, thus also not a good solution.

Thanks in advance for any help.


Charlie Sullivan
Sr. Windows Systems Administrator



[NTSysADM] RE: Deny read on an OU Tree

2017-01-19 Thread Brian Desmond
Unless your AD is in List Object Mode (unlikely, and not really recommended 
usually), the ACL on every single object isn't evaluated before returning 
search results.

Denies also work a little differently in AD than on the file system, so this 
probably isn't something you want.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, January 19, 2017 1:17 PM
To: 'ntsysadm@lists.myitforum.com' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Deny read on an OU Tree


Putting up a wireless SSID for staff using a Cisco WCL. Best way to do this is 
a straight OU lookup but I can only point it at one OU.  There are multiple 
OUs I need to target that are all under 'Elyriaschools'.









As you can see Students have sub-OUs for the year they are allegedly going to 
graduate.  I want to deny read to all those years, the entirety of the Students 
OU.  You would think a deny on the account that does the LDAP lookups on 
'Students' would deny on all the sub-OUs.

But it doesn't, I have to put a deny on each Year.

Am I missing something, can I do a single deny somehow on Students?  Each 
school year a new folder is created in Students for the incoming Kindergarten 
folks... you know we will forget to do this next fall.



RE: [NTSysADM] migrating to iPhone

2016-12-25 Thread Brian Desmond
There's no central Apple ID management system, but you can force the phones to 
be MDM enrolled (and they can't be unenrolled) via Apple's DEP program which 
removes the need to have an Apple ID. If you want your people to be able to 
install Apps and such though they'll still need one.

Intune is the platform I deploy for this.

As difficult as Apple is to deal with, the Androids are often an even larger 
headache because "Android" doesn't actually mean you'll get any specific 
baseline of capabilities unless you go down the Samsung Knox route, 
realistically.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kish N Kepi
Sent: Sunday, December 25, 2016 12:45 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] migrating to iPhone

Hello All,

As we reach the point where we need to upgrade our phones, currently the LG G3 
Android phones, we're considering offering the iPhone as well as a current 
Android model.


1.   Can anyone recommend resources specifically devoted to the migration 
from Android to iPhone?

2.   Is there a way to centrally create and manage Apple IDs? Is it even 
desirable, or do I let everyone manage themselves?

3.   Any recommendations for Mobile Device Management?

Happy Holidays to all
Kish n Kepi



[NTSysADM] RE: Simple, Simple CRM

2016-12-08 Thread Brian Desmond
I use www.pipedrive.com<http://www.pipedrive.com> and have been really happy 
with it, especially as "simple" goes.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Stefan Jafs
Sent: Thursday, December 8, 2016 2:14 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Simple, Simple CRM

We are looking for a very simple CRM: our telemarketers enter some info, and if 
it becomes warm they forward / mention it to the appropriate sales person (we 
have about 20 sales people). There should be a flag for follow up.
We have tried Microsoft CRM in the past but too many buttons to push (from 
the sales guys).

Could be freestanding or a plugin to Outlook, or a plugin to SAP A-1 (our ERP 
system).

Any suggestions would be appreciated.

__
Stefan Jafs





RE: [NTSysADM] External trust issue

2016-12-08 Thread Brian Desmond
RODCs won’t help because RODCs don’t have trust passwords cached locally.

If this is done via Kerb there shouldn’t be any communication from the resource 
in the “project” forest to a DC in the “corp” forest. The client in the corp 
forest will need to contact a “project” DC, though.



Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Eric Wittersheim
Sent: Thursday, December 8, 2016 11:27 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] External trust issue

Melvin,

I'm not sure about Federation.  I'll toss out the idea of a RODC, that might be 
possible.

Thanks,

Eric

On Thu, Dec 8, 2016 at 11:00 AM, Melvin Backus 
<melvin.bac...@byers.com<mailto:melvin.bac...@byers.com>> wrote:
Just spitballing here, but would federation help that?  Or put an RODC for 
company.corp on location at custproj.corp



--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Eric Wittersheim
Sent: Thursday, December 8, 2016 11:36 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] External trust issue

I have an interesting project that I'm working on and I believe I have hit a 
snag that is going to throw a big monkey wrench in the deal.

Here is what I have to work with.

2 domains in separate forests.

Company.corp
CustProj.corp

I have created a one-way trust that allows users from Company.corp to 
authenticate to servers in CustProj.corp.  Inside of CustProj.corp there are a 
number of servers that users can authenticate to using Company.corp credentials.  
The rub is that when a user is logging into server1.CustProj.corp using Company.corp 
credentials the authentication request goes to a DC in Company.corp.  This I 
believe is by design from Microsoft, but requirements for this project dictate 
that there cannot be authentication requests from [servers].CustProj.corp to 
any DCs at Company.corp. The hope was to have the DC at CustProj.corp relay the 
auth requests on behalf of the client.  Is there any way to force this?  Am I 
missing something I can set for this? Any ideas or third-party products that 
might help?

Eric





[NTSysADM] RE: Windows Hello for Business

2016-12-08 Thread Brian Desmond
It currently requires Azure AD at a minimum. On-premises AD is an optional 
component.

The best resource for this is the feature PM's blog - he has a handful of posts 
that lay out how all the plumbing works in significant detail - 
https://jairocadena.com/

Thanks,
Brian


Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of dylan.mar...@bench.com
Sent: Thursday, December 8, 2016 8:40 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Windows Hello for Business

Hi all,

Has anyone looked into Windows Hello for Business with Windows 10? I'm trying to 
find out how it works and what is necessary to deploy it into the actual domain 
and not only for local sign-on.
However, TechNet is quite unhelpful regarding all of this; I can't seem to find any 
actual clear answer on whether it's AD only with Server 2016 or AD with Azure 
AD AND Server 2016. Different articles state different requirements without any 
actual clear answer.

It would be a really bad implementation if it's Azure AD ONLY in my opinion, but 
reading the different documentation parts right now does seem to point towards 
that though...

Any help/guidance would be appreciated.

- Dylan



RE: [NTSysADM] OT: IT Philosophy

2016-12-07 Thread Brian Desmond
For #3, that seems like a discussion around acceptable use and risk for your 
attorneys rather than IT. The others I would generally agree with your manager.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kish N Kepi
Sent: Wednesday, December 7, 2016 10:24 PM
To: Kish N Kepi <kishnk...@gmail.com>
Subject: [NTSysADM] OT: IT Philosophy

We keep a lax environment - our users are local admins on their Windows laptops 
and we do not stop them from installing any software they want - the only caveat I 
ever say is 'don't be stupid'. And yes, we are a hi-tech house, well beyond the 
startup stage.

During a conversation about potential changes to the way we do backups today, I 
stated that the current backup routine specifically excludes most media files, 
and also that I'd used psexec to kill utorrent processes. My boss, who is 
actually quite knowledgeable in IT matters, had a response that surprised me: why? 
Why not back up the media files? Why not allow torrent traffic? His points were 
as follows:

1.   We give them laptops and smartphones and expect them to be available 
at all hours of the day - that's convergence of home and office life - why 
shouldn't we backup the photos of their kids, pets and vacations too?

2.   Do we have bandwidth issues? We have a broad link to the internet and 
only at periodic peaks do we hit anywhere near our limit

3.   Legality of torrents? Really? How many people care about the legality?

4.   Malware? We have other protections in place.

I couldn't come up with any answers that sounded reasonable to me, so at this 
stage, we're planning to increase our backup storage capacity.

Does anyone here have answers that I lack? Sorry for cross-posting, but this 
question is bothering me, and I know that many people in this forum have 
strong, well-formed (and well-expressed) opinions.

Kish n Kepi



[NTSysADM] RE: code-signing cert for PS untrusted

2016-12-06 Thread Brian Desmond
Is there a behavior difference whether it's in the local user or local machine 
Trusted Publishers store? I haven't done much with this but that comes to mind 
as something to check.

Also don't forget to timestamp the signature when you do the signing.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, December 6, 2016 4:03 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] code-signing cert for PS untrusted

I feel like I must be missing a step here, so am hoping someone has seen this.  
I'm most of the way through standing up a new internal CA root/subordinate 
combo for our internal AD and migrating certificates, but have run into a 
problem with code signing certs.

The new servers are 2012 R2, done mostly to best practice with root not in the 
domain (offline) and subordinate in the domain for issuing certs.  The old 
single server is 2008 R2.  I already have most of our certs migrated and 
working, including those for Kerberos (Domain controllers) authentication, 
client pcs, web server, etc.  The Root CA is showing up in the client's Trusted 
root store, and both the root and subordinate are in the Intermediate 
Certificates store.

I've published a new template for (powershell) code signing today from the new 
intermediate server, and was able to follow all of the same steps to get a cert 
enrolled for my user account that I had done with 2008 R2.  I see the new cert 
in the Personal store and have imported it into Trusted publishers.

But, if I sign some code with the new cert, I still get prompted by powershell 
with "Do you want to run software from this untrusted publisher?".  I've tried 
deleting the old cert from Personal and from Trusted publishers, and even 
re-signed the code to verify it's using the new one that I think it is.

Is there another place I need to be adding the cert that I'm missing here?  Is 
there an issue with signing it from the Intermediary vs the root CA when it 
comes to code signing?

I'm not a PS guru and there are really only two of us using this, in an attempt 
to not allow unrestricted PS on our domain workstations.  Code signing certs 
have worked fine from our 2008 R2, but there is only the one server involved.

Any pointers would be appreciated.

-Bonnie
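The two things Brian raises, which TrustedPublisher store holds the signing cert and whether the signature was timestamped, can be checked from PowerShell together with the chain status PowerShell itself evaluates. The script below is an added example, not Bonnie's or Brian's code; the script path and the timestamp server URL are placeholders, and the Code Signing EKU check is an extra test beyond what the thread mentions.

```powershell
# Added example (not from the thread). 'C:\Scripts\Example.ps1' and <TIMESTAMP-SERVER-URL>
# are placeholders; point them at a signed script and your CA's or a public RFC 3161 service.

function Test-ScriptPublisherTrust {
    param([Parameter(Mandatory)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    if (-not $signer) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Note = 'file is not signed' }
    }
    # AllSigned stops prompting only when the *leaf* signing cert (not its CA) sits in a
    # TrustedPublisher store. A manual "Install Certificate" usually lands in the user
    # store; GPO or certutil deployment lands in the machine store, hence Brian's question.
    $inUser    = [bool](Get-ChildItem Cert:\CurrentUser\TrustedPublisher  | Where-Object Thumbprint -eq $signer.Thumbprint)
    $inMachine = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $signer.Thumbprint)
    # Code Signing EKU (1.3.6.1.5.5.7.3.3): a cert issued from a template without it
    # produces a signature that verifies but is not accepted as a code-signing cert.
    $hasCodeSigningEku = [bool]($signer.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.3')
    [pscustomobject]@{
        Path                     = $Path
        Status                   = $sig.Status        # Valid, or e.g. UnknownError when the chain does not end in a trusted root
        StatusMessage            = $sig.StatusMessage
        Signer                   = $signer.Subject
        Issuer                   = $signer.Issuer     # the issuing (intermediate) CA; that is expected, not a problem
        Thumbprint               = $signer.Thumbprint
        CodeSigningEku           = $hasCodeSigningEku
        Timestamped              = [bool]$sig.TimeStamperCertificate
        InUserTrustedPub         = $inUser
        InMachineTrustedPub      = $inMachine
        WillPromptUnderAllSigned = ($sig.Status -ne 'Valid') -or -not ($inUser -or $inMachine)
    }
}

# Signing with a timestamp so the signature stays valid after the certificate expires.
function Set-TimestampedScriptSignature {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Thumbprint,
          [string]$TimestampServer = 'http://<TIMESTAMP-SERVER-URL>')
    $cert = Get-ChildItem "Cert:\CurrentUser\My\$Thumbprint"
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert -HashAlgorithm SHA256 -TimestampServer $TimestampServer
}

Test-ScriptPublisherTrust -Path 'C:\Scripts\Example.ps1' | Format-List
```

If Status is Valid and the thumbprint is found in a TrustedPublisher store but PowerShell still prompts, re-sign the file; a stale signature from the old CA's cert is the other common cause of the "untrusted publisher" prompt.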



[NTSysADM] RE: Group Policy cleanup/maintenance

2016-11-17 Thread Brian Desmond
For GPOs, I look at whether or not the GPO is referenced in the gpLink attribute of 
any OUs. If it is, I also look to see if all of its links are disabled.

Empty GPOs also are candidates to go.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, November 17, 2016 11:21 AM
To: 'NT System Admin Issues Discussion list' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Group Policy cleanup/maintenance

How do you guys deal with Group Policy objects, in regards to discovery and 
cleanup of "stale" objects?  I have to come up with a procedural document for 
this process.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>
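Brian's checks (is the GPO's GUID referenced in any gpLink, and if so are all of those links disabled) plus the common "both halves still at version 0" test for an empty GPO can be scripted against the raw gpLink attribute. The PowerShell below is an added example, not Brian's own tooling; the GPO objects and gpLink strings are constructed so it runs without a domain, and the comment shows the real cmdlets to feed it.

```powershell
# Added example (not Brian's code). Sample data is constructed; in production use:
#   $gpos  = Get-GPO -All
#   $links = Get-ADObject -LDAPFilter '(gpLink=*)' -Properties gpLink | Select-Object -ExpandProperty gpLink
# and repeat the Get-ADObject query with -SearchBase (Get-ADRootDSE).configurationNamingContext
# if any GPOs are linked to sites.

function Get-GpLinkEntry {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$GpLink)
    # gpLink is a concatenation of "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;FLAGS]".
    # FLAGS bit 0 (value 1) = link disabled, bit 1 (value 2) = enforced.
    foreach ($m in [regex]::Matches($GpLink, '\[LDAP://cn=\{([0-9A-Fa-f-]{36})\}[^;\]]*;(\d+)\]')) {
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{
            Guid     = $m.Groups[1].Value.ToUpper()
            Disabled = ($flags -band 1) -ne 0
            Enforced = ($flags -band 2) -ne 0
        }
    }
}

function Get-StaleGpoReport {
    param([Parameter(Mandatory)][object[]]$Gpos,      # Get-GPO output: DisplayName, Id, User/Computer.DSVersion
          [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$GpLinks)  # raw gpLink values
    $entries = @($GpLinks | ForEach-Object { Get-GpLinkEntry -GpLink $_ })
    foreach ($gpo in $Gpos) {
        $id   = ([string]$gpo.Id).ToUpper()
        $mine = @($entries | Where-Object { $_.Guid -eq $id })
        $live = @($mine | Where-Object { -not $_.Disabled })
        $status = 'Active'
        if ($live.Count -eq 0) { $status = 'AllLinksDisabled' }
        if ($mine.Count -eq 0) { $status = 'Unlinked' }
        [pscustomobject]@{
            Name   = $gpo.DisplayName
            Id     = $id
            Links  = $mine.Count
            Status = $status
            # Version 0 in both sections means neither the user nor the computer half was ever edited
            Empty  = ($gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -eq 0)
        }
    }
}

# Constructed sample GPOs shaped like Get-GPO output
$sampleGpos = @(
    [pscustomobject]@{ DisplayName = 'Baseline Security';  Id = [guid]'11111111-2222-3333-4444-555555555555'; User = @{ DSVersion = 3 }; Computer = @{ DSVersion = 12 } }
    [pscustomobject]@{ DisplayName = 'Old Proxy Settings'; Id = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'; User = @{ DSVersion = 5 }; Computer = @{ DSVersion = 0 } }
    [pscustomobject]@{ DisplayName = 'Test - do not use';  Id = [guid]'99999999-8888-7777-6666-555555555555'; User = @{ DSVersion = 0 }; Computer = @{ DSVersion = 0 } }
)
# Two constructed OUs: the first links Baseline; the second has Old Proxy link-disabled (;1) and Baseline enforced (;2)
$sampleLinks = @(
    '[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=corp,DC=example;0]'
    '[LDAP://cn={aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee},cn=policies,cn=system,DC=corp,DC=example;1][LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=corp,DC=example;2]'
)
# Expected: Baseline Security = Active (2 links), Old Proxy Settings = AllLinksDisabled, Test = Unlinked and Empty
Get-StaleGpoReport -Gpos $sampleGpos -GpLinks $sampleLinks | Format-Table -AutoSize
```

Run Backup-GPO on anything the report flags before removing it, and treat "AllLinksDisabled" as a review queue rather than a delete list, since a disabled link is sometimes a deliberate rollback point.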




RE: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

2016-11-15 Thread Brian Desmond
Inline

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Tuesday, November 15, 2016 10:01 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

If anyone is still interested in this... I did some testing in a lab environment 
with 2008 R2 machines that do NOT have the MaxPacketSize registry value.  Here 
are the results:

With both DC and member server, with no MaxPacketSize registry value, all 
Kerberos 88 traffic is over TCP, not UDP
[Brian Desmond] It defaults to 0 if not set
With the MaxPacketSize registry value on the member server set to 2, I see 
packets coming in to the domain controller, but the DC responds with 
KRB_ERROR_RESPONSE_TOO_BIG and the handshake switches over to TCP
With the MaxPacketSize registry value on both servers set to 2, I see 
packets coming in to the domain controller, but the DC responds with 
KRB_ERROR_RESPONSE_TOO_BIG and the handshake switches over to TCP
[Brian Desmond] There’s a check to see if it’s over a max size. I’d have to go 
look again to see what it is but it looks for invalid values.




From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian Desmond
Sent: Sunday, November 13, 2016 12:18 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

I just looked and I can confirm that the client side default is 0 bytes on a 
Win7+ client for the max packet size to fallback to TCP. The server side 
default is still 1465 bytes as shown in the screenshot below.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Christopher Bodnar
Sent: Thursday, November 10, 2016 1:40 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

OK, based on this, I think he is correct:

I’ve been running a WireShark trace on a few DCs today (2008 domains and 2012 
domains), and not seeing any UDP 88 traffic. I did find this:


https://technet.microsoft.com/en-us/library/cc738673(v=ws.10).aspx

So basically since Vista, and 2008, if a Kerberos packet is over 1 byte (which 
will be everything) it will send it as TCP instead of UDP, since this registry 
key now is part of the operating system.



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Thursday, November 10, 2016 12:53 PM
To: ntsysadm <ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>>
Subject: Re: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

I'd ask that colleague where he got the idea. I'm not seeing any documentation 
on this either.
But, I did see this, which is interesting, even if unrelated:
http://blogs.msmvps.com/acefekay/2016/11/01/active-directory-flexible-authentication-secure-tunneling-fast/
Kurt

On Thu, Nov 10, 2016 at 6:29 AM, Christopher Bodnar 
<christopher_bod...@glic.com<mailto:christopher_bod...@glic.com>> wrote:
A colleague told me that these operating systems no longer use UDP 88 for 
Kerberos, that they only use TCP. Is that correct? If so, can someone point me 
to an MS document that discusses this? I’ve looked and haven’t been able to 
find anything.  I am aware that you can force Kerberos to use TCP:


https://support.microsoft.com/en-us/kb/244474

But that isn’t what he is talking about.

Thanks


Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com<mailto:christopher_bod...@glic.com>



The Guardian Life Insurance Company of America

www.guardianlife.com<http://www.guardianlife.com/>




- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.
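
The MaxPacketSize setting discussed in this thread, as an added example that is not part of any message above: a PowerShell audit of the value on clients and DCs, with an optional force-to-TCP switch. It assumes WinRM access and local admin rights on the targets. The registry path and the force-TCP value of 1 come from KB 244474 (linked above); an absent value is reported as "not set" rather than having a default guessed for it, since the effective default is what the screenshot in the thread establishes, not this script.

```powershell
# Added example, not from the thread. Reads (and optionally pins) the Kerberos
# MaxPacketSize value that governs the UDP-to-TCP fallback threshold.
# Assumes: WinRM enabled on the targets and local admin rights there.
# Registry location and the force-TCP value (1) are from KB 244474.

function Get-KerberosMaxPacketSize {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
        $item  = Get-ItemProperty -Path $path -Name MaxPacketSize -ErrorAction SilentlyContinue
        $roles = @{ 1 = 'Workstation'; 2 = 'DomainController'; 3 = 'Server' }   # Win32_OperatingSystem.ProductType
        $type  = [int](Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
        $value = if ($null -ne $item) { [int]$item.MaxPacketSize } else { $null }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Role          = $roles[$type]
            OSVersion     = [System.Environment]::OSVersion.Version.ToString()
            MaxPacketSize = $value
            Source        = if ($null -ne $value) { 'Registry (explicit)' } else { 'Not set (OS default applies)' }
            # 0 or 1 means every request is "too big" for UDP, i.e. TCP from the first packet
            AlwaysTcp     = ($null -ne $value) -and ($value -le 1)
        }
    } | Select-Object Computer, Role, OSVersion, MaxPacketSize, Source, AlwaysTcp
}

function Set-KerberosForceTcp {
    # KB 244474: MaxPacketSize = 1 makes the client use TCP for every Kerberos exchange.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($computer, 'Set MaxPacketSize=1 (always use TCP, per KB 244474)')) {
            Invoke-Command -ComputerName $computer -ScriptBlock {
                $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
                New-ItemProperty -Path $path -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
    }
}

# Usage (hypothetical host names):
#   Get-KerberosMaxPacketSize -ComputerName dc01, dc02, ws-test01 | Format-Table -AutoSize
#   Set-KerberosForceTcp -ComputerName ws-test01 -WhatIf
```

Run the audit against a DC and a client side by side and the asymmetry Brian describes (explicit value on one side, nothing set on the other) shows up in the Source column; a capture filter of udp.port == 88 on the DC is then the confirmation that no UDP Kerberos is actually on the wire.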



RE: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

2016-11-13 Thread Brian Desmond
I just looked and I can confirm that the client side default is 0 bytes on a 
Win7+ client for the max packet size to fallback to TCP. The server side 
default is still 1465 bytes as shown in the screenshot below.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132


[NTSysADM] RE: PowerShell Help

2016-11-06 Thread Brian Desmond
If you grab the user via ADSI:

$myUser = [ADSI]"LDAP://CN=David Lum,OU=MyHouse,OU=World,DC=domain,DC=net"

You can then call $myUser.Parent.Properties["name"].Value and get just the 
MyHouse part.

I forget if you need the .Value on the end or not – you’ll have to test that if 
it doesn’t work.

Thanks,
Brian



Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Dave Lum
Sent: Wednesday, November 2, 2016 5:45 PM
To: 'ntsysadm@lists.myitforum.com' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] PowerShell Help

I want to use PowerShell to get the immediate OU a user is in and drop it into 
said user's description. I can do Set-ADUser easily enough, I just want to be 
able to throw only the direct OU and not the entire DN into the description. 
So, instead of 'OU=MyHouse,OU=World,DC=domain,DC=net' I want to just drop in 
"MyHouse" (the desired description will be "disabled account from myHouse OU").

Some “ForEach” thing, right?

David Lum
Systems Administrator III
P: 503.943.2500
E: l...@ochin.org<mailto:l...@ochin.org>
A: 1881 SW Naito Parkway, Portland, OR 97201




Attention: Information contained in this message and or attachments is intended 
only for the recipient(s) named above and may contain confidential and or 
privileged material that is protected under State or Federal law. If you are 
not the intended recipient, any disclosure, copying, distribution or action 
taken on it is prohibited. If you believe you have received this email in 
error, please contact the sender with a copy to 
complia...@ochin.org<mailto:complia...@ochin.org>, delete this email and 
destroy all copies.
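
The "immediate OU into the description" task from this thread, worked through as an added example (not code from either message). It parses the DN directly, which is the part that trips people up when an RDN contains an escaped comma, and also shows the ADSI route Brian sketches, reached through .psbase so the parent comes back as a DirectoryEntry. The ActiveDirectory module is assumed, and the search base is the placeholder DN from Dave's message.

```powershell
# Added example, not from the thread. Derives the immediate container name from a
# user's DN and writes "disabled account from <OU> OU" into the description.
# Assumes the ActiveDirectory module; the search base is a hypothetical placeholder.

function Get-ImmediateContainerName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split only on commas that are not escaped: "CN=Lum\, David,OU=MyHouse,..." has an
    # escaped comma inside the first RDN that must not be treated as a separator.
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),')
    if ($rdns.Count -lt 2) { return $null }          # DN has no parent
    $parentRdn = $rdns[1]                             # e.g. "OU=MyHouse"
    $value = $parentRdn.Substring($parentRdn.IndexOf('=') + 1)
    return ($value -replace '\\(.)', '$1')            # drop RDN escaping ("\," -> ",")
}

function Get-ImmediateContainerNameViaAdsi {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Same answer from the directory itself. .psbase reaches the underlying
    # DirectoryEntry, whose Parent is a DirectoryEntry for the container.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    return [string]$entry.psbase.Parent.Properties['name'].Value
}

function Set-DisabledUserDescriptionFromOu {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)
    Import-Module ActiveDirectory
    $users = Get-ADUser -Filter { Enabled -eq $false } -SearchBase $SearchBase -Properties Description
    foreach ($user in $users) {
        $ou   = Get-ImmediateContainerName -DistinguishedName $user.DistinguishedName
        $desc = "disabled account from $ou OU"
        if ($user.Description -eq $desc) { continue }    # already stamped, leave whenChanged alone
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set description '$desc'")) {
            Set-ADUser -Identity $user -Description $desc
        }
    }
}

# Usage (placeholder search base from the thread's example DN):
#   Get-ImmediateContainerName -DistinguishedName 'CN=David Lum,OU=MyHouse,OU=World,DC=domain,DC=net'   # MyHouse
#   Set-DisabledUserDescriptionFromOu -SearchBase 'OU=World,DC=domain,DC=net' -WhatIf
```

The -WhatIf run lists every account that would be touched; the "already stamped" check matters because rewriting an unchanged description still bumps whenChanged and replicates.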


[NTSysADM] RE: AAD Connect question

2016-10-18 Thread Brian Desmond
My understanding is there is not a supported way to do this. What I would do is 
install a new AAD Connect server in Staging Mode, import any custom rules you 
have (you can export those to PowerShell in the Rules Editor), run it, and get 
it so you have zero unexpected deltas in the Sync Manager. At that point, you 
can shutdown the old AAD Connect, and rerun the wizard and take your new one 
out of Staging Mode.

You should have practically zero downtime with this approach.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Friday, October 14, 2016 4:57 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] AAD Connect question

Does anyone know if you can install AAD Connect with the default SQL Express 
and then later move the database to a SQL server? I know you can do this going 
from WID to SQL on ADFS:

http://social.technet.microsoft.com/wiki/contents/articles/948.ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspx

But I can’t find anything about this on AAD Connect, which makes me think it’s 
not supported.

Thanks


Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com<http://www.guardianlife.com/>






[NTSysADM] RE: Modified date on distribution group AD object

2016-10-13 Thread Brian Desmond
If you do a repadmin /showobjmeta on the object, it will give you timestamps 
per attribute which would be a good starting point.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, October 13, 2016 11:30 AM
To: 'NT System Admin Issues Discussion list' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Modified date on distribution group AD object

We have 16 distribution groups that are showing the exact same Modified 
timestamp.  A couple of these are used for automated message delivery for 
different applications.  Since this change date, those messages are no longer 
being delivered.  I use Netwrix to audit things, and it doesn't have anything 
for these distribution groups changing in that whole week.

What causes that modified timestamp to change?  Where else can I look to try 
and see what got modified?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>
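
Brian's repadmin /showobjmeta suggestion, carried through in PowerShell as an added example (not from the thread). Get-ADReplicationAttributeMetadata returns the same per-attribute metadata, and with -ShowAllLinkedValues it also shows each member link, which is where a "messages stopped being delivered" group usually turns out to have lost a member. The originating DSA it reports is the DC whose Security log to search. The ActiveDirectory module and 2012-level DCs are assumed; the group names in the usage lines are placeholders, and the 5136 lookup only works where Directory Service Changes auditing and a SACL on the groups were already in place.

```powershell
# Added example, not from the thread. Pulls per-attribute replication metadata for
# the affected groups (the PowerShell equivalent of repadmin /showobjmeta), so the
# attribute, originating DC and change time can be lined up with the shared
# whenChanged value. Assumes the ActiveDirectory module and 2012-level DCs.
Import-Module ActiveDirectory

function Get-GroupChangeMetadata {
    param(
        [Parameter(Mandatory)][string[]]$GroupName,
        [string]$Server = [string](Get-ADDomainController -Discover).HostName,
        [int]$WindowMinutes = 5
    )
    foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name -Server $Server -Properties whenChanged
        $since = $group.whenChanged.AddMinutes(-$WindowMinutes)

        # Non-linked attributes (description, mail, managedBy, ...)
        Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $Server |
            Where-Object { $_.LastOriginatingChangeTime -ge $since } |
            Select-Object @{n='Group';e={$group.Name}}, AttributeName, Version,
                          LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity

        # Linked values: one row per member; a removed member keeps its row with
        # LastOriginatingDeleteTime set, which is exactly the trace a missing recipient leaves.
        Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $Server -ShowAllLinkedValues |
            Where-Object { $_.AttributeName -eq 'member' -and $_.LastOriginatingChangeTime -ge $since } |
            Select-Object @{n='Group';e={$group.Name}},
                          @{n='AttributeName';e={ "member: $($_.AttributeValue)" }}, Version,
                          LastOriginatingChangeTime, LastOriginatingDeleteTime,
                          LastOriginatingChangeDirectoryServerIdentity
    }
}

function Get-DirectoryChangeEvents {
    # 5136 = "A directory service object was modified". Needs "Audit Directory Service
    # Changes" and an auditing SACL on the objects; run it against the originating DC
    # named in the metadata, since that is where the event was written.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][datetime]$Around,
        [int]$WindowMinutes = 10
    )
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136
        StartTime = $Around.AddMinutes(-$WindowMinutes)
        EndTime   = $Around.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{n='Detail';e={ $_.Message -replace '\s+', ' ' }}
}

# Usage (hypothetical group names and DC):
#   Get-GroupChangeMetadata -GroupName 'DL-AppAlerts', 'DL-Reports' | Format-Table -AutoSize
#   Get-DirectoryChangeEvents -DomainController dc01 -Around '2016-10-06 14:30'
```

Sixteen groups sharing one timestamp with identical Version bumps on the same attribute, all originating from one DSA, points at a single scripted or tooling change on that DC; if Netwrix saw nothing, the DC's own Security log (or its absence of 5136s) tells you whether auditing was even capturing the objects.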




RE: [NTSysADM] RE: exchange OOF

2016-08-18 Thread Brian Desmond
Is the issue that OOF messages aren't sent or that you can't configure it in 
Outlook? The latter is indicative of your Exchange Web Services URL being 
configured incorrectly.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Joseph L. Casale
Sent: Thursday, August 18, 2016 6:07 PM
To: 'ntsysadm@lists.myitforum.com' <ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: exchange OOF

Well you said Autodiscover is not working on the internal side (which 
operates differently than external clients). Have you verified all the DNS 
entries that may be utilized?

What does message tracking have to say about it?

jlc

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Darren Martin
Sent: Thursday, August 18, 2016 4:45 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: exchange OOF

All the URLs have been updated, just wondering if changing the internal to the 
external URL used by OWA would fix the internal issue. All of the URLs have 
been updated. Everything works fine internally for the most part, just not the 
out of office reply.

D


IT Support
North Sound Behavioral Health Organization, LLC
301 Valley Mall Way, Suite 110
Mount Vernon,  WA 98273
it_supp...@northsoundbho.org
Office: 360.416.7013 x749
Direct: 360.419.5649
Fax: 360.416.7017
  _  

CONFIDENTIALITY NOTE: This message is intended for use only by the individual 
or entity to which it is addressed, and may contain information which is 
privileged, confidential, and exempt from disclosure under applicable law. If 
the reader of this message is not the intended recipient, or the employee or 
agent responsible for delivering the message to the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this 
communication or any attachments is strictly prohibited.


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Joseph L. Casale
Sent: Thursday, August 18, 2016 3:26 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: RE: [NTSysADM] RE: exchange OOF

Sounds like you answered it right there, you have not updated all the URLs...

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Darren Martin
Sent: Thursday, August 18, 2016 4:16 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: exchange OOF

We changed our SMTP domain name and installed an updated wildcard certificate, 
but not a UCC certificate with the old domain in it, as our organization name 
changed. Autodiscover is failing on the internal LAN with Outlook 2010, and 
trying to set out of office replies from Outlook fails with a server 
unavailable error. OWA works fine, which is the workaround I am having folks 
use in the meantime. 

Would this be as simple as changing the internal OOF URL to the external one 
used by OWA??

I hope this makes better sense...

Any ideas?

Thanks,

D

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Andrew S. Baker
Sent: Thursday, August 18, 2016 3:01 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: exchange OOF

You may want to offer some more substantive details in this request...


Regards,


 ASB
 http://XeeMe.com/AndrewBaker 

 Providing Expert Technology Consulting Services for the SMB market… 

 GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A





 
On Thu, Aug 18, 2016 5:43 PM, Darren Martin darren_mar...@northsoundbho.org 
wrote:


Does anyone have any Exchange out of office issues after installing an 
updated wildcard certificate and changing their SMTP address domain names? OWA 
works fine, just not on internal LAN.




Thanks,




D
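
Brian's point that an OOF "server unavailable" in Outlook means the EWS URL is wrong, turned into a check, as an added example that is not code from the thread. It runs in the Exchange Management Shell, lists the internal EWS and Autodiscover (SCP) URLs, and tests each host name against the certificate bound to IIS, which is the thing that changes when a new wildcard for a new domain is installed. The cmdlet set is the Exchange 2010/2013 one (Get-ClientAccessServer for the SCP URI); the server names in the usage lines are placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Checks whether the host name in each internal EWS / Autodiscover URL is covered
# by a certificate that is bound to IIS and still valid.

function Test-HostCoveredByCert {
    param([Parameter(Mandatory)][string]$HostName, [string[]]$CertDomains = @())
    foreach ($domain in $CertDomains) {
        if ($domain -eq $HostName) { return $true }
        if ($domain.StartsWith('*.')) {
            # A wildcard matches exactly one label: *.contoso.com covers mail.contoso.com,
            # but not contoso.com and not a.b.contoso.com.
            $suffix = $domain.Substring(1)                                   # ".contoso.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-ExchangeUrlCertCoverage {
    $certDomains = Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'IIS' -and $_.NotAfter -gt (Get-Date) } |
        ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" } | Sort-Object -Unique
    if (-not $certDomains) { Write-Warning 'No valid certificate is bound to IIS.' }

    $urls = @()
    foreach ($vd in Get-WebServicesVirtualDirectory) {
        $urls += [pscustomobject]@{ Server = $vd.Server; Kind = 'EWS InternalUrl'; Url = $vd.InternalUrl }
        $urls += [pscustomobject]@{ Server = $vd.Server; Kind = 'EWS ExternalUrl'; Url = $vd.ExternalUrl }
    }
    foreach ($cas in Get-ClientAccessServer) {
        # The SCP is what domain-joined Outlook tries first; if this name is not on the
        # certificate, internal Autodiscover fails before EWS is even reached.
        $urls += [pscustomobject]@{ Server = $cas.Name; Kind = 'Autodiscover SCP'; Url = $cas.AutoDiscoverServiceInternalUri }
    }

    foreach ($u in $urls) {
        $hostName = if ($u.Url) { ([uri]"$($u.Url)").Host } else { $null }
        [pscustomobject]@{
            Server  = "$($u.Server)"
            Kind    = $u.Kind
            Url     = "$($u.Url)"
            Host    = $hostName
            Covered = if ($hostName) { Test-HostCoveredByCert -HostName $hostName -CertDomains $certDomains } else { $false }
        }
    }
}

# Usage:
#   Get-ExchangeUrlCertCoverage | Format-Table -AutoSize
# A row with Covered = False is fixed by pointing that URL at a name the certificate does
# cover (placeholder names):
#   Set-WebServicesVirtualDirectory -Identity 'CAS01\EWS (Default Web Site)' -InternalUrl https://mail.newdomain.example/EWS/Exchange.asmx
#   Set-ClientAccessServer -Identity CAS01 -AutoDiscoverServiceInternalUri https://mail.newdomain.example/Autodiscover/Autodiscover.xml
# plus an internal DNS record for that name; Test-OutlookWebServices then confirms the client's view.
```

Darren's idea of reusing the external OWA name internally is fine as long as that name resolves internally and is on the certificate, which is exactly what the Covered column checks; the one thing not to do is leave an internal URL on the old domain with a certificate that no longer names it.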












RE: [NTSysADM] Outlook desktop alert changes

2016-08-17 Thread Brian Desmond
Mine does this when a whole bunch of mail piles in at once. Otherwise I get 
individual toasts.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kevin Lundy
Sent: Wednesday, August 17, 2016 4:04 PM
To: NTSysADM@lists.myITforum.com
Subject: [NTSysADM] Outlook desktop alert changes

Since the list has been very quiet lately, I'll ask a user level question.

My Outlook 2016 has recently stopped showing a preview of the message in the 
toast desktop alert.  It now just says "there are new items in your mailbox"

Did any of the recent Office patches take away the preview capability?

Kevin


[NTSysADM] RE: OT: WAM replacement

2016-07-26 Thread Brian Desmond
F5 and Ping are the two of that list I see frequently, F5 the most. Microsoft 
w/ AAD-P also has some interesting capabilities in this space as well.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Tuesday, July 26, 2016 12:30 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] OT: WAM replacement

Sorry for the OT:

Anyone recently look at replacing their existing WAM system (IBM, Oracle, CA)? 
We started looking at PingAccess, F5’s APM, and OpenAM. Had a call with Gartner 
and was very surprised how much traction OpenAM seems to be getting. Interested 
to hear anyone else’s thoughts who has gone through this in the last year or so.

Thanks


Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com<http://www.guardianlife.com/>






[NTSysADM] RE: Powershell question

2016-07-18 Thread Brian Desmond
You can't link a GPO to a computer. Given that, is the requirement that you 
want to find all the computers that a given GPO applies to? How many OUs is the 
GPO linked to? Does it have security or WMI filtering applied? What about Group 
Policy Preferences with item level targeting?

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Monday, July 18, 2016 10:43 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Powershell question

I would like to find all computernames that have a specific GPO linked to them?
Get-GPO
Get-ADComputer


Just not sure where to go?


David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190




Please consider the environment before printing this email.
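
Brian's questions (where is the GPO linked, is it security or WMI filtered) are the right checklist, so here they are as an added example, not code from the thread. It finds every container carrying the GPO in its gPLink, honours the link's enabled/enforced bits, enumerates the computers beneath each link, and flags the things that keep the GPO from applying anyway: blocked inheritance, security filtering and a WMI filter. The ActiveDirectory and GroupPolicy modules are assumed; for any single machine, gpresult /scope:computer /r (or Get-GPResultantSetOfPolicy) stays the authority.

```powershell
# Added example, not from the thread. Enumerates computers under a GPO's links and
# surfaces the filters that can still exclude them. Assumes the ActiveDirectory and
# GroupPolicy modules; a site link is reported but not expanded (site membership is
# by subnet, not OU).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLinkedComputers {
    param([Parameter(Mandatory)][string]$GpoName)

    $gpo    = Get-GPO -Name $GpoName
    $guid   = '{' + $gpo.Id.ToString().ToUpper() + '}'
    $domain = Get-ADDomain
    $sites  = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext

    # gPLink is a string of "[LDAP://cn={GUID},cn=policies,cn=system,<domain>;<options>]"
    # entries; options bit 1 = link disabled, bit 2 = enforced.
    $linkPattern = '\[LDAP://cn=' + [regex]::Escape($guid) + '[^;\]]*;(\d+)\]'
    $links = foreach ($base in @($domain.DistinguishedName, $sites)) {
        Get-ADObject -LDAPFilter "(gPLink=*$guid*)" -SearchBase $base -SearchScope Subtree -Properties gPLink |
            ForEach-Object {
                $m = [regex]::Match($_.gPLink, $linkPattern, 'IgnoreCase')
                $options = if ($m.Success) { [int]$m.Groups[1].Value } else { 0 }
                [pscustomobject]@{
                    Container = $_.DistinguishedName
                    Class     = $_.ObjectClass
                    Enabled   = -not ($options -band 1)
                    Enforced  = [bool]($options -band 2)
                }
            }
    }

    # OUs with gpOptions=1 block inheritance of non-enforced links from above them.
    $blockingOus = Get-ADOrganizationalUnit -LDAPFilter '(gpOptions=1)' |
        Select-Object -ExpandProperty DistinguishedName

    # Filtering that is evaluated per computer rather than per container
    $applyTo   = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name }
    $wmiFilter = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { $null }

    $rows = foreach ($link in ($links | Where-Object Enabled)) {
        if ($link.Class -eq 'site') {
            Write-Warning "Linked to site $($link.Container); not expanded here."
            continue
        }
        Get-ADComputer -SearchBase $link.Container -SearchScope Subtree -Filter * |
            ForEach-Object {
                $computerDn = $_.DistinguishedName
                # Blocked only if a gpOptions=1 OU sits strictly between the link and the computer
                $blocked = (-not $link.Enforced) -and [bool]($blockingOus | Where-Object {
                    $computerDn -like "*,$_" -and $_ -like "*,$($link.Container)" })
                [pscustomobject]@{
                    Computer           = $_.Name
                    LinkedContainer    = $link.Container
                    Enforced           = $link.Enforced
                    InheritanceBlocked = $blocked
                    SecurityFiltering  = ($applyTo -join ', ')
                    WmiFilter          = $wmiFilter
                }
            }
    }
    $rows | Sort-Object Computer -Unique
}

# Usage (hypothetical GPO name):
#   Get-GpoLinkedComputers -GpoName 'Workstation Hardening' | Format-Table -AutoSize
```

When SecurityFiltering is anything other than Authenticated Users (or Domain Computers), a computer in the list still only gets the GPO if it, or a group it belongs to, is named there; and a WmiFilter column that is not empty means the query has to evaluate true on that machine, which nothing in AD can tell you in advance.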



[NTSysADM] RE: KMS vs AD

2016-07-18 Thread Brian Desmond
So that you don’t need to support KMS servers? It also requires that all 
clients be authenticated, which KMS did not.

If all your clients and apps (Office) are uplevel and support AD activation, I 
don’t see any reason to maintain a KMS server…

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, July 18, 2016 8:18 AM
To: 'ntsysadm@lists.myitforum.com' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] KMS vs AD


So I am re-rolling my KMS sever.  Why would I want to use AD activation instead 
of KMS?


RE: [NTSysADM] RE: PowerShell weaknesses

2016-06-27 Thread Brian Desmond
One of my customers uses a product from a company called Symprex that does 
exactly this. It’s very inexpensive and you wouldn’t have to invent anything.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Monday, June 27, 2016 10:58 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: PowerShell weaknesses

Actually might be worth extending this debate slightly…

I’m trying to build Outlook signature files on the fly using AD attributes. So 
I basically need to grab certain AD attributes and set them as variables. This 
is not a problem.

However, as I am doing this at user first logon, I need to query the AD 
attributes in the context of the user. Get-ADUser is the cmdlet I’m using, but 
this is unavailable on my Windows 10 clients unless I install the RSAT. So…

Is there a way to programmatically install the RSAT feature on Windows 10 with 
the AD PowerShell stuff enabled? I’d rather not have to go back and create a 
new image.

I found Enable-WindowsOptionalFeature but don’t seem to be able to crack the 
right syntax for it…

Cheers,



JR

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Charles F Sullivan
Sent: 27 June 2016 16:29
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: PowerShell weaknesses

I was going to suggest:

Get-ADUser -identity jrankin -Properties mail

That will get you the defaults plus Mail.
I mention this because I find it easier to remember, though of course it’s a 
matter of preference.


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of James Rankin
Sent: Monday, June 27, 2016 10:41 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: PowerShell weaknesses

Doh!

Put it in brackets would be the thing I’m missing

(Get-ADUser -filter jrankin -Properties mail).mail

Never mind…. ☺


From: James Rankin
Sent: 27 June 2016 15:39
To: 'ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>' 
<ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>>
Subject: PowerShell weaknesses

How can I use Get-ADUser to query a single attribute for a specific user? If I 
use something like

Get-ADUser -filter jrankin -Properties mail

To query the email address in AD, I don’t just get that attribute returned, I 
get a bunch of default stuff too…

DistinguishedName : CN=James Rankin,OU=Desktop1,OU=Standard Users,OU=User 
Accounts,DC=JRR,DC=test,DC=local
Enabled   : True
GivenName : James
mail  : ja...@htguk.com<mailto:ja...@htguk.com>
Name  : James Rankin
ObjectClass   : user
ObjectGUID: 694d15e1-d550-483a-8f21-cb7415f05342
SamAccountName: jrankin
SID   : S-1-5-21-2950944927-1203068717-1704750700-1114
Surname   : Rankin
UserPrincipalName : jran...@jrr.test.local<mailto:jran...@jrr.test.local>

Am I missing something blatantly obvious here?

Cheers,


James Rankin
EUC Solutions Architect | 07809 668579 | ja...@htguk.com<mailto:ja...@htguk.com>
One Trinity Green, Eldon Street, South Shields, Tyne & Wear, NE33 1SA
Tel: 0191 481 3446
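
James's actual problem, a signature built from AD attributes at first logon on a client without RSAT, as an added example that is not code from the thread. It sidesteps the RSAT question entirely: [ADSISearcher] is System.DirectoryServices, present on every Windows 10 client, and it queries as the logged-on user with that user's own ticket. The attribute list, template and signature file name are assumptions, and the sAMAccountName is escaped before it goes into the LDAP filter. (If RSAT really is wanted, on Windows 10 1809 and later it is an on-demand capability, installed elevated with Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'; on earlier builds it is a separate download, which is why Enable-WindowsOptionalFeature finds nothing to enable.)

```powershell
# Added example, not from the thread. Builds an Outlook signature from the
# logged-on user's AD attributes without the ActiveDirectory module.
# Assumptions: attribute names, HTML template and signature name below.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a value taken from the environment cannot alter the filter.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-CurrentUserAdAttributes {
    param([string[]]$Attributes = @('displayName', 'title', 'department', 'telephoneNumber', 'mail'))
    $sam = ConvertTo-LdapFilterValue -Value $env:USERNAME
    # Default SearchRoot is the domain's default naming context; auth is the user's own ticket.
    $searcher = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $searcher.PropertiesToLoad.AddRange([string[]]$Attributes)
    $result = $searcher.FindOne()
    if (-not $result) { throw "No user object found for $($env:USERNAME)" }
    $values = [ordered]@{}
    foreach ($attr in $Attributes) {
        # Single-valued attributes only; an attribute that is not set comes back as an empty collection
        $values[$attr] = if ($result.Properties[$attr].Count -gt 0) { [string]$result.Properties[$attr][0] } else { '' }
    }
    [pscustomobject]$values
}

function Protect-Html {
    # Directory attributes are free text maintained by other people: encode before embedding.
    param([string]$Text)
    [System.Net.WebUtility]::HtmlEncode($Text)
}

function New-OutlookSignature {
    param(
        [Parameter(Mandatory)][pscustomobject]$User,
        [string]$Name = 'Corporate',
        [string]$SignatureDir = (Join-Path $env:APPDATA 'Microsoft\Signatures')
    )
    $html = @"
<html><body style="font-family:Calibri,sans-serif;font-size:11pt">
<b>$(Protect-Html $User.displayName)</b><br/>
$(Protect-Html $User.title), $(Protect-Html $User.department)<br/>
Tel $(Protect-Html $User.telephoneNumber) | <a href="mailto:$(Protect-Html $User.mail)">$(Protect-Html $User.mail)</a>
</body></html>
"@
    if (-not (Test-Path $SignatureDir)) { New-Item -ItemType Directory -Path $SignatureDir | Out-Null }
    $path = Join-Path $SignatureDir "$Name.htm"
    [System.IO.File]::WriteAllText($path, $html, [System.Text.Encoding]::UTF8)
    return $path
}

# Usage, e.g. from a logon script:
#   New-OutlookSignature -User (Get-CurrentUserAdAttributes)
```

Because the query runs as the user, it returns only what that user can read, which is all a signature needs; nothing here requires a service account or stored credentials on the client.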



[NTSysADM] RE: Active Directory LDAP MaxPageSize limit

2016-06-17 Thread Brian Desmond
My thoughts exactly. 1000>5000 isn't much on its own, but, as soon as you raise 
this once, you set the precedent for the next thing to come along and insist on 
this.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, June 16, 2016 2:45 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Active Directory LDAP MaxPageSize limit

This is a very bad idea.

Fix the application.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dave Lum
Sent: Thursday, June 16, 2016 3:31 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] Active Directory LDAP MaxPageSize limit

I've had a request to increase the LDAP MaxPageSize to 5000 (from 1000) due to 
an application limitation - DC's are 2012 (non-R2). I see the hard coded limit 
is 2.

The environment in question is fairly small, and the DC's are multi CPU VM's 
with 8GB RAM and there are under 2000 user objects currently, so I assume my 
change will have pretty much zero impact on my DC's, yes?

Dave
Attention: Information contained in this message and or attachments is intended 
only for the recipient(s) named above and may contain confidential and or 
privileged material that is protected under State or Federal law. If you are 
not the intended recipient, any disclosure, copying, distribution or action 
taken on it is prohibited. If you believe you have received this email in 
error, please contact the sender with a copy to 
complia...@ochin.org<mailto:complia...@ochin.org>, delete this email and 
destroy all copies.
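
The "fix the application" answer from this thread, made concrete as an added example (not code from any message). It reads the effective MaxPageSize from the default query policy, and then shows the client-side fix: a paged search, which walks any number of objects in MaxPageSize-sized pages without touching the DC policy. The ActiveDirectory module is assumed for the policy read; the paged search itself is plain System.DirectoryServices so it demonstrates what a non-PowerShell application needs to do.

```powershell
# Added example, not from the thread. Reads the LDAP policy MaxPageSize and
# demonstrates a paged search that is not bound by it. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LdapAdminLimit {
    param([string]$Name = 'MaxPageSize')
    $config   = (Get-ADRootDSE).configurationNamingContext
    $policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$config"
    $policy   = Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits
    foreach ($limit in $policy.lDAPAdminLimits) {        # entries look like "MaxPageSize=1000"
        $key, $value = $limit -split '=', 2
        if ($key -eq $Name) { return [int]$value }
    }
}

function Get-AllUsersPaged {
    # With PageSize set, DirectorySearcher sends the paged-results control
    # (OID 1.2.840.113556.1.4.319) and the DC returns page after page of at most
    # PageSize entries. With PageSize left at 0 the same query is cut off at MaxPageSize,
    # which is the "application limitation" that prompted the request to raise it.
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$PageSize = 1000
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize   = $PageSize
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['samaccountname'][0] }
    } finally {
        $results.Dispose()     # SearchResultCollection holds an unmanaged handle
    }
}

# Usage:
#   Get-LdapAdminLimit                      # 1000 on an unmodified domain
#   (Get-AllUsersPaged).Count               # full count even when it exceeds MaxPageSize
# The AD module does the same thing through -ResultPageSize:
#   (Get-ADUser -Filter * -ResultPageSize 1000).Count
```

Any LDAP library in use today exposes the paged-results control, so a vendor asking for MaxPageSize to be raised is asking the directory to absorb their missing loop; on 2000 users the DC will not notice either way, which is exactly why the precedent, not the load, is the argument.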



[NTSysADM] RE: Reminders for SSL certs (and other things)

2016-06-16 Thread Brian Desmond
You might look at how you could centralize where these certs are installed 
(e.g. a load balancer/reverse proxy) so you only have one place to check as 
opposed to having things scattered around.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jonathan Raper
Sent: Wednesday, June 15, 2016 12:40 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Reminders for SSL certs (and other things)

Hi all,

We've been bitten by an internal cert or two expiring that caught us off guard. 
We're trying to come up with a way to have a centrally managed reminder system in 
place to make sure this doesn't happen again. This is for a large-ish network 
with a handful of people who could be managing this at any given time.

An Excel spreadsheet just doesn't scale well for this, and Outlook tasks seems 
kind of clumsy.

Obviously paid certs you generally get a reminder because GoDaddy wants the 
revenue, and Web server certs generate an event in the event log, but not every 
SSL cert is going to generate an event, and not every cert is a paid cert.

We also have some other events and contracts that we'd like reminders for - so 
this isn't exclusive to SSL certs, though that is a driving factor.

How are you all handling this? An application? A web-based "aaS" reminder 
system of some sort?

Thanks,

Jonathan
NOTE: This message and any attachments is intended solely for the use of the 
individual or entity to which it is addressed and may contain information that 
is non-public, proprietary, legally privileged, confidential, and/or exempt 
from disclosure. If you are not the intended recipient, you are hereby notified 
that any use, dissemination, distribution, or copying of this communication is 
strictly prohibited. If you have received this communication in error, please 
notify the original sender immediately by telephone or return email and destroy 
or delete this message along with any attachments immediately.
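
The reminder problem from this thread, as an added example that is not code from any message: the inventory a reminder system has to be fed from. It looks from two angles, the machine certificate store on a list of servers, and the certificate actually presented on a TLS endpoint, which also covers Brian's "put it on the load balancer" case and anything else that is not a Windows store. WinRM is assumed for the store scan; all host names are placeholders.

```powershell
# Added example, not from the thread. Certificate expiry inventory from the
# machine store and from live TLS endpoints. Assumes WinRM for the store scan.

function Get-StoreCertExpiry {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$WarnDays = 30
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
            [pscustomobject]@{
                Source     = $env:COMPUTERNAME
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
                PrivateKey = $_.HasPrivateKey
            }
        }
    } | Where-Object { $_.DaysLeft -le $WarnDays } |
        Select-Object Source, Subject, Thumbprint, NotAfter, DaysLeft, PrivateKey
}

function Get-TlsEndpointExpiry {
    param([Parameter(Mandatory)][string[]]$Endpoint)     # "host" or "host:port"
    foreach ($e in $Endpoint) {
        $hostName, $port = $e -split ':', 2
        if (-not $port) { $port = 443 }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($hostName, [int]$port)
            # The callback returns $true on purpose: the point is to read the certificate,
            # not to trust it. Do not reuse this callback for anything that carries data.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($hostName)         # SNI is sent for $hostName
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Source     = $e
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                Issuer     = $cert.Issuer
            }
            $ssl.Dispose()
        } catch {
            [pscustomobject]@{
                Source = $e; Subject = $null; Thumbprint = $null; NotAfter = $null
                DaysLeft = $null; Issuer = "ERROR: $($_.Exception.Message)"
            }
        } finally {
            $client.Dispose()
        }
    }
}

# Usage (placeholder names):
#   Get-StoreCertExpiry -ComputerName web01, web02, adfs01 -WarnDays 45
#   Get-TlsEndpointExpiry -Endpoint 'lb.internal.example', 'ldaps.internal.example:636' |
#       Where-Object { $_.DaysLeft -le 45 }
```

Scheduled and written into whatever ticketing or monitoring system the team already watches, the rows replace the spreadsheet; the endpoint check is the one that catches the appliance whose certificate was never in a Windows store to begin with.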



RE: [NTSysADM] SSL Certificate

2016-05-24 Thread Brian Desmond
Aside from compromising your DigiCert account, compromising a host where the 
key can be exported from is the more likely approach. Having a PFX file with 
the key sitting around on a share (something that isn't as uncommon as you'd 
think unfortunately) is another possible angle. 

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 1:36 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

That would require them to have the private key though. 

I spoke with Digicert a few minutes ago about this topic as I freaked out a 
little not understanding the risk. 

Their response was: 
- Your Digicert account would have to be compromised
- They can revoke any certificate that is compromised
- I can revoke any certificate compromised if able to
- Best Practice: always get a duplicate wildcard certificate with a separate 
SAN  for each host

Chris Ferguson
IT Manager, Infrastructure and Operations | NEPC, LLC
P: +1 (617) 395-7329 | M: +1 (978) 257-9789


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian Desmond
Sent: Tuesday, May 24, 2016 1:35 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

A wildcard cert asserts a certain level of assurance that the party on the 
other end is say contoso.com for any name under contoso.com. If you lose the 
cert, someone can impersonate you for any name they want as long as that cert 
isn't revoked. More of a keep track of where you have the cert installed thing 
than anything else. Ideally it lives in one place - e.g. a load 
balancer/reverse proxy - rather than being distributed across a ton of servers. 

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 12:24 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

With the duplicate, you're actually putting a name in the SAN, so I'm not sure 
that this particular use case exists with Digicert?  

Or, probably more accurately, I don't understand your risk...

Chris Ferguson
IT Manager, Infrastructure and Operations | NEPC, LLC
P: +1 (617) 395-7329 | M: +1 (978) 257-9789

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian Desmond
Sent: Tuesday, May 24, 2016 12:59 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

Just keep good track of the wildcard. The downside of losing a single name cert 
is somebody can go be foo.contoso.com, when you misplace a wildcard (until it 
gets revoked), someone can go be *.contoso.com.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 10:44 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] SSL Certificate

Ah, yes... Another +10 for the wildcard cert - makes deployment far easier. 


> On May 24, 2016, at 11:40 AM, Melvin Backus <melvin.bac...@byers.com> wrote:
> 
> +10 for Digicert. They are a bit more expensive than GoDaddy, but way cheaper 
> than Verisign / Thawte.  I cannot possibly say enough about their support 
> team.  I've had cases where they actually called me to help before I even 
> open a ticket.  They also have free duplicates so if  you have a need for a 
> wildcard, etc., it makes it really easy to deal with across multiple 
> platforms.
> 
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
> 
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Ferguson, Chris
> Sent: Tuesday, May 24, 2016 10:27 AM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] SSL Certificate
> 
> I use Digicert.  They have a great customer service model. If I make a 
> mistake, they walk me through it without charge. 
> 
> If I have trouble installing a certificate, they help me out there too. 
> 
> 
>> On May 24, 2016, at 9:23 AM, Liby Philip Mathew <lmat...@path-solutions.com> 
>> wrote:
>> 
>> Hi,
>> I want to purchase an SSL certificate for one of our support web site.
>> Which is the most preferred SSL certificate provider?  What will be the 
>> approximate cost?
>> Anything specific to be considered while purchasing the certificate?
>> This is the first time I am going to purchase/use a third party certificate.
>> Appreciate any assistance.
>> TI

RE: [NTSysADM] SSL Certificate

2016-05-24 Thread Brian Desmond
A wildcard cert asserts a certain level of assurance that the party on the 
other end is say contoso.com for any name under contoso.com. If you lose the 
cert, someone can impersonate you for any name they want as long as that cert 
isn't revoked. More of a keep track of where you have the cert installed thing 
than anything else. Ideally it lives in one place - e.g. a load 
balancer/reverse proxy - rather than being distributed across a ton of servers. 

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 12:24 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

With the duplicate, you're actually putting a name in the SAN, so I'm not sure 
that this particular use case exists with Digicert?  

Or, probably more accurately, I don't understand your risk...

Chris Ferguson
IT Manager, Infrastructure and Operations | NEPC, LLC
P: +1 (617) 395-7329 | M: +1 (978) 257-9789

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian Desmond
Sent: Tuesday, May 24, 2016 12:59 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

Just keep good track of the wildcard. The downside of losing a single name cert 
is somebody can go be foo.contoso.com, when you misplace a wildcard (until it 
gets revoked), someone can go be *.contoso.com.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 10:44 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] SSL Certificate

Ah, yes... Another +10 for the wildcard cert - makes deployment far easier. 


> On May 24, 2016, at 11:40 AM, Melvin Backus <melvin.bac...@byers.com> wrote:
> 
> +10 for Digicert. They are a bit more expensive than GoDaddy, but way cheaper 
> than Verisign / Thawte.  I cannot possibly say enough about their support 
> team.  I've had cases where they actually called me to help before I even 
> open a ticket.  They also have free duplicates so if  you have a need for a 
> wildcard, etc., it makes it really easy to deal with across multiple 
> platforms.
> 
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
> 
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Ferguson, Chris
> Sent: Tuesday, May 24, 2016 10:27 AM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] SSL Certificate
> 
> I use Digicert.  They have a great customer service model. If I make a 
> mistake, they walk me through it without charge. 
> 
> If I have trouble installing a certificate, they help me out there too. 
> 
> 
>> On May 24, 2016, at 9:23 AM, Liby Philip Mathew <lmat...@path-solutions.com> 
>> wrote:
>> 
>> Hi,
>> I want to purchase an SSL certificate for one of our support web site.
>> Which is the most preferred SSL certificate provider?  What will be the 
>> approximate cost?
>> Anything specific to be considered while purchasing the certificate?
>> This is the first time I am going to purchase/use a third party certificate.
>> Appreciate any assistance.
>> TIA
>> 
>> Regards
>> Mathew
>> Disclaimer
>> 
>> [The information contained in this e-mail message and any attached files are 
>> intended solely for the use of the individual or entity to whom they are 
>> addressed. This transmission may contain information that is confidential, 
>> Path Solutions Private, or exempt from disclosure under applicable law 
>> and/or Path Solutions information security policy. The receiver of this 
>> communication shall not transmit any part of this message unless the email 
>> subject clearly classify it as "Public" or a written permission has been 
>> given by the information assets owner. If you have received this e-mail in 
>> error, please notify the sender immediately and delete all copies, any 
>> disclosure, copying, distribution, or use of the information contained 
>> herein is STRICTLY PROHIBITED. Path Solutions accepts no responsibility for 
>> any errors, omissions, computer viruses and other defects.]
>> 
>> P Protect our planet: Do not print this email unless necessary.
> 
> 
> 
> 
> 
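Brian's point about the wildcard's blast radius can be made concrete with the name-matching rules a browser applies. The following is an added example, not code from the thread: it implements RFC 6125 DNS-ID matching for a certificate's subjectAltName entries and lists which hosts in a constructed inventory each certificate vouches for, which is also the set of names exposed if that certificate's private key is misplaced and the cert is not yet revoked. It goes a little beyond the thread by covering the apex name and a deeper name such as a.b.contoso.com.

```python
"""Name coverage of a certificate's subjectAltName DNS entries.

Added example (not from the thread). Implements the RFC 6125 DNS-ID matching
rules browsers apply, then lists which inventory hosts a certificate vouches
for. That list doubles as the set of names exposed if the private key is
misplaced and the cert is not yet revoked. INVENTORY is constructed.
"""


def name_matches(san: str, hostname: str) -> bool:
    """Does the DNS-ID `san` vouch for `hostname`?

    Rules applied (RFC 6125 section 6.4.3):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the entire leftmost label;
    - it matches exactly one label, so ``*.contoso.com`` covers
      ``foo.contoso.com`` but not ``contoso.com`` or ``a.b.contoso.com``;
    - a wildcard needs at least two labels after it (``*.com`` is refused).
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False  # partial (f*o.contoso.com) or non-leftmost wildcard: refused
    if len(san_labels) < 3:
        return False  # *.com would vouch for a whole public suffix
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def covered_hosts(sans, inventory):
    """Inventory hostnames that a certificate with DNS-IDs `sans` can serve."""
    return sorted(host for host in inventory if any(name_matches(s, host) for s in sans))


# Constructed host inventory for the example, not a real environment.
INVENTORY = [
    "contoso.com",
    "www.contoso.com",
    "foo.contoso.com",
    "mail.contoso.com",
    "vpn.contoso.com",
    "a.b.contoso.com",
    "contoso.com.example",   # lookalike: must never match
]

SINGLE_NAME_CERT = ["foo.contoso.com"]
WILDCARD_CERT = ["*.contoso.com"]
WILDCARD_PLUS_APEX = ["*.contoso.com", "contoso.com"]


if __name__ == "__main__":
    for label, sans in [("single-name", SINGLE_NAME_CERT),
                        ("wildcard", WILDCARD_CERT),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(f"{label:16} {sans} -> {covered_hosts(sans, INVENTORY)}")
```

Comparing the three outputs shows the trade-off in the thread: the single-name cert vouches for one host, the wildcard for every single-label host under contoso.com (but neither the apex nor a.b.contoso.com, which is why wildcard plus apex SAN combinations are common), so a wildcard key that lives on many servers has that many copies of a credential covering all of them.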

RE: [NTSysADM] SSL Certificate

2016-05-24 Thread Brian Desmond
Just keep good track of the wildcard. The downside of losing a single name cert 
is somebody can go be foo.contoso.com, when you misplace a wildcard (until it 
gets revoked), someone can go be *.contoso.com.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 10:44 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] SSL Certificate

Ah, yes... Another +10 for the wildcard cert - makes deployment far easier. 


> On May 24, 2016, at 11:40 AM, Melvin Backus <melvin.bac...@byers.com> wrote:
> 
> +10 for Digicert. They are a bit more expensive than GoDaddy, but way cheaper 
> than Verisign / Thawte.  I cannot possibly say enough about their support 
> team.  I've had cases where they actually called me to help before I even 
> open a ticket.  They also have free duplicates so if  you have a need for a 
> wildcard, etc., it makes it really easy to deal with across multiple 
> platforms.
> 
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
> 
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Ferguson, Chris
> Sent: Tuesday, May 24, 2016 10:27 AM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] SSL Certificate
> 
> I use Digicert.  They have a great customer service model. If I make a 
> mistake, they walk me through it without charge. 
> 
> If I have trouble installing a certificate, they help me out there too. 
> 
> 
>> On May 24, 2016, at 9:23 AM, Liby Philip Mathew <lmat...@path-solutions.com> 
>> wrote:
>> 
>> Hi,
>> I want to purchase an SSL certificate for one of our support web site.
>> Which is the most preferred SSL certificate provider?  What will be the 
>> approximate cost?
>> Anything specific to be considered while purchasing the certificate?
>> This is the first time I am going to purchase/use a third party certificate.
>> Appreciate any assistance.
>> TIA
>> 
>> Regards
>> Mathew

RE: [NTSysADM] SSL Certificate

2016-05-24 Thread Brian Desmond
+1 for the folks at DigiCert

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 9:27 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] SSL Certificate

I use Digicert.  They have a great customer service model. If I make a mistake, 
they walk me through it without charge. 

If I have trouble installing a certificate, they help me out there too. 


> On May 24, 2016, at 9:23 AM, Liby Philip Mathew <lmat...@path-solutions.com> 
> wrote:
> 
> Hi,
> I want to purchase an SSL certificate for one of our support web site.
> Which is the most preferred SSL certificate provider?  What will be the 
> approximate cost?
> Anything specific to be considered while purchasing the certificate?
> This is the first time I am going to purchase/use a third party certificate.
> Appreciate any assistance.
> TIA
> 
> Regards
> Mathew

[NTSysADM] RE: Domain controller updates

2016-05-20 Thread Brian Desmond
I agree with Bob. Take the time to patch them to SP2+ before you do this.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Free Jr., Bob
Sent: Friday, May 20, 2016 12:08 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Domain controller updates

If they are truly at 2003 RTM, my money would be on you having difficulties, 
potentially serious.

I have done several AD upgrades from 2003-2008 & 2003-2012 and if it was an 
environment of any consequence, I wouldn't touch this with a 10 foot pole (or 
whatever the metric equivalent is.)

There are articles outlining which additional patches and measures you should 
have on *fully patched* systems before introducing up-level DCs.

Even then, there are specific problems you may encounter with mixed DCs even 
though the 2003's are patched.

Study the TechNet article(s) about updating 2003 domains and follow carefully. 
You will  be able to rule some, or a lot of it out for your environment but 
there are multiple potential gotchas.

Ensure you have the AD specific patches that aren't necessarily in WU. We had 
to pull some down manually that our SCCM guys weren't getting from WU.

It very well might be easier and less risky to do a slam-bang upgrade to 2012R2 
and skip the co-existence phase but I don't know your environment or 
constraints.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Gavin Wilby
Sent: Friday, May 20, 2016 6:28 AM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] Domain controller updates

Hi,

I have got a 2003 functional level forest/ domain with 2x 2003 servers and 1x 
2008 server acting as DCs. One of the 2003 servers holds all of the FSMO roles.

I have stood up a new 2012R2 server, fully patched it and added the ADDS role 
to it, but not yet promoted it. It will also take over the FSMO roles in time.

Having checked it appears that none of the current DCs have ever been updated 
from the day they were put in. Now bearing in mind they are all to be 
decommissioned in the long term, is there any point in patching them before 
adding the new 2012R2 DC, or if I leave them at RTM, am I going to experience 
issues with bringing a new DC online?

Anyone done this?

Gavin Wilby
IT Support Engineer

SMP Partners Ltd
Clinch's House, Lord Street,
Douglas, Isle of Man IM99 1RZ
Tel +44 1624 682214
Mob +44 7624 480575
gavin.wi...@smppartners.com
www.smppartners.com

A member of the SMP Partners Group of Companies


[NTSysADM] RE: badPwdCount clarification

2016-05-18 Thread Brian Desmond
Is this correct so far? And if so, at the next attempt the account enters a 
valid password, again to DC2, the new values will be:

PDCe1=0
DC2=0
DC3=0
DC4=0

I’d expect the new values to be

PDCe1=2
DC2=0
DC3=1
DC4=1

I can’t think of why the successful login would chain to the PDCe, which is what 
would decrement its local count.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Monday, May 16, 2016 2:05 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] badPwdCount clarification

Can someone clarify this for me, a little confused on this.

Let’s say I have 4 domain controllers (all 2008 R2) in a single site (PDCE1, 
DC2, DC3, DC4). And let’s say account lockout is set to 5, and there are no 
RODCs in the environment. Here are the various badPwdCount values on the domain 
controllers for a test account:

PDCe1=1
DC2=2
DC3=1
DC4=1

If the test account enters another bad password, the logon server that services 
the request (say DC2) will increment by 1, as well as the PDCe1. So the new 
values will be:

PDCe1=2
DC2=3
DC3=1
DC4=1
Is this correct so far? And if so, at the next attempt the account enters a 
valid password, again to DC2, the new values will be:

PDCe1=0
DC2=0
DC3=0
DC4=0

Or will they be:

PDCe1=0
DC2=0
DC3=1
DC4=1

So should the value get reset on all domain controllers, or just the PDCE and 
the DC servicing the request?

Thank you,




Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

[cid:image001.png@01D1326B.600058E0]

The Guardian Life Insurance Company of America

www.guardianlife.com




- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.
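The bookkeeping the two of them are reasoning about is easier to follow as a small model. The following is an added example, not code from the thread or from Microsoft: it encodes the behaviour the thread describes (badPwdCount is not replicated; a wrong password at any DC is chained to the PDC emulator so both increment; a correct password resets only the DC that serviced it; the PDCe, holding the aggregate, decides lockout at the threshold) and replays Chris's constructed counts, giving the values Brian expects. The lockout scenario at the end goes one step beyond the thread to show why the PDCe is where the threshold is reached.

```python
"""Per-DC badPwdCount bookkeeping, modelled as the thread describes it.

Added example, not from the thread or from Microsoft. Assumed behaviour, on
which the whole model rests: badPwdCount is not replicated; a wrong password
at any DC is chained to the PDC emulator, so both increment; a correct
password resets only the DC that serviced it; the PDCe, holding the
aggregate, decides lockout at the threshold and every DC then sees the
lockout (lockoutTime replicates urgently). Counts are the thread's.
"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    pdce: str
    dcs: list
    threshold: int = 5                     # account lockout threshold (5 in the thread)
    bad_pwd_count: dict = field(default_factory=dict)
    locked_out: bool = False               # stands in for a non-zero lockoutTime

    def __post_init__(self):
        for dc in self.dcs:
            self.bad_pwd_count.setdefault(dc, 0)

    def _known(self, dc: str) -> None:
        if dc not in self.bad_pwd_count:
            raise KeyError(f"unknown DC {dc}")

    def bad_password(self, dc: str) -> dict:
        """Wrong password presented to `dc`; returns a snapshot of all counts."""
        self._known(dc)
        if not self.locked_out:
            self.bad_pwd_count[dc] += 1
            if dc != self.pdce:
                # The servicing DC chains the failure to the PDCe, which keeps
                # the authoritative aggregate and therefore never lags behind.
                self.bad_pwd_count[self.pdce] += 1
            if self.bad_pwd_count[self.pdce] >= self.threshold:
                self.locked_out = True
        return dict(self.bad_pwd_count)

    def good_password(self, dc: str) -> dict:
        """Correct password at `dc`: only that DC's counter goes back to 0."""
        self._known(dc)
        if not self.locked_out:
            self.bad_pwd_count[dc] = 0
        return dict(self.bad_pwd_count)


def thread_scenario():
    """Chris's sequence: start from his counts, one more bad password at
    DC2, then a good one at DC2."""
    d = Domain(pdce="PDCe1", dcs=["PDCe1", "DC2", "DC3", "DC4"], threshold=5)
    d.bad_pwd_count.update({"PDCe1": 1, "DC2": 2, "DC3": 1, "DC4": 1})
    after_bad = d.bad_password("DC2")
    after_good = d.good_password("DC2")
    return after_bad, after_good


def lockout_scenario():
    """Three more failures at DC3 push the PDCe to the threshold although no
    other DC individually reaches it."""
    d = Domain(pdce="PDCe1", dcs=["PDCe1", "DC2", "DC3", "DC4"], threshold=5)
    d.bad_pwd_count.update({"PDCe1": 2, "DC2": 0, "DC3": 1, "DC4": 1})
    counts = dict(d.bad_pwd_count)
    for _ in range(3):
        counts = d.bad_password("DC3")
    return counts, d.locked_out


if __name__ == "__main__":
    bad, good = thread_scenario()
    print("after bad password at DC2: ", bad)
    print("after good password at DC2:", good)
    counts, locked = lockout_scenario()
    print("after 3 more at DC3:", counts, "locked out:", locked)
```

The practical consequence for an investigation is the one the model makes visible: because the counters are local and only the PDCe sees the aggregate, the PDCe is the DC to query when reconstructing how an account reached the threshold, and the other DCs' lower numbers are not stale replication but their own partial view.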


[NTSysADM] RE: ADFS 2.0 - Tracing Log - MSIS3020, MSIS3055, MSIS7012

2016-05-08 Thread Brian Desmond
Chris-

Best way to troubleshoot this (at least to start) is to use Fiddler to get the 
actual SAML Request from a browser and then compare it to the settings on the 
RP Trust. You want to look at the identifiers tab more than likely.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ferguson, Chris
Sent: Thursday, May 5, 2016 3:14 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] ADFS 2.0 - Tracing Log - MSIS3020, MSIS3055, MSIS7012

Hi All:

I've searched the googles and came up short, so I'm reaching out to the group.
We're having a problem with ADFS.  We want to let $cloud.service use ADFS to 
SSO-authenticate users.  We've exchanged metadata with $cloud.service and 
confirmed identities in the ADFS configuration, but we're still unable to get 
the cloud service to load. We're presented with this error when trying to 
authenticate over SSO.

sso.[domain].com
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the 
reference number to identify the problem.
Reference number: [session_number]

When I check the ADFS Debug logs, I see a few errors that don't make sense to 
me and the googles only made the problem clear as mud:

MSIS3020: The relying party trust with identifier '$cloud.service' could not be 
located.
MSIS3055: The requested relying party trust '$cloud.service' is unspecified or 
unsupported. If a relying party trust was specified, it is possible the user 
does not have permission to access the relying party trust

Detailed Exception before setting on http context 
'Microsoft.IdentityServer.Web.RequestFailedException: An error occurred during 
the return of an error to the SAML Service Provider. ---> 
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error 
occurred while processing the request. Contact your administrator for details. 
---> System.ServiceModel.FaultException: The creator of this fault did not 
specify a Reason.
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
   at Microsoft.IdentityServer.Web.Dispatchers.SamlErrorDispatcher.DispatchInternal(PassiveContext context)
   --- End of inner exception stack trace ---'.

I've checked and the relying party identifier IS listed in the configuration.

The ADFS server is already utilizing SSO for another cloud.service and is 
working without issue.

Server: Server 2008 R2 Enterprise
Application: ADFS 2.0

Any troubleshooting steps would be appreciated.

Thanks,
Chris

Chris Ferguson
IT Manager, Infrastructure and Operations

NEPC, LLC
255 State Street
Boston, MA  02109
P: +1 (617) 374-1300
M: +1 (978) 257-9789
www.nepc.com

YOU DEMAND MORE.  So do we.
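Brian's suggestion is to compare what the browser actually sends with what the RP trust is configured to accept, since MSIS3020 means the Issuer in the request was not found among the trust identifiers. The following is an added example, not code from the thread and not AD FS code: it decodes a SAMLRequest from an HTTP-Redirect binding URL of the kind a Fiddler capture shows (base64 over raw DEFLATE), pulls out the Issuer, and checks it against a constructed identifier list, flagging the near miss (trailing slash, case) that in practice is the usual cause. The AuthnRequest, the identifiers and the host sso.example.test are all constructed.

```python
"""Decode the SAML AuthnRequest a browser sends to AD FS (HTTP-Redirect
binding) and compare its Issuer with the relying party trust identifiers.

Added example, not from the thread and not AD FS code. The AuthnRequest and
the identifier list are constructed. AD FS reports MSIS3020 when the Issuer
it receives is not found among the configured identifiers; the comparison
is exact, so a trailing slash or a scheme difference is enough to miss.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Identifiers as configured on the RP trusts (constructed for the example).
CONFIGURED_RP_IDENTIFIERS = {
    "https://cloud.service.example/sso",
    "https://other.service.example",
}


def encode_redirect_request(xml_text: str) -> str:
    """What an SP does for the HTTP-Redirect binding: raw DEFLATE (no zlib
    header, hence wbits=-15), base64, then percent-encode for the query."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect_request(url: str) -> str:
    """Reverse the encoding on a captured redirect URL (what Fiddler shows)."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    value = params["SAMLRequest"][0]          # parse_qs already percent-decodes
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def request_issuer(xml_text: str) -> str:
    """The Issuer element is what AD FS looks up against RP trust identifiers."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer")
    return issuer.text.strip()


def check_issuer(issuer: str, configured) -> dict:
    """Exact match is required; a near miss (only slash or case differs) is
    reported separately because that is the usual cause of MSIS3020."""
    if issuer in configured:
        return {"match": issuer, "near_miss": None}

    def norm(s):
        return s.rstrip("/").lower()

    near = sorted(c for c in configured if norm(c) == norm(issuer))
    return {"match": None, "near_miss": near[0] if near else None}


# Constructed AuthnRequest: note the trailing slash on the Issuer, which the
# configured identifier lacks.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2016-05-05T15:14:00Z"
    AssertionConsumerServiceURL="https://cloud.service.example/acs">
  <saml:Issuer>https://cloud.service.example/sso/</saml:Issuer>
</samlp:AuthnRequest>"""

# The redirect a browser would follow; sso.example.test is a placeholder host.
SAMPLE_URL = ("https://sso.example.test/adfs/ls/?SAMLRequest="
              + encode_redirect_request(SAMPLE_REQUEST))


def analyse(url: str = SAMPLE_URL) -> dict:
    """Issuer from the captured URL plus the result of the identifier check."""
    issuer = request_issuer(decode_redirect_request(url))
    result = check_issuer(issuer, CONFIGURED_RP_IDENTIFIERS)
    result["issuer"] = issuer
    return result


if __name__ == "__main__":
    print(analyse())
```

To use it on a real capture, paste the full redirect URL from Fiddler into `analyse()` and fill `CONFIGURED_RP_IDENTIFIERS` from the Identifiers tab of the RP trust; a `near_miss` result means the trust exists but the identifier string differs from what the service sends, which is what Brian's comparison is meant to surface.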




RE: [NTSysADM] ADMT and a Copied DC

2015-04-02 Thread Brian Desmond
So the parent company is willing to give you physical access to a domain 
controller (via this copy), but they won’t stand up a trust? That doesn’t seem 
logical to me when you look at the two risks. What are they concerned about 
with the trust?

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jeremiah Rumball
Sent: Monday, March 30, 2015 8:29 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] ADMT and a Copied DC

Hi all,

I'm reviewing a possible solution to a problem we are facing and would like to 
get some of your input. We have a client, I'll refer to them as the source, 
that we will be migrating to our destination. The source is a child of a 
parent company, though from an AD standpoint it was not set up this way. The 
same, single domain for both parent and child employees. The domain belongs to 
the parent. The current issue is how to migrate just the child company AD 
objects to the AD destination we've built. They will be moving to a new forest 
but would like to maintain SIDs, passwords, etc. for all AD user 
accounts/groups. The first solution that came up was ADMT via a trust to the 
source domain.  However, the parent company will not allow this. Option 2 is to 
get a copy of a DC from the source (VM), spool it up in the destination 
environment and then implement the trust/ADMT process locally. I've got some 
concern about this process but would love to get some feedback from anyone who 
has ever run into this (or something similar) before.

Thanks!

Jeremiah


RE: [NTSysADM] RE: mapped drives GPO

2015-04-01 Thread Brian Desmond
Since these are GPPrefs, have you enabled logging for the drive mapping part of 
the CSE? You can have it log verbose data which might point you in the right 
direction.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Wednesday, April 1, 2015 6:23 AM
To: 'ntsysadm@lists.myitforum.com'
Subject: RE: [NTSysADM] RE: mapped drives GPO

I have been looking in events and so far nothing.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of James Rankin
Sent: Wednesday, April 01, 2015 7:16 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: mapped drives GPO

Usually when a Group Policy Preferences Action fails (I'm assuming that's what 
you're using) it writes something to the event logs. Is this happening in this 
case?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of David McSpadden
Sent: 01 April 2015 11:59
To: NT
Subject: RE: [NTSysADM] RE: mapped drives GPO

Hardware is identical on all 13 machines.
No extra drive letters.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of J- P
Sent: Tuesday, March 31, 2015 9:44 PM
To: NT
Subject: RE: [NTSysADM] RE: mapped drives GPO

Is the hardware identical on all machines, are there perhaps other drives 
(USB, card reader, etc.) using the same drive letter?

Does disk mgmt show anything? Can you try changing the drive letter in the 
script?


Jean-Paul Natola


From: dav...@imcu.com
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: mapped drives GPO
Date: Tue, 31 Mar 2015 23:31:26 +
Manually works fine.
There are 13 pc's in this OU.
11 are working for any user.
2 are not working for any user.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Aakash Shah
Sent: Tuesday, March 31, 2015 5:35 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: mapped drives GPO

Depending on how it is mapped, sometimes you need to enable always wait for 
the network at startup.

Also, I assume that you can manually connect when logged in as the user?  If 
not, check permissions/firewall rules, etc.

-Aakash

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of David McSpadden
Sent: Tuesday, March 31, 2015 1:04 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] mapped drives GPO

I have two PCs in one OU out of 13 and they are not mapping their drives like 
all other PCs.
AD 2012 R2
Windows 7 32 bit
I have the gpsvc.log from the PC. It appears that these drives should be 
mapping but they do not appear in My Computer?

This e-mail and any files transmitted with it are property of Indiana Members 
Credit Union, are confidential, and are intended solely for the use of the 
individual or entity to whom this e-mail is addressed. If you are not one of 
the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender and delete this 
message immediately from your computer. Any other use, retention, 
dissemination, forwarding, printing, or copying of this email is strictly 
prohibited.

Please consider the environment before printing this email.

[NTSysADM] RE: DCDiag error: Error BUILTIN\Administrators doesn't have Replicating Directory Changes All access rights for the naming context

2015-02-04 Thread Brian Desmond
I don't know offhand but it's possible that something failed when they did 
adprep /forestprep and it missed that step (I assume that's where it's added). 
I would expect you could just add it to the Config NC head and be on your way.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Webster
Sent: Wednesday, February 4, 2015 6:15 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] DCDiag error: Error BUILTIN\Administrators doesn't have 
Replicating Directory Changes All access rights for the naming context

Working with a company that is just now starting their WinXP to Win7 migration. 
 All their servers are still Server 2003 so all 18 of the domain controllers 
are Server 2003.  Their FFL is Server 2003.

When I run DCDiag, all 18 DCs get the following error:

Error BUILTIN\Administrators doesn't have Replicating Directory Changes All 
access rights for the naming context:
 CN=Configuration,DC=web,DC=com

According to http://support.microsoft.com/kb/829306 , this should happen when 
running the Server 2003 version of dcdiag.exe when there are no 2003 DCs.  Not 
the case here.

I haven't seen an all Server 2003 environment in a while, so I am assuming all 
they need to do is use ADSIEdit and make sure BUILTIN\Administrators has the 
Replicate Directory Changes permission?

Thanks


Webster




RE: [NTSysADM] Dynamic Access control in Windows Server 2012 R2 question

2015-01-02 Thread Brian Desmond
Correct – the claims are part of the user’s Kerb ticket. So even after that 
attribute changes, they’ll maintain access for the lifetime of their existing 
ticket.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Charles F Sullivan
Sent: Friday, January 2, 2015 1:26 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Dynamic Access control in Windows Server 2012 R2 
question

I can only guess at this, but if you were using the old method of simply 
relying on group membership and you had removed the user from a group which had 
access while they were logged on to a computer, they would still have access 
from that computer (based on the access token they got when they logged on while 
having membership in the group).  As far as I know from my own experience, they 
would continue to have access until they logged off from the machine, or until 
their Kerberos ticket reached its end of life.  I think, though I’m not sure, 
that DAC also relies on the user’s access token.

I’m hoping someone else has a more definitive answer.  One thing that makes me 
question my own contention is that it was only 10 minutes, though it’s possible 
that the Kerberos ticket only had 10 minutes left to its TTL.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Christopher Bodnar
Sent: Friday, January 2, 2015 10:45 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Dynamic Access control in Windows Server 2012 R2 question

Just got around to playing with this in a Dev environment. Very interesting 
stuff. Got it all to work perfectly. Just have one question.

So for my Dev environment I had a test setup where it would allow access to a 
share based on the “department” attribute in AD. If in “Sales” or “HR”, allow. 
Worked great. Then what I did was modify one of the “Sales” users’ department 
attribute. So they had access before…. Then after the change it should have 
denied them access. I found in testing (using the effective permissions tab on 
the file server) that it took about 10 minutes for this to deny the user. That 
surprised me. It wasn’t a change to any of the DAC items (policy, list, etc…), 
nor was it a Group Policy change. It was a change to the attribute of the user. 
So where was that being cached, that it took 10 minutes? In my test environment 
I only have 1 DC.

Also, from what I have read…. a Windows 7 client should work with this. So far 
I’ve only tested with a 2012 R2 client. Can anyone confirm that?

Thanks

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com




This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.


RE: [NTSysADM] Windows CA Server

2014-10-14 Thread Brian Desmond
I’d ask the question of why you need a CA for this?

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Matthew W. Ross
Sent: Monday, October 13, 2014 5:58 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Windows CA Server

We have been happily getting by without doing SSL inspection on our content 
filter. Now, it seems that we may need to take that next step.

I'm making a windows CA server on our VMWare cluster now.

Before I get too deep, any gotchas I should be looking for? Looking into 
this, it looks like I might be diving right into the deep end. Time for a lot 
of reading...


--Matt Ross
Ephrata School District


RE: [NTSysADM] Windows Service account management

2014-10-08 Thread Brian Desmond
IIS App Pools
Window Services
Scheduled Tasks

All support them. If you can use them, do it – they solve a gap.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Wednesday, October 8, 2014 5:44 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Windows Service account management

IIS app pools support them.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Wednesday, October 8, 2014 5:03 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Windows Service account management

Including GMSAs? I was thinking about using one for the IIS load balanced 
services that communicate with NetScaler, should I check it out more heavily 
before testing?

On 8 October 2014 22:00, Michael B. Smith 
mich...@smithcons.com wrote:
Uh… MSAs have limited support with enterprise applications and services.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of James Rankin
Sent: Wednesday, October 8, 2014 4:53 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Windows Service account management

Didn't know about those... awesome. Shall be experimenting tomorrow!

On 8 October 2014 21:50, Dave Lum 
li...@theitgarage.com wrote:
Here's a read for you along those lines:
http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

 Slight thread hijack - does anyone use the Managed Service Accounts feature
 of AD? I always thought it was a good idea, but it couldn't really stretch
 to the scope I wanted. Wondering if anyone is finding use for it.



 On 8 October 2014 21:40, Dave Lum 
 li...@theitgarage.com wrote:

 I've been tasked to create documentation on creation and management of
 Windows Service accounts, does anyone here have something I can use and
 modify?

 TIA,
 Dave

 --
 *James Rankin*
 -
 RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization
 Practice Analyst - Desktop Virtualization
 http://appsensebigot.blogspot.co.uk


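The thread above lists IIS application pools, Windows services and scheduled tasks as the three places a group managed service account can be plugged in, but none of the posts show the setup end to end. The following PowerShell is an added example, not code from any of the posters; it assumes a domain with the RSAT ActiveDirectory module available, two hypothetical web hosts WEB01 and WEB02, a gMSA named svc-web in a domain called CORP, and placeholder names for the service (MyLobService), app pool (LobPool) and task (NightlyExport).

```powershell
# Added example (not from the thread). Assumed names: gMSA 'svc-web' in domain CORP,
# hosts WEB01/WEB02, service 'MyLobService', IIS app pool 'LobPool', task 'NightlyExport'.
# Steps 1-3 run once, as a domain admin, on any machine with the AD RSAT module.

Import-Module ActiveDirectory

# 1. One-time forest prerequisite: the KDS root key. With -EffectiveImmediately the DCs
#    still wait about 10 hours before they will hand out gMSA passwords, so create it
#    well ahead of the first New-ADServiceAccount.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. A group of the hosts allowed to retrieve the managed password. Granting the group
#    rather than the computer objects means adding a node later is a membership change
#    (plus a reboot of that node so its computer token picks the group up).
$hostGroup = 'gMSA-svc-web-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

# 3. The gMSA. If clients reach the IIS farm through a load-balanced name, that name's
#    SPN has to live on the gMSA, not on either host, for Kerberos to work.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ServicePrincipalNames 'HTTP/lob.corp.example' `
    -ManagedPasswordIntervalInDays 30

# --- Steps 4-7 run on each host, after a reboot so the host token carries $hostGroup ---

# 4. The check to run before touching any service: if the host cannot fetch the
#    password now, the service will later fail to start with a logon failure.
Install-ADServiceAccount -Identity 'svc-web'
if (-not (Test-ADServiceAccount -Identity 'svc-web')) {
    throw 'This host cannot retrieve the managed password for svc-web; check group membership and reboot.'
}

# 5. Windows service. The account name ends in '$' and the password is left empty
#    because the host fetches it from AD itself. sc.exe needs the space after 'obj='.
sc.exe config MyLobService obj= 'CORP\svc-web$' password= ''

# 6. IIS application pool. identityType 3 is SpecificUser; again no password is stored.
Import-Module WebAdministration
Set-ItemProperty 'IIS:\AppPools\LobPool' -Name processModel -Value @{
    userName     = 'CORP\svc-web$'
    password     = ''
    identityType = 3
}

# 7. Scheduled task. LogonType Password tells the Task Scheduler to obtain the
#    password on its own, which is exactly what a gMSA permits.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File C:\Jobs\Export.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '2:00 AM'
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\svc-web$' -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'NightlyExport' -Action $action -Trigger $trigger -Principal $principal
```

Test-ADServiceAccount in step 4 is the part worth keeping in a runbook: it exercises the same password retrieval the service will do at start, so a false there points at group membership or KDS key timing rather than at the application.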

RE: [NTSysADM] AD OU Modeling tools

2014-08-18 Thread Brian Desmond
Just saw this thread as well...

Couple thoughts:

1. Hopefully your design is repeatable/predictable enough that you shouldn't 
need to show every single OU to communicate the design philosophy.
2. Plan on using multiple drawings for different components (structure, 
delegation, Group Policy, etc.). You can play with layers in Visio also if you 
want as an alternative. 
3. I've more or less fired Visio as the tool for this and do most of it in 
PowerPoint now. I have the whole design deliverable packaged up in a nice deck. 
It's easy to quickly customize and present to different audiences and it's 
straight to the point. I used to have this 100 page Word Document I always 
delivered but I have more or less put that thing in the graveyard.

Thanks,
Brian

Thanks,
Brian Desmond
br...@briandesmond.com
 
w - 312.625.1438 | c - 312.731.3132

 -Original Message-
 From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
 On Behalf Of Ken Schaefer
 Sent: Monday, July 14, 2014 5:10 PM
 To: ntsysadm@lists.myitforum.com
 Subject: RE: [NTSysADM] AD OU Modeling tools
 
 My advice is not to try to line things up in Visio using a mouse - use the shape
 size/position window and pick nice round numbers e.g.
 
 X:0   Y:0 for the first OU
 X:20  Y:0 for the second OU
 X:30  Y:0 for the third OU
 
 Indent by e.g. 10mm for each sub OU
 
 Create a couple of trees so that you don't end up with one huge long list of OUs
 
 Visio 2013 will provide auto-guides to help line up subsequent objects after
 you've done the first few, with the same spacing etc.
 
 I've done AD OU designs for pretty large orgs (up to 80K users) in Visio without
 issues, and 50 OUs isn't really that much.
 
 I wouldn't try to do the design on a projector in real-time though. Get your
 design principles, delegation model, security requirements etc. signed off first,
 and then the OU design naturally flows from that. You should be able to print
 out 1-2 A3 sheets, and get that signed off.
 
 Cheers
 Ken
 
 -Original Message-
 From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
 On Behalf Of Mark Liechty
 Sent: Tuesday, 15 July 2014 9:47 AM
 To: ntsysadm@lists.myitforum.com
 Subject: Re: [NTSysADM] AD OU Modeling tools
 
 My starting point is something like 400 OU, finishing will be less than 50.
 
 Trying to get that many lined up in Visio becomes a major pain for little value (I
 think) compared to being easily able to build and rename folders in Explorer at
 will. Again, I am not sure if the idea is good or bad and am open to whatever
 ideas others have done.
 
 
 The exports of the current config to Visio have been priceless.  The export of the
 as-built to Visio will also be great.  It is the design and modeling that I am
 looking for ideas on.
 
 They fired the last guy who was working on the design when the Visio model he
 tried to present printed to 20 plus pages...  he was trying to please everyone
 and it did not work out well.   I figure we will debate crap like OU names and if I
 can have a quick and easy interface to do so on the projector things will end
 better for me :)
 
 
 
 
 On Jul 14, 2014, at 4:40 PM, Ken Schaefer k...@kj.net.au wrote:
 
  Why does building a new model suck in Visio?
 
  Cheers
  Ken
 
  -Original Message-
  From: listsad...@lists.myitforum.com
  [mailto:listsad...@lists.myitforum.com] On Behalf Of Mark Liechty
  Sent: Tuesday, 15 July 2014 8:41 AM
  To: ntsysadm@lists.myitforum.com
  Subject: Re: [NTSysADM] AD OU Modeling tools
 
  On Jul 14, 2014, at 3:29 PM, Kurt Buff kurt.b...@gmail.com wrote:
 
  Perhaps this:
  http://www.microsoft.com/en-us/download/details.aspx?id=13380
 
   The Microsoft Active Directory Topology Diagrammer reads an Active
   Directory configuration using LDAP, and then automatically generates
   a Visio diagram of your Active Directory and/or your Exchange
   Server topology. The diagrams may include domains, sites, servers,
   organizational units, DFS-R, administrative groups, routing groups
   and connectors and can be changed manually in Visio if needed.
 
  Thanks Kurt, at least I am on the right track.
 
   I have played with that tool a bit. The problem seems to be that when you get
  a couple of hundred OU the diagrams are really hard to work with and building a
  new model sucks in Visio.  Hence my thought that for the purpose of putting the
  concepts together Explorer and folders may be workable.
  
   Lot of people have done a lot of cool things and I figured asking here may stir
  up answers that I have both thought of.
  

RE: [NTSysADM] Where are cluster share definitions kept? (registery, etc)

2014-08-18 Thread Brian Desmond
I assume under the Cluster key that gets replicated?

Thanks,
Brian Desmond
br...@briandesmond.com
 
w – 312.625.1438 | c – 312.731.3132

 -Original Message-
 From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
 On Behalf Of Michael Leone
 Sent: Friday, August 8, 2014 11:37 AM
 To: ntsysadm@lists.myitforum.com
 Subject: [NTSysADM] Where are cluster share definitions kept? (registery, etc)
 
  Further to my recent discussion about saving share definitions by saving the
  registry key they are stored in, where are the share definitions and permissions
  kept for a cluster? They're not in the same registry key as non-clustered shares,
  but I can't find out where they are, to export and save those. And my web
  searches are failing me.
  
  Anyone know what registry key I might be able to save, that has the share
  definitions and permissions?
 

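Whatever key the cluster database keeps them under, the share definitions and share-level ACLs of a clustered file server can be read and re-created through the SmbShare cmdlets, which is the supported way to back them up. The following PowerShell is an added example, not from any post in the thread; it assumes Windows Server 2012 or later on a node that currently owns the file server role, and the export path is a placeholder.

```powershell
# Added example (not from the thread). Exports every clustered SMB share with its
# share-level ACL to a CliXml file, and re-creates them from that file.
# Assumed: Server 2012+ node that owns the file server role; path is a placeholder.

function Export-ClusterShareDefinitions {
    param([string]$Path = 'C:\Backup\ClusterShares.clixml')

    # ScopeName is '*' for shares the local node owns itself; clustered shares carry the
    # file server role's client access point name as their scope. Special = admin shares.
    $shares = Get-SmbShare | Where-Object { $_.ScopeName -ne '*' -and -not $_.Special }

    $export = foreach ($share in $shares) {
        $acl = Get-SmbShareAccess -Name $share.Name -ScopeName $share.ScopeName
        [pscustomobject]@{
            Scope       = $share.ScopeName
            Name        = $share.Name
            Path        = $share.Path
            Description = $share.Description
            Access      = @($acl | ForEach-Object {
                [pscustomobject]@{
                    Account = $_.AccountName
                    Type    = "$($_.AccessControlType)"   # Allow / Deny
                    Right   = "$($_.AccessRight)"         # Full / Change / Read
                }
            })
        }
    }
    $export | Export-Clixml -Path $Path
    return $export
}

function Restore-ClusterShareDefinitions {
    # Re-creates missing shares from an export. Run on the node that owns the role,
    # after the role and its disks are online. Existing shares are left untouched.
    param([Parameter(Mandatory)][string]$Path)

    foreach ($def in Import-Clixml -Path $Path) {
        if (Get-SmbShare -Name $def.Name -ScopeName $def.Scope -ErrorAction SilentlyContinue) { continue }

        New-SmbShare -Name $def.Name -ScopeName $def.Scope -Path $def.Path -Description $def.Description | Out-Null
        # New-SmbShare grants Everyone:Read by default; replace it with the exported ACL.
        Revoke-SmbShareAccess -Name $def.Name -ScopeName $def.Scope -AccountName 'Everyone' -Force | Out-Null
        foreach ($ace in $def.Access) {
            if ($ace.Type -eq 'Allow') {
                Grant-SmbShareAccess -Name $def.Name -ScopeName $def.Scope -AccountName $ace.Account -AccessRight $ace.Right -Force | Out-Null
            } else {
                Block-SmbShareAccess -Name $def.Name -ScopeName $def.Scope -AccountName $ace.Account -Force | Out-Null
            }
        }
    }
}

# Usage:
# Export-ClusterShareDefinitions -Path 'C:\Backup\ClusterShares.clixml' | Format-Table Scope, Name, Path
# Restore-ClusterShareDefinitions -Path 'C:\Backup\ClusterShares.clixml'
```

Note that this captures only share-level permissions; the NTFS ACLs on the underlying paths are a separate export (icacls /save or Get-Acl), and the two together are what a rebuild needs.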


RE: [NTSysADM] it contracts

2014-08-04 Thread Brian Desmond
I generally won't touch anything - big or small - without an MSA and SOW in 
place. The MSA the customer signs once and then each engagement covered by the 
MSA has a separate SOW that gets signed.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Greene
Sent: Monday, August 4, 2014 9:07 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] it contracts

Hi all,

We provide IT support to customers on both a recurring (managed services) model 
and a non-recurring (break-fix and/or project) model. We have a nice complete 
contract covering all the bases for the managed services customers, but in the 
case of the break-fix customers, the only thing we make them sign are quotes 
(on the projects). Random one-off support items are not generally included 
under any kind of legal document.

We're about to do a big project for a break-fix customer, and we're thinking it 
would be wise to accompany our quote with some boiler-plate legalese, too. Key 
parameters would probably include a limitation of liability clause (i.e. our 
financial liability is limited to the $$ paid us for the project or particular 
support we perform; we can't be responsible for $$ lost due to lost business, 
etc.), force majeure, etc.

Do you all require a contract of some kind on your projects? Or even just your 
break-fix work? If so, what key parameters do you include?

Thanks,
Adam




RE: [NTSysADM] service account question

2014-07-10 Thread Brian Desmond
At service start it’s going to logon and get a token.

You can use Process Explorer to look at a process’ security token.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Thursday, July 10, 2014 3:08 PM
To: NTSysADM@lists.myitforum.com
Subject: [NTSysADM] service account question

I've got an application that uses a domain account to run a service. I needed 
to add that account to an additional group... when does group membership 
evaluation happen for a service account? When the service is started and 
restarted? Not at computer reboot? Right?

Also is there a way to see this. for example can I see the current group 
membership that the currently running service thinks it has? before the restart 
of the services? I know I can logon as that account and get the information, 
but that will evaluate new, not what is currently running in the service.

Would Process Explorer show me this?

Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com

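Both the service-account thread just above and the Dynamic Access Control thread earlier on this page come down to the same fact: a token is built when the logon happens (service start, or the user's interactive logon) and keeps the group SIDs and claims it was built with until a new logon produces a new token. The following PowerShell is an added example, not code from any poster and not Process Explorer; it reads the group SIDs and claims out of a running process's primary token and, for a service, compares those groups with what a domain controller would put in a fresh token now (the account's constructed tokenGroups attribute). It assumes an elevated PowerShell 5.1 session on the host, domain connectivity, and the placeholder service name MyLobService.

```powershell
# Added example (not from either thread). Requires an elevated session on the host.
# Assumed: the service name 'MyLobService' in the usage lines at the end.

Add-Type -Namespace Win32 -Name NativeToken -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-ProcessTokenInfo {
    # Returns the account, group SIDs and claims the process's primary token was built
    # with. For a service that is the token created at service start; group changes made
    # in AD since then are not in it until the service is restarted.
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY = 0x0008

    $hProc = [Win32.NativeToken]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed: $([ComponentModel.Win32Exception]::new().Message)"
    }
    $hToken = [IntPtr]::Zero
    try {
        if (-not [Win32.NativeToken]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hToken)) {
            throw "OpenProcessToken failed: $([ComponentModel.Win32Exception]::new().Message)"
        }
        # WindowsIdentity duplicates the handle internally, so ours can be closed in finally.
        $identity = New-Object System.Security.Principal.WindowsIdentity($hToken)
        $groups = foreach ($sid in $identity.Groups) {
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # deleted group or unreachable DC: keep the raw SID
        }
        [pscustomobject]@{
            ProcessId    = $ProcessId
            User         = $identity.Name
            UserSid      = $identity.User.Value
            Groups       = @($groups | Sort-Object)
            GroupSids    = @($identity.Groups | ForEach-Object Value)
            # DAC user/device claims carried in the token; empty unless the domain issues claims.
            UserClaims   = @($identity.UserClaims   | ForEach-Object { "$($_.Type)=$($_.Value)" })
            DeviceClaims = @($identity.DeviceClaims | ForEach-Object { "$($_.Type)=$($_.Value)" })
        }
    }
    finally {
        if ($hToken -ne [IntPtr]::Zero) { [void][Win32.NativeToken]::CloseHandle($hToken) }
        [void][Win32.NativeToken]::CloseHandle($hProc)
    }
}

function Get-AdTokenGroupSids {
    # What a DC would put in a new token for the account right now: the constructed
    # tokenGroups attribute, i.e. transitive group membership as SIDs.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the current domain" }
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))   # constructed attribute: must be asked for explicitly
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Compare-ServiceTokenGroups {
    # Lists domain groups AD grants the service account now that the running service has
    # not picked up (and vice versa). Any output means a restart is needed to apply them.
    param([Parameter(Mandatory)][string]$ServiceName)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc -or $svc.ProcessId -eq 0) { throw "Service '$ServiceName' is not running" }
    if ($svc.StartName -notmatch '\\|@' -or $svc.StartName -like 'NT *') {
        throw "Service '$ServiceName' runs as '$($svc.StartName)', not a domain account"
    }

    $token = Get-ProcessTokenInfo -ProcessId $svc.ProcessId
    $sam   = (($svc.StartName -split '\\')[-1] -split '@')[0]   # 'CORP\svc' or 'svc@corp' -> 'svc'
    # Compare only S-1-5-21-... account SIDs: logon-session and well-known SIDs are added
    # locally at logon and never appear in tokenGroups.
    $isAccount = { ([System.Security.Principal.SecurityIdentifier]$_).IsAccountSid() }
    $fresh   = @(Get-AdTokenGroupSids -SamAccountName $sam | Where-Object $isAccount | Sort-Object)
    $running = @($token.GroupSids | Where-Object $isAccount | Sort-Object)

    Compare-Object -ReferenceObject $fresh -DifferenceObject $running | ForEach-Object {
        [pscustomobject]@{
            Sid   = $_.InputObject
            State = if ($_.SideIndicator -eq '<=') { 'in AD now, not in running token' } else { 'in running token, no longer in AD' }
        }
    }
}

# Usage (assumed service name):
# Get-ProcessTokenInfo -ProcessId (Get-CimInstance Win32_Service -Filter "Name='MyLobService'").ProcessId
# Compare-ServiceTokenGroups -ServiceName 'MyLobService'
```

For the DAC question, the same Get-ProcessTokenInfo run against one of the user's own processes (explorer.exe, for instance) shows the UserClaims that user's client-side token was built with at logon, which is the value that stays in force until a new token is issued.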


[NTSysADM] RE: Alright brainiacs - anyone good with powershell and sorting array's?

2014-06-23 Thread Brian Desmond
So what are you trying to print out in a sorted fashion? I don't see anything 
at the bottom other than some blank space and invalid statuses.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Danvers, Jim
Sent: Monday, June 23, 2014 10:59 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Alright brainiacs - anyone good with powershell and 
sorting array's?

Right on - thanks.  See below:

#
# Create user accounts in AD, Exchange and Lync.
# This script will take input from the host and create user accounts based on
# that information.
#
# Requirements:
#  [+] Exchange Management Console installed.
#  [+] Lync Powershell module installed.

Import-Module Lync

$cfgTab = [char]9
$cfgCompany = "Big Company Inc";
$cfgMailDomain = "@bigco.com"; # E-mail domain

#=
# A series of hash tables for office information.
#=
$cfgAlbany = @{
  OU = "OU=Users,OU=Albany,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgAllentown = @{
  OU = "OU=Users,OU=Allentown,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgArizona = @{
  OU = "OU=Users,OU=Arizona,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgArkansas = @{
  OU = "OU=Users,OU=Arkansas,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgBinghamton = @{
  OU = "OU=Users,OU=Binghamton,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgBinghamtonTransportation = @{
  OU = "OU=Users,OU=Binghamton Transportation,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgBurlington = @{
  OU = "OU=Users,OU=Burlington,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgChesterfield = @{
  OU = "OU=Users,OU=Chesterfield,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgCincinnati = @{
  OU = "OU=Users,OU=Cincinnati,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgHatfield = @{
  OU = "OU=Users,OU=Hatfield,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgKentucky = @{
  OU = "OU=Users,OU=Kentucky,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgLaFargeville = @{
  OU = "OU=Users,OU=LaFargeville,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
# Variable names cannot contain a space: "$cfgLas Vegas" would not parse.
$cfgLasVegas = @{
  OU = "OU=Users,OU=Las Vegas,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgLevittown = @{
  OU = "OU=Users,OU=Levittown,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgLycoming = @{
  OU = "OU=Users,OU=Lycoming,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgOneida = @{
  OU = "OU=Users,OU=Oneida,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgPaterson = @{
  OU = "OU=Users,OU=Paterson,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgPhilly = @{
  OU = "OU=Users,OU=Philly,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgPlattsburgh = @{
  OU = "OU=Users,OU=Plattsburgh,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgPortland = @{
  OU = "OU=Users,OU=Portland,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgRemotes = @{
  OU = "OU=Users,OU=Remotes,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgSacramento = @{
  OU = "OU=Users,OU=Sacramento,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgSodus = @{
  OU = "OU=Users,OU=Sodus Corp,OU=Sodus,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgSuffield = @{
  OU = "OU=Users,OU=Suffield,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgSyracuse = @{
  OU = "OU=Users,OU=Syracuse,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgUniontown = @{
  OU = "OU=Users,OU=Uniontown,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgVernonPlant = @{
  OU = "OU=Users,OU=Vernon Plant,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgVernonTrans = @{
  OU = "OU=Users,OU=Vernon Trans,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgWestchester = @{
  OU = "OU=Users,OU=Westchester,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgWinchester = @{
  OU = "OU=Users,OU=Winchester,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgYork = @{
  OU = "OU=Users,OU=York,DC=bigco,DC=com";
  DC = "bigdaddydc1" };
$cfgYoungstown = @{
  OU = "OU=Users,OU=Youngstown,DC=bigco,DC=com";
  DC = "bigdaddydc1" };

#=
# A hash table, keyed by office name, of the office tables above. Keys that
# contain a space must be quoted. A hashtable keeps no particular order, so
# sort its entries when listing them.
#=
$cfgOffices = @{
  Albany = $cfgAlbany;
  Allentown = $cfgAllentown;
  Arizona = $cfgArizona;
  Arkansas = $cfgArkansas;
  Binghamton = $cfgBinghamton;
  "Binghamton Transportation" = $cfgBinghamtonTransportation;
  Burlington = $cfgBurlington;
  Cincinnati = $cfgCincinnati;
  Chesterfield = $cfgChesterfield;
  Hatfield = $cfgHatfield;
  Kentucky = $cfgKentucky;
  LaFargeville = $cfgLaFargeville;
  "Las Vegas" = $cfgLasVegas;
  Levittown = $cfgLevittown;
  Lycoming = $cfgLycoming;
  Oneida = $cfgOneida;
  Paterson = $cfgPaterson;
  Philly = $cfgPhilly;
  Plattsburgh = $cfgPlattsburgh;
  Portland = $cfgPortland;
  Remotes = $cfgRemotes;
  Sacramento = $cfgSacramento;
  Sodus = $cfgSodus;
  Suffield = $cfgSuffield;
  Syracuse = $cfgSyracuse;
  Uniontown = $cfgUniontown;
  "Vernon Plant" = $cfgVernonPlant;
  "Vernon Trans" = $cfgVernonTrans
}  # the remainder of the script was cut off in the post
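
The posted script stops before the part that was giving trouble, but the sorting problem it runs into is a general one: a PowerShell hashtable enumerates its entries in no guaranteed order, so a table keyed by office name has to be sorted explicitly when it is turned into a menu. The following is an added example, not the poster's code; the three-entry office table in it is a constructed stand-in for the poster's $cfgOffices, with the same OU/DC shape.

```powershell
# Added example (not from the post). Constructed stand-in for the poster's $cfgOffices.
$cfgOffices = @{
    'Albany'                    = @{ OU = 'OU=Users,OU=Albany,DC=bigco,DC=com';                    DC = 'bigdaddydc1' }
    'Binghamton Transportation' = @{ OU = 'OU=Users,OU=Binghamton Transportation,DC=bigco,DC=com'; DC = 'bigdaddydc1' }
    'Las Vegas'                 = @{ OU = 'OU=Users,OU=Las Vegas,DC=bigco,DC=com';                 DC = 'bigdaddydc1' }
}

function Get-SortedOfficeMenu {
    # Turns the unordered table into an array of entries sorted by office name.
    # GetEnumerator() yields DictionaryEntry objects (Key/Value) that Sort-Object can order;
    # sorting the hashtable object itself does nothing.
    param([Parameter(Mandatory)][hashtable]$Offices)
    return @($Offices.GetEnumerator() | Sort-Object -Property Key)
}

function Select-Office {
    # Prints a numbered, alphabetical menu, validates the reply, and returns the
    # chosen office's name, OU and DC for the account-creation steps that follow.
    param([Parameter(Mandatory)][hashtable]$Offices)

    $sorted = Get-SortedOfficeMenu -Offices $Offices
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        '{0,3}. {1}' -f ($i + 1), $sorted[$i].Key
    }
    do {
        $raw = Read-Host 'Office number'
        $n = 0
        $ok = [int]::TryParse($raw, [ref]$n) -and $n -ge 1 -and $n -le $sorted.Count
        if (-not $ok) { Write-Host "Enter a number between 1 and $($sorted.Count)" }
    } until ($ok)

    $entry = $sorted[$n - 1]
    return [pscustomobject]@{ Name = $entry.Key; OU = $entry.Value.OU; DC = $entry.Value.DC }
}

# Usage:
# $office = Select-Office -Offices $cfgOffices
# New-ADUser ... -Path $office.OU -Server $office.DC
```

Pinning the later New-ADUser call to $office.DC, as the poster's DC field suggests, also keeps the follow-up Exchange and Lync steps reading the object from the DC that created it rather than waiting on replication.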

RE: [NTSysADM] KeePass to all users?

2014-05-27 Thread Brian Desmond
Have you looked at some of the IaaS services? OneLogin I know, for example, 
lets users define their own sites (e.g. the bank) and OneLogin will vault the 
credential and let them login to a single panel with their corp cred. Azure AD 
has that too. 

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Dave Lum
Sent: Tuesday, May 27, 2014 4:07 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] KeePass to all users?

The short answer to Bob's email is just end user passwords. The HR was an 
example I just threw out there but it doesn't really apply to me.

In my specific case I have two users that handle accounting functions that need 
to log into a Wells Fargo bank website, and all users login into a LOB app that 
is AD-unaware. While I have no idea what credentials/passwords they use (other 
than it's not LDAP), I would like to suggest a tool to help them be less 
inclined to use the same password across the board.

Many of these folks are open to ideas like this, and I was mainly wondering if 
anyone had tried to roll this out to non-IT folks. IT teams have no problems 
all using KeePass or Secret Server and the like, it's the non-IT folks I'd like 
to drive towards the same thing.

Dave

 Aside from Bob's excellent input, the quoted use case in the original 
 message is what concerns me. What is causing the HR department have a 
 pile of disjointed passwords rather than a single corporate credential?

 Thanks,
 Brian Desmond
 br...@briandesmond.com

 w - 312.625.1438 | c - 312.731.3132

 -Original Message-
 From: listsad...@lists.myitforum.com
 [mailto:listsad...@lists.myitforum.com] On Behalf Of Free, Bob
 Sent: Tuesday, May 27, 2014 11:51 AM
 To: ntsysadm@lists.myitforum.com
 Subject: RE: [NTSysADM] KeePass to all users?

 What is your overall goal? Just end user passwords or a more 
 comprehensive solution?

 If the latter, look up privileged account management or privileged 
 identity management. A LOT can be done in that space if you have the 
 wherewithal.

 We are deploying a comprehensive solution for PAM and have a password 
 vault solution for end users available for them to install from SCCM RAP.

 -Original Message-
 From: listsad...@lists.myitforum.com
 [mailto:listsad...@lists.myitforum.com] On Behalf Of I.T. Garage
 Sent: Tuesday, May 27, 2014 9:01 AM
 To: ntsysadm@lists.myitforum.com
 Subject: [NTSysADM] KeePass to all users?

 Have any of you deployed a password management tool to every user in 
 your environment? Or perhaps specific departments? While I wouldn't 
 expect 100% usage to everyone that had it, I'm thinking it might be worth the 
 effort.
 Something like:

 You're in HR and have access to confidential data, please use KeePass 
 if you need to keep track of multiple password for apps and websites...?

 Thoughts, comments?

 Dave

 PGE is committed to protecting our customers' privacy.
 To learn more, please visit
 http://www.pge.com/about/company/privacy/customer/













[NTSysADM] RE: Print Drivers - v3 vs v4 With Server 2012r2 Print Server and Windows 7 Clients

2014-04-21 Thread Brian Desmond
Right - you need a cluster. It needs a small bit of shared storage for the 
spooler service, and a disk based quorum if you're using that, plus you get the 
shared name everyone connects to.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Monday, April 21, 2014 3:19 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Print Drivers - v3 vs v4 With Server 2012r2 Print 
Server and Windows 7 Clients

The closest thing is going to be Windows Failover Clustering - we have it with 
2008 R2, and I'm sure it's likely similar with 2012 R2.  Our two backend 
servers have individual names, but the print server is a shared resource name 
that fails over between the nodes.  Thankfully that isn't the print server I'm 
upgrading this summer (yet...)

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Monday, April 21, 2014 12:31 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Print Drivers - v3 vs v4 With Server 2012r2 Print 
Server and Windows 7 Clients

Since we're on this topic, (and not to hijack the thread, it seems sort of 
related) :) , is there a print equivalent to DFS which would make the target 
server transparent to the user? (Or is that what 'point & print' is supposed to do?)

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Aakash Shah
Sent: Monday, April 21, 2014 3:06 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Print Drivers - v3 vs v4 With Server 2012r2 Print 
Server and Windows 7 Clients

For the server that I set up this weekend, I ended up using the v4/Class built 
in drivers for the Brother MFC units.  There was a Dell printer that did not 
appear to have Class drivers, so I used a v3 driver for that.  Testing appeared 
to work over the weekend, but we will see if any problems crop up in the coming 
days/weeks.

I'm still interested in hearing if anyone else has any positive or negative 
experience with the v4/Class drivers (either built in or model specific 
drivers) with Win7 clients (and Win8 too).

From some reading I did, some Class drivers sometimes do not offer all of the 
functionality that the v3 drivers do, and so there may be cases where the v3 
drivers are needed:
http://social.technet.microsoft.com/Forums/en-US/80e00b43-0945-40ff-be18-68b6f7f2ac5b/server-2012-ms-class-drivers-for-printing-no-envelope-feeders?forum=winserverprint

Xerox appears to have a nice matrix that indicates what specific Class driver 
is supported by each of their units:
http://download.support.xerox.com/pub/drivers/Compatibility_Matrix/other/win8/en/Windows8_Matrix.pdf
However, Windows detected the appropriate Class driver for the few printers I 
set up, so this was not necessary.

-Aakash Shah

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Miller Bonnie L.
Sent: Monday, April 21, 2014 10:06 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Print Drivers - v3 vs v4 With Server 2012r2 Print 
Server and Windows 7 Clients

I'm also interested in what you find on this, even if there are no replies 
here, as I will be replacing a WS08 R2 SP1 print server with WS12R2 this 
summer.  Same scenario, the server will be serving mostly Win7 clients for a 
while, but also some 8.1.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Aakash Shah
Sent: Sunday, April 20, 2014 3:44 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Print Drivers - v3 vs v4 With Server 2012r2 Print Server 
and Windows 7 Clients

I am setting up a new Server 2012r2 print server.  All of the clients on the 
network are currently Windows 7.

Is anyone using the newer v4 print drivers, or are people still installing the 
legacy v3 drivers?

For anyone using the newer v4 print drivers, has anyone experienced any 
problems with Windows 7 clients when using the Microsoft enhanced Point and 
Print compatibility driver (this is what Windows 7 appears to use by default 
when connecting to a printer share from a Server 2012r2 server that uses a v4 
print driver)?

Thanks,

-Aakash Shah

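
Before Windows 7 clients are pointed at a 2012 R2 print server it helps to know, per shared printer, whether the driver behind it is v3 or v4, since that decides whether the client installs the vendor driver or the enhanced Point and Print compatibility driver. The following PowerShell is an added example, not from any post in the thread; it uses the PrintManagement cmdlets (Server 2012 / Windows 8 and later) and the server name PRINT01 is a placeholder. The "class driver" column is a name-based heuristic, not a property the spooler exposes.

```powershell
# Added example (not from the thread). Inventories shared printers with their driver
# model (v3 or v4) on a print server. Assumes the PrintManagement module; 'PRINT01'
# in the usage line is a placeholder.

function Get-PrinterDriverVersionReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # One driver name can exist for several environments (x64, x86); the server's own
    # spooler uses the x64 one, so prefer it when several are installed.
    $drivers = Get-PrinterDriver -ComputerName $ComputerName |
        Sort-Object { $_.PrinterEnvironment -ne 'Windows x64' }

    foreach ($p in Get-Printer -ComputerName $ComputerName | Where-Object Shared) {
        $d = $drivers | Where-Object { $_.Name -eq $p.DriverName } | Select-Object -First 1
        [pscustomobject]@{
            Printer       = $p.Name
            ShareName     = $p.ShareName
            Driver        = $p.DriverName
            DriverModel   = if (-not $d) { 'missing' } elseif ($d.MajorVersion -ge 4) { 'v4' } else { 'v3' }
            Environment   = if ($d) { $d.PrinterEnvironment } else { $null }
            # Heuristic: the in-box v4 drivers Windows ships are named "... Class Driver";
            # a vendor's model-specific v4 driver is still v4 but will not match this.
            IsClassDriver = ($p.DriverName -like '*Class Driver*')
        }
    }
}

# Usage:
# Get-PrinterDriverVersionReport -ComputerName 'PRINT01' |
#     Sort-Object DriverModel, Printer | Format-Table -AutoSize
```

Anything reported as v3 is what Windows 7 clients will download and run in their own spooler through Point and Print, which is where the driver-vetting work belongs; the v4 rows are served through the compatibility driver and are the ones to test for missing features such as envelope feeders.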



RE: [NTSysADM] Home router

2014-04-11 Thread Brian Desmond
I've got a 1U Cisco router I use courtesy of ebay - it's been working for many 
years in the corner. Keep in mind when you buy commercial gear, the support 
cost goes way up, and when it breaks and you're not home, it's not exactly end 
user serviceable as the label says. Running a full linux box or something is 
going to run your power bill up too.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Todd Lemmiksoo
Sent: Tuesday, April 8, 2014 9:46 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Home router

I am having trouble searching the list archives for a thread on home routers. 
In that thread was a linux box for $125 that I would like to find. Does anyone 
remember that?

--
T. Todd Lemmiksoo



[NTSysADM] RE: Searching for an account attribute in a multi-site environment

2014-04-11 Thread Brian Desmond
Not sure I understand the question. Are you asking what the expected 
replication latency is? Perhaps you could describe the topology in a bit more 
detail.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Joseph L. Casale
Sent: Monday, April 7, 2014 8:09 PM
To: 'NTSysADM@lists.myitforum.com'
Subject: [NTSysADM] Searching for an account attribute in a multi-site 
environment

I have a situation in a multi-site environment where I am needing to perform 
some logic against an account depending on the value (if any) of the 
targetAddress attr. I am seeing some potential issues in corner cases where 
either an ldap query for the account object itself returns object not found when 
it was just created, or the account is found but the targetAddress attr is blank 
when it was populated on another dc.

What metrics can I use to quantify expected delays for these two scenarios in a 
given environment and given the cases, how have others dealt with this in large 
environments?

Thanks,
jlc

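Two things a create-then-read script needs in a multi-site forest: pin every call in one logical operation to the same domain controller, so the read is guaranteed to see the write, and when a value must already be visible elsewhere, ask each DC whether it has it yet instead of guessing. The following PowerShell is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, a user named jdoe and a targetAddress value as placeholders, and a site topology using the default intersite interval.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
# Placeholders: the account 'jdoe' and the targetAddress value in the usage lines.

Import-Module ActiveDirectory

function New-MailUserPinned {
    # Create and populate the object against a single DC, then read it back from the
    # same DC. The read cannot race replication because nothing has to replicate yet;
    # the change then flows outward from $Server on the normal schedule.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetAddress,
        [string]$Server = [string](Get-ADDomainController -Discover -Writable).HostName
    )
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -Server $Server -PassThru |
        Set-ADUser -Server $Server -Replace @{ targetAddress = $TargetAddress }
    return Get-ADUser -Identity $SamAccountName -Server $Server -Properties targetAddress
}

function Get-AttributeReplicationState {
    # For one object and one attribute, shows per DC whether the object exists there,
    # what value of the attribute it holds, and which originating write that reflects.
    param(
        [Parameter(Mandatory)][string]$Identity,      # sAMAccountName or distinguished name
        [Parameter(Mandatory)][string]$Attribute,     # e.g. 'targetAddress'
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * | ForEach-Object HostName)
    )
    $dn = (Get-ADObject -Filter "sAMAccountName -eq '$Identity'" -ErrorAction SilentlyContinue).DistinguishedName
    if (-not $dn) { $dn = $Identity }   # not a sAMAccountName: treat it as a DN

    foreach ($dc in $DomainControllers) {
        try {
            $obj  = Get-ADObject -Identity $dn -Server $dc -Properties $Attribute -ErrorAction Stop
            $meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -Properties $Attribute -ErrorAction Stop
            [pscustomobject]@{
                DC            = $dc
                ObjectPresent = $true
                Value         = $obj.$Attribute
                Version       = $meta.Version                                  # $null if never set
                OriginatingDC = $meta.LastOriginatingChangeDirectoryServerIdentity
                OriginatingAt = $meta.LastOriginatingChangeTime
            }
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # The creation itself has not reached this DC yet.
            [pscustomobject]@{ DC = $dc; ObjectPresent = $false; Value = $null; Version = $null; OriginatingDC = $null; OriginatingAt = $null }
        }
    }
}

function Get-SiteLinkSchedule {
    # The bound on intersite delay: each link's interval (180 minutes by default) unless
    # change notification is enabled on it (bit 0x1 of the link's options attribute).
    Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, Options |
        Select-Object Name, SitesIncluded, ReplicationFrequencyInMinutes,
                      @{ n = 'ChangeNotification'; e = { (($_.Options -bor 0) -band 1) -eq 1 } }
}

# Usage (placeholders):
# $u = New-MailUserPinned -SamAccountName 'jdoe' -TargetAddress 'SMTP:jdoe@mail.example'
# Get-AttributeReplicationState -Identity 'jdoe' -Attribute 'targetAddress' | Format-Table -AutoSize
# Get-SiteLinkSchedule | Format-Table -AutoSize
```

The per-DC view answers the two corner cases in the question directly: an ObjectPresent of false is the "object not found" case, and a present object whose Version is lower than on the originating DC is the "attribute still blank" case. Within a site, change notification makes both windows short; across sites, without notification, the worst case is the sum of the link intervals along the path.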


RE: [NTSysADM] Windows Thin PC Licensing

2014-03-27 Thread Brian Desmond
The underlined part is your answer. SA is not a one-off that you can purchase 
with anything and get all the SA benefits of another product. You have it over 
server licenses but not over your PCs.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Hank Arnold
Sent: Thursday, March 27, 2014 4:35 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Windows Thin PC Licensing

At the Hospice I support, we have a significant number of XP machines that we 
are trying to mothball, but being a non-profit, money is *VERY* tight. One 
option we are looking into is the Windows Thin PC. We were told that it was 
available only if you have SA. I've read the literature from MS and I'm 
wondering if we are eligible. We do have SA, but it was purchased with some 
Windows 2012 Server licenses. The documentation mentions:

 Customers with active SA coverage on their PCs will be able to install WinTPC 
on those devices. Customers without active SA coverage on their PCs can get SA 
by purchasing a Windows Virtual Desktop Access (VDA) subscription, which 
includes SA benefits such as WinTPC.


Regards,
Hank Arnold

Twitter: @Hank_PCDoc

Facebook: https://www.facebook.com/hank.arnold.96

My Blog: http://it.toolbox.com/blogs/personal-pc-assistant/


RE: [NTSysADM] RE: How much to implement a Cisco telephone implementation

2014-03-27 Thread Brian Desmond
Never had any of these issues with Lync. I use it with a headset as my primary 
phone all the time – both at my desk and when I’m traveling with my laptop. I’m 
often on VPN as well.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Wednesday, March 26, 2014 8:55 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: How much to implement a Cisco telephone 
implementation


More time between flights now.

When we went with shoretel, we went 100% softphone. It was fine for most local 
users at our main location, but not all. It was a disaster for remote users who 
were using VPN for voice.  Call quality was all over the place. The headsets 
would drop off of the list of default devices, and my users could never 
remember how to get them working again. Help desk calls for this went through 
roof. The minute we ditched softphones for handsets, all my problems went away. 
Not having a user's (particularly a remote user's) phone tied to his computer 
has been very successful.
On Mar 26, 2014 6:55 PM, Richard Stovall 
rich...@gmail.com wrote:

Ours were ShoreTel softphones. Very sketchy with the Plantronics USB headsets 
we bought.
On Mar 26, 2014 6:41 PM, Michael B. Smith 
mich...@smithcons.com wrote:
Would you develop that thought further?

I use Lync and Skype extensively as softphones, and I’m pretty happy with their 
performance….

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Richard Stovall
Sent: Wednesday, March 26, 2014 6:36 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: How much to implement a Cisco telephone 
implementation


Softphones are, umm, interesting. Definitely do a trial with a number of 
different types of users before going whole hog.
On Mar 26, 2014 2:16 PM, Stefan Jafs 
sj...@amico.com wrote:
Yes strictly Outlook and Exchange, and this is also about UM, not just a phone 
system. The client for smart devices is very important and you are correct we 
do not need phones for all desks, may use Softphones on quite a few. We do not 
really care much for video and web conferencing, however we are planning to use 
the Desktop sharing.

__
Stefan Jafs

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Frank Ress
Sent: March 26, 2014 12:20 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: How much to implement a Cisco telephone implementation

Depends on a lot of considerations that you don’t mention.  Are you an 
Outlook/Exchange shop?  How much value is there in unified messaging and the 
features that go with it (e.g. voice-to-text and vice versa)?

Do you even WANT desk sets? (We’re looking at the same migration, and intend to 
almost completely move to soft phones and headsets.)  It’s not either-or, you 
can save a lot with soft phones, but use desk sets where you’d like.

What about web and video conferencing?  Again, that’s one of the attractive 
features to us in a Lync solution.  We could do more self-hosting for these 
services.

We looked at Cisco several years ago, when we first entertained our PBX 
replacement.  They didn’t yet offer soft phones, and the Cisco desk sets were 
pretty expensive.  I have no idea how well they’d interoperate with the rest of 
a Microsoft environment today – and I don’t know how much you care.

We’re a fairly pure Windows/Exchange/SQL Server/Sharepoint/Office environment.  
Lync fits well.  I just wish that I had a budget.  Unfortunately, management 
usually perceives this as a pure voice play, and it’s anything but these days.

Frank Ress

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Stefan Jafs
Sent: Wednesday, March 26, 2014 10:35 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] How much to implement a Cisco telephone implementation

We are looking at replacing our old Nortel BCM 450 for about 275 users.
The shortlist is Cisco and Microsoft Lync. We are leaning towards Cisco a bit 
more expensive but also only 1 vendor (the President likes the “hardware” 
platform, even though Cisco runs with VM’s).
Anyhow implementation is about $66k (Lync is about $56k), to me that sounds 
like about twice too much, has anyone done a similar implementation, and / 
or is it a fair price? And we would do the placement of the phones ourselves.

__
Stefan Jafs

[NTSysADM] RE: How much to implement a Cisco telephone implementation

2014-03-26 Thread Brian Desmond
This is a services figure or hardware/licensing or?



Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Stefan Jafs
Sent: Wednesday, March 26, 2014 10:35 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] How much to implement a Cisco telephone implementation

We are looking at replacing our old Nortel BCM 450 for about 275 users.
The shortlist is Cisco and Microsoft Lync. We are leaning towards Cisco a bit 
more expensive but also only 1 vendor (the President likes the hardware 
platform, even though Cisco runs with VM's).
Anyhow implementation is about $66k (Lync is about $56k), to me that sounds 
like about twice too much, has anyone done a similar implementation, and / 
or is it a fair price? And we would do the placement of the phones ourselves.

__
Stefan Jafs




[NTSysADM] RE: How much to implement a Cisco telephone implementation

2014-03-26 Thread Brian Desmond
That number sounds pretty reasonable to me. I'm not sure what the vendor's 
rates are, but assuming one FTE is working on it:

@ $150 = 11 weeks
@ $175 = 9.5 weeks
@ $200 = 8.25 weeks

You're looking at 2 - 3 months there to get this done from start to finish. If, 
say they have 1.5 people working on this full time then you're looking at 1 - 2 
months of time.



Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Stefan Jafs
Sent: Wednesday, March 26, 2014 1:17 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: How much to implement a Cisco telephone implementation

No equipment and licenses = $145k, with 5 years SmartNet and Implementation is 
$66k

__
Stefan Jafs

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Brian Desmond
Sent: March 26, 2014 2:13 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: How much to implement a Cisco telephone implementation

This is a services figure or hardware/licensing or?



Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Stefan Jafs
Sent: Wednesday, March 26, 2014 10:35 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] How much to implement a Cisco telephone implementation

We are looking at replacing our old Nortel BCM 450 for about 275 users.
The shortlist is Cisco and Microsoft Lync. We are leaning towards Cisco a bit 
more expensive but also only 1 vendor (the President likes the hardware 
platform, even though Cisco runs with VM's).
Anyhow implementation is about $66k (Lync is about $56k), to me that sounds 
like about twice too much, has anyone done a similar implementation, and / 
or is it a fair price? And we would do the placement of the phones ourselves.

__
Stefan Jafs




RE: [NTSysADM] gotchas on adding 2012 r2 DC to a 2008 r2 domain??

2014-03-24 Thread Brian Desmond
The wizard runs it for you when you promote the first uplevel DC - the steps 
still exist. IIRC the manual process is still available if you want to break it 
apart.



Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Webster
Sent: Monday, March 24, 2014 12:28 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] gotchas on adding 2012 r2 DC to a 2008 r2 domain??


No longer necessary when adding a 2012 R2 DC.





Webster



From: listsad...@lists.myitforum.com on behalf of Richard Stovall rich...@gmail.com
Sent: Monday, March 24, 2014 12:23 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] gotchas on adding 2012 r2 DC to a 2008 r2 domain??

Don't forget about domainprep and forestprep.  Might want to do this ahead of 
time to let the schema changes replicate to all your existing DCs.

On Mon, Mar 24, 2014 at 1:16 PM, David McSpadden 
dav...@imcu.com wrote:
Any tools or gotchas that anyone has for adding a 2012 r2 DC to a 2008 r2 
domain would be awesome.
Thanks
David McSpadden


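Richard's point about letting the schema changes replicate before promoting the new DC is the one worth checking rather than assuming. The following is an added example, not something posted in the thread: it reads the schema version from every existing DC individually, so a replica that has not yet received the forestprep change shows up, and prints the functional levels. It assumes the ActiveDirectory RSAT module and an account that can read the schema partition; the value 69 is the published schema objectVersion for Windows Server 2012 R2.

```powershell
# Added example, not from the thread: before promoting the first Windows Server
# 2012 R2 DC into a 2008 R2 domain, confirm the schema extension (adprep
# /forestprep) has reached every existing DC and that functional levels allow
# the new DC. Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

# Schema objectVersion published by Microsoft for Windows Server 2012 R2.
$required = 69

$schemaDn = (Get-ADRootDSE).schemaNamingContext
$dcs      = Get-ADDomainController -Filter *

foreach ($dc in $dcs) {
    # Query each DC directly so a replica that has not yet received the change is visible.
    $obj = Get-ADObject -Identity $schemaDn -Server $dc.HostName -Properties objectVersion
    $ver = $obj.objectVersion
    $status = if ($ver -ge $required) { 'schema ready' } else { 'run adprep /forestprep, or wait for replication' }
    '{0,-35} objectVersion={1,-3} {2}' -f $dc.HostName, $ver, $status

    # Inbound replication health for the same DC; a stale LastReplicationSuccess
    # explains why one DC still reports the old schema version.
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult
}

# A 2012 R2 DC requires forest and domain functional level Windows Server 2003 or higher.
$forest = Get-ADForest
$domain = Get-ADDomain
'Forest level: {0}   Domain level: {1}' -f $forest.ForestMode, $domain.DomainMode
```

Run it once before the promotion and once after; the domainprep part that Brian mentions is handled by the promotion wizard, but the schema version and replication state are what you want to see converge on every DC first.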



RE: [NTSysADM] FIM 2010 R2 SP1 in 2003 domain?

2014-03-18 Thread Brian Desmond
It will work just fine.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Tuesday, March 18, 2014 9:31 AM
To: NTSysADM@lists.myitforum.com
Subject: [NTSysADM] FIM 2010 R2 SP1 in 2003 domain?

Any FIM experts out there today?

Looking to stand up FIM for directory synchronization to Office 365. Is there 
any requirement for the DFL or FFL that the FIM infrastructure is a member of? 
Currently we are 2003, and just want to make sure that 2008 is not a 
requirement for the DFL/FFL.

Thanks

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com




- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.

RE: [NTSysADM] Making user accounts members of Guests

2014-03-16 Thread Brian Desmond
Adding Domain Users is a hammer solution - there's no out for a one off. I'd 
create some AD groups for this even if you temporarily nest domain users in the 
AD group, you can change who is in scope later without reconfiguring any 
images, templates, etc.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Sunday, March 16, 2014 9:30 AM
To: NTSysADM@lists.myitforum.com
Subject: [NTSysADM] Making user accounts members of Guests

We generally configure a lot of our implementations where we like to use a 
local profile (for reasons of certificates, and also to avoid storing template 
profiles on the network), but we like the profile to be discarded at logoff 
time as we use third-party software for saving profile settings. Previously we 
used to do this by spoofing a temporary profile - when the user logs off, we 
edit the Registry key that tells Windows what the profile type is, changing it 
to temporary so that the OS flushes the profile when the user logs off.

However - I could just do this by making all users members of the Guests group, 
as Guest profiles are automatically flushed at logoff too (unless they're 
Administrators).

So, my question is - are there any possible unforeseen side-effects from making 
all my Domain Users members of the local Guests group on all my XenApp servers?

Cheers,



--
James Rankin
-
RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization 
Practice Analyst - Desktop Virtualization
http://appsensebigot.blogspot.co.uk



RE: [NTSysADM] DNS for Domain Controllers

2014-03-05 Thread Brian Desmond
You could do that or make the children point at each other as well - they'll 
have forwarders to the parents on them and you might as well replicate the root 
domain DNS zone to all DCs also.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of CSSU NetAdmin
Sent: Wednesday, March 5, 2014 9:16 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] DNS for Domain Controllers

We have a Win 2008 AD forest.  Two DC's are at the parent level and two at the 
child level.  It isn't clear to us what the DNS entries should be the AD 
controllers.  Should the children point to the parents and the parents to each 
other?
Thanks for your help.

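The layout Brian describes (child DCs pointing at each other, forwarders to the root-domain DCs, and the root zone replicated forest-wide) can be scripted. The block below is an added example, not from the thread; it assumes the DnsServer and DnsClient modules of Windows Server 2012 RSAT or later (on 2008 R2 itself the same settings are made with dnscmd or the DNS console), and the host names, addresses, zone name and adapter alias are placeholders.

```powershell
# Added example, not from the thread: DNS client and server settings for a
# two-level forest. Requires DnsServer/DnsClient modules (Server 2012 RSAT+).
# All names and addresses below are placeholders for the example.
$childDcs  = @{ 'CHILD-DC1' = '10.1.0.10'; 'CHILD-DC2' = '10.1.0.11' }
$parentDcs = @('10.0.0.10', '10.0.0.11')
$rootZone  = 'corp.example'   # forest root domain zone
$parentDc  = 'ROOT-DC1'

foreach ($name in $childDcs.Keys) {
    # Each child DC lists its peer first and itself last, so no DC depends only on itself.
    $peer    = $childDcs.GetEnumerator() | Where-Object Key -ne $name | ForEach-Object Value
    $servers = @($peer) + $childDcs[$name]
    Invoke-Command -ComputerName $name -ScriptBlock {
        Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $using:servers
    }
    # Anything the child DC cannot answer from its own zones goes to the root-domain DCs.
    Set-DnsServerForwarder -ComputerName $name -IPAddress $parentDcs
}

# Make the root zone replicate to every DC in the forest, so child DCs answer
# root-domain names (including the _msdcs SRV records) without forwarding.
Set-DnsServerPrimaryZone -ComputerName $parentDc -Name $rootZone -ReplicationScope Forest

# Verify: each child DC should now resolve the forest root's DC locator records itself.
foreach ($name in $childDcs.Keys) {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$rootZone" -Type SRV -Server $childDcs[$name] |
        Select-Object Name, NameTarget, Port
}
```

The verification step is the part to keep: a child DC that can only reach the forest root through a forwarder will fail logons and replication the moment the parent DCs are unreachable, which is exactly what replicating the root zone forest-wide avoids.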


RE: [NTSysADM] Spoolsv issue

2014-02-13 Thread Brian Desmond
Use Process Monitor to get a file system trace when the problem repros and see 
what it's looking for - assuming the error isn't completely misleading, which 
it could be.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Cameron Cooper
Sent: Thursday, February 13, 2014 12:54 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Spoolsv issue

Checked and the spool folder is in the right location on the cluster storage.

When the resources have failed over to the secondary node, the server name and 
disk drives show an Online status except the Print Spooler Service shows an 
Offline status.

On the Nodes, Storage and Network tabs everything is online on the secondary 
node.

Here's what is in the cluster events (the events below only appear on the 
secondary node):


-  Cluster resource 'Print Spooler' in clustered service or application 
'appPS' failed.  Event ID: 1069

-  The Cluster service failed to bring clustered service or application 
'appPS' completely online or offline. One or more resources may be in a failed 
state. This may impact the availability of the clustered service or 
application.  Event ID: 1205


Cameron

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Miller Bonnie L.
Sent: Thursday, February 13, 2014 12:18 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Spoolsv issue

No, that is the correct location for the spoolsvc.exe file.  I was referring to 
the actual folder for spooling files to and where the drivers go, which should 
be on the shared storage that fails over.  In failover cluster manager, expand 
your cluster name, services and applications, then click on your virtual print 
server name on the left.  On the right, where you see the print spooler 
service, if you right-click and choose properties you will see the spool folder 
location.

In that same area (viewing the resources), is anything else showing as offline? 
 If you go to the storage or networks tabs, anything offline there for the 
problem node?  Any recent cluster events?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Cameron Cooper
Sent: Thursday, February 13, 2014 9:09 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Spoolsv issue

The cluster setup isn't new, but the secondary node was just replaced less than 
7 months ago.  When the new secondary node was put in place, all the resources 
would failover from one node to the other and vice versa.

The service does start on the primary node when the resources are brought back 
online on that node.

For the DAS (sorry for the mis-type there... been a long several days) we have 
is a Dell MD3000.

The file server is what we use for all our network drives for sharing between 
users, which is separate from the storage that the print server uses (although 
on the same DAS unit).

The file the print spooler is looking for on both cluster nodes  is located in 
the following location: %systemroot%\system32.  Should this be different?

Cameron

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Miller Bonnie L.
Sent: Thursday, February 13, 2014 10:47 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Spoolsv issue

Is this a brand new setup that has never worked, or was working prior to the 
last failover?  Does the service start again on the primary node?

We have a failover cluster WS08 R2 just for printing, connected to Dell 
Equallogic for the iscsi SAN, so somewhat similar.  I'm not sure what you're 
using for your SAN storage, but the spool folder associated with the cluster is 
relocated on a shared SAN storage drive, so it moves during the failover-can't 
tell if that's what you mean by knowing the File server is online on the 
secondary node?

-Bonnie

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Cameron Cooper
Sent: Thursday, February 13, 2014 3:45 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Spoolsv issue

From what I've read in the setting up a clustered print server (from MS), 
LocalSystem is stated.

To compare, I've looked at the Print Spooler service on the primary node and 
it's set to LocalSystem.

'That's a weird one' I agree.


Cameron


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of James Rankin
Sent: Thursday, February 13, 2014 5:14 AM
To: ntsysadm@lists.myitforum.com

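Before reaching for a Process Monitor trace, it is worth pulling the cluster's own view of the spooler resource and the two events Cameron quoted from the failing node in one place. This is an added example, not from the thread; it assumes the FailoverClusters module on a machine that can manage the cluster, and uses the role name 'appPS' from the thread with a placeholder node name.

```powershell
# Added example, not from the thread: state of the clustered Print Spooler
# role, its configured parameters (the spool folder Bonnie pointed at), and the
# cluster events 1069/1205 from the node where the failover fails.
Import-Module FailoverClusters

$role = 'appPS'    # clustered service/application name from the thread
$node = 'NODE2'    # placeholder: the secondary node that reports the failure

# Every resource in the role, with state and current owner. A spooler resource
# left in Failed state with the disk and name Online points at the service itself.
Get-ClusterResource -Cluster $node | Where-Object OwnerGroup -eq $role |
    Select-Object Name, ResourceType, State, OwnerNode

# Private properties of the spooler resource, including the spool directory it
# expects to find on the shared disk.
Get-ClusterResource -Cluster $node -Name 'Print Spooler' | Get-ClusterParameter

# The events Cameron saw, read from the System log of the failing node only.
Get-WinEvent -ComputerName $node -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-FailoverClustering'
    Id           = 1069, 1205
    StartTime    = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, MachineName, Message
```

If the parameter output shows a spool directory on the shared disk and the disk is Online on the secondary node, Brian's suggestion stands: the spooler is failing on something outside the cluster's view, and a file-system trace on that node is the next step.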
RE: [NTSysADM] NLB on Server 2012 R2

2014-02-07 Thread Brian Desmond
I'd do a search on HyperV NLB - there's a bunch of stuff you have to do to make 
this work.



Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Friday, February 7, 2014 2:51 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] NLB on Server 2012 R2

It's on Hyper-V, I believe. I read that you need two NICs for unicast, so I've 
got the server admins to add a second NIC which I am now going to configure.
I was stopping IIS and expecting it to failover, but that appears to be out of 
scope for NLB, as far as I can tell from this discourse. I will try disabling 
it in NLB Manager, as rebooting brings it back too quickly to tell if it's 
failed over or not, and I don't have access to Hyper-V to shut it down.
I am assuming that although it can't do intelligent failover, it does do 
intelligent load balancing - i.e. it will route connections to the server with 
the least load?

Cheers,


JR


On 6 February 2014 23:54, Ken Schaefer k...@kj.net.au wrote:
How are you stopping the server? If you're turning it off, or disabling in 
NLB manager, and everything stops working, then I don't think your cluster's 
working properly. Everything's just going to node 1

Are you running this in VMs? If so, you may need to do some extra steps to get 
multicast to work.

Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of James Rankin
Sent: Friday, 7 February 2014 1:54 AM
To: NTSysADM@lists.myitforum.com
Subject: [NTSysADM] NLB on Server 2012 R2

Anyone had any luck with configuring this? Must admit, I am an NLB-noob, so 
I've probably done something wrong
Trying to configure an NLB cluster for an IIS-based app on Server 2012 R2.
Got two servers with the IIS app, Server1 and Server2
Configured an NLB cluster to load balance these called Cluster1
When both servers are up, everything seems to work fine. However, when I stop 
IIS on Server1, connecting to the Cluster1 DNS name just returns page cannot 
be found. It's as if it always tries to connect to the original one it 
connected to.
I can connect to http://Server1/app and http://Server2/app just fine.
I can connect to http://Cluster1/app fine as long as both servers are up.
If I shut down Server1, I can no longer connect to http://Cluster1/app
What obvious thing should I be checking? There's not an awful lot of options to 
try with NLB - switching to Multicast seems to stop it working altogether :-(
I've also messed with various bits of IIS but given that both servers accept 
connections I don't really think it's related to that.
Give me a NetScaler any day over NLB!
TIA,



JRR

--
James Rankin
-
RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization 
Practice Analyst - Desktop Virtualization
http://appsensebigot.blogspot.co.uk



--
James Rankin
-
RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization 
Practice Analyst - Desktop Virtualization
http://appsensebigot.blogspot.co.uk

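Two things the thread circles around can be checked directly: taking a node out of the cluster without rebooting it (Ken's point that stopping IIS is not a cluster event), and the Hyper-V side that Brian alludes to. The block below is an added example, not from the thread. It uses the Cluster1/Server1 names from James's post and assumes the NetworkLoadBalancingClusters module on a cluster host and the Hyper-V module on the virtualization host; the VM adapter name is a placeholder. The MAC address spoofing requirement for unicast NLB guests on Hyper-V is a known platform requirement, not something stated in the thread.

```powershell
# Added example, not from the thread. Part 1 runs on an NLB node; part 2 on
# the Hyper-V host. Names are from the thread, the adapter name is a placeholder.
Import-Module NetworkLoadBalancingClusters

$cluster = 'Cluster1'
$node    = 'Server1'

# Drain existing connections (up to 60 s), then stop the node. Requests to the
# Cluster1 name should now be answered by Server2 alone; this is the test that
# stopping IIS on Server1 never performs, because NLB does not watch IIS.
Stop-NlbClusterNode -HostName $node -Drain -Timeout 60
Get-NlbClusterNode -HostName $cluster | Select-Object Name, State, HostPriority

# Put the node back when the test is done.
Start-NlbClusterNode -HostName $node

# Part 2, on the Hyper-V host: unicast NLB rewrites the guest's MAC address,
# which the virtual switch drops unless spoofing is allowed on that adapter.
Get-VMNetworkAdapter -VMName 'Server1' -Name 'NLB' |
    Set-VMNetworkAdapter -MacAddressSpoofing On
Get-VMNetworkAdapter -VMName 'Server1' -Name 'NLB' |
    Select-Object VMName, Name, MacAddressSpoofing
```

On James's last question: Windows NLB maps each client to a node by hashing the client address and port across the current membership; it measures neither server load nor whether the application is up. Health checking and least-load routing are precisely what a load balancer such as the NetScaler he mentions adds, so a node that has IIS stopped but is still in the cluster keeps receiving its share of connections.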


RE: [NTSysADM] OT: Issue/Hardware/Inventory Tracking

2014-02-04 Thread Brian Desmond
You probably want some sort of hosted asset management solution. A cloud based 
CMDB with the ability to link tickets to the CIs would work too.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sam Cayze
Sent: Tuesday, February 4, 2014 1:29 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] OT: Issue/Hardware/Inventory Tracking

Finally got myself a long-term side gig!  Received lots of good advice from you 
guys that helped.

Been at it for a few months.
The company is having a terrible time tracking their non-pc hardware 
nationwide, and I'd like to set them up on a solution that would alleviate 
that.  (Which is above and beyond my scope of just managing the hardware).  But 
they really need it.

There has to be some sort of Inventory or HD software than can help.  I'm not 
really looking for a ticketing solution, although I could see how a ticketing 
solution might also have what I am looking for...

In a nutshell:
They have about 50 pieces of hardware.
About 20 franchise locations.
Hardware breaks, it gets shipped to me to fix, and then shipped somewhere (Not 
always the same location).

What needs tracking:
Issue tracking/history
Location history, Current location

I've been doing this in a shared Google Docs spreadsheet, but it's not cutting 
it.  In this day in age, I know there has to be a cloud solution that offers 
this perfectly.

Any ideas welcome.  Using your recommendations in addition to my own 
searching...

Thanks,
Sam



RE: [NTSysADM] AD FS question

2014-02-03 Thread Brian Desmond
ADFS only natively supports AuthN to AD. If you want to do your AuthN with 
something else, you have to federate ADFS with an IDP that does that piece for 
you. Thinktecture’s (free) IdentityServer is often the tool of choice for that.



Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Monday, February 3, 2014 9:52 AM
To: NTSysADM@lists.myitforum.com
Subject: [NTSysADM] AD FS question

We currently use PingFederate for all SSO SAML connections. I like it, it works 
really well, but we are paying for it. I'd like to begin the process of 
investigating AD FS as a possible replacement. I've never actually used AD FS, 
but have read the documentation. My question is in regards to directory 
repositories for authentication. Primarily we use LDAP authentication for 
access to SaaS applications. Going through IBM WebSeal for the authentication, 
which then passes it to PingFederate for the creation of the assertion, using 
LDAP properties to populate the SAML_Subject. Can you do this with AD FS? Can 
the front end authentication be LDAP, not AD? Since the IdP system isn't doing 
the authentication anyway, I don't think it should matter.  Anyone else doing 
something similar with it?

Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

www.guardianlife.com





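What Brian's answer looks like in practice, as an added example rather than anything posted in the thread: the external IdP (IdentityServer in his suggestion) is registered on AD FS as a claims provider trust from its federation metadata, the incoming name identifier is passed through so it can populate the SAML subject, and the SaaS relying party is restricted to that provider so users are never sent to the built-in Active Directory authentication for it. It assumes an AD FS 2012 R2 server with the ADFS module; the IdP name, metadata URL and relying-party name are placeholders.

```powershell
# Added example, not from the thread: federate AD FS with an external IdP that
# performs the LDAP authentication, so AD FS only issues the SAML assertion.
# Assumes AD FS 2012 R2. Names and URLs are placeholders.
Import-Module ADFS

$idpName = 'IdentityServer'
$idpMeta = 'https://idsrv.example.com/FederationMetadata/2007-06/FederationMetadata.xml'
$rpName  = 'SaaS App'

# Register the external IdP from its published metadata (signing cert, endpoints).
Add-AdfsClaimsProviderTrust -Name $idpName -MetadataUrl $idpMeta

# Accept the name identifier the IdP asserts and pass it through unchanged;
# everything not matched by an acceptance rule is dropped at this boundary.
$rules = @'
@RuleName = "Pass through name identifier"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName $idpName -AcceptanceTransformRules $rules

# Home-realm selection: users of this relying party go only to the external IdP,
# so the AD FS "Active Directory" provider is not offered for it.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @($idpName)

Get-AdfsClaimsProviderTrust -Name $idpName | Select-Object Name, Enabled, Identifier
```

The acceptance rules are the control point worth reviewing: AD FS will re-issue whatever the external IdP asserts and those rules allow, so keep them to the claims the SaaS application actually needs rather than a pass-through of everything.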
RE: [NTSysADM] Active Directory Login ID alias

2014-02-03 Thread Brian Desmond
You have sAMAccountName and userPrincipalName to work with. You can use xxx 
for the former, and first.l...@domain.com for the 
latter.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Todd Lemmiksoo
Sent: Monday, February 3, 2014 1:37 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Active Directory Login ID alias

Is it possible to have an alias Login ID for a user in AD? In other words can a 
user have  and first.l...@domain.com as 
their network Login ID at the same time.
This question has come up for a new product bought by my company that only 
takes first.l...@domain.com for its login. Management 
has asked can't you give everyone an alias.

--
T. Todd Lemmiksoo


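Brian's answer, scripted: the sAMAccountName stays as it is and each user additionally gets a first.last UPN, which is the form the new product expects. This is an added example, not from the thread; it assumes the ActiveDirectory module, uses domain.com from the thread as a placeholder suffix, and runs with -WhatIf so it reports the changes it would make without writing any.

```powershell
# Added example, not from the thread: give every enabled user a first.last
# UPN alongside the existing sAMAccountName. UPNs must be unique across the
# forest, so collisions are reported and skipped rather than overwritten.
Import-Module ActiveDirectory

$suffix = 'domain.com'   # placeholder suffix, as in the thread

# Register the suffix in the forest unless it is already a domain's DNS name.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix -and $forest.Domains -notcontains $suffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $suffix }
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties GivenName, Surname, UserPrincipalName
foreach ($u in $users) {
    if (-not $u.GivenName -or -not $u.Surname) { continue }   # nothing to build the alias from

    # Lower-case, and strip anything that is not a letter, digit or dot (spaces, apostrophes).
    $local = ('{0}.{1}' -f $u.GivenName, $u.Surname).ToLower() -replace '[^a-z0-9.]', ''
    $upn   = "$local@$suffix"
    if ($u.UserPrincipalName -eq $upn) { continue }

    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" |
        Where-Object DistinguishedName -ne $u.DistinguishedName
    if ($clash) {
        Write-Warning "$upn is already used by $($clash.SamAccountName); skipping $($u.SamAccountName)"
        continue
    }

    # Remove -WhatIf once the preview output has been reviewed.
    Set-ADUser -Identity $u -UserPrincipalName $upn -WhatIf
}
```

The existing short logon name keeps working after the change, since a user can sign in with either the sAMAccountName or the UPN; the collision check matters because two people with the same name would otherwise end up with one of them unable to log on via the UPN.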

RE: [NTSysADM] RE: IT resumes?

2014-01-31 Thread Brian Desmond
There’s a button right there on your profile screen in the free version.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, January 31, 2014 5:22 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: RE: [NTSysADM] RE: IT resumes?

Brian,

You had mentioned in an earlier post in this thread about the PDF export of 
your Linkedin.  How do you do that?  Is it something that you need a 
subscription for, or does the free version allow it?

Thanks

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Brian Desmond
Sent: Thursday, January 23, 2014 10:03 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: IT resumes?

Weird. First thing I do when I get a resume or a candidate is look them up on 
LinkedIn.

I do like some sort of piece of paper whether it’s a LinkedIn printout or a 
resume – I’ve got a whole stack on my desk covered in notes from the hiring 
exercise I’m doing right now.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of David Lum
Sent: Thursday, January 23, 2014 12:00 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: IT resumes?

Since I recently went through a job hunt and replacement myself, I can tell you 
I was on DICE and MONSTER and INDEED like a hound (yes  a lot show the same 
thing) as well as the Oregon Employment website. I have been on LinkedIn for a 
long time as well.

Resume’s landed my new job.  Sent six, got four calls, interviews with two 
companies (a third would have happened but they guessed rightly that their 
salary range was too low) and landed one fine job.

My manager here explicitly does NOT look at LinkedIn before interviewing in 
person (other than resume she wants her first impression to be in person) - 
which I find odd, but it shows there are some like that out there.

Dave

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Ziots, Edward
Sent: Thursday, January 23, 2014 8:50 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: IT resumes?

Honestly, I think anymore with the emergence of Linked In that a lot of 
professionals are getting noticed more for positions than what the resume is 
providing. Especially I am using mine as a way to demonstrate my work and 
professional affiliations with groups ( ISC, ISACA, CEH etc etc, along with 
displaying the technical presentations I have put on)

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-255-2497


This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Michael B. Smith
Sent: Thursday, January 23, 2014 10:46 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: IT resumes?

I was about to say… resume? What’s a resume?

I wrote one for a gig a few years ago (which you and I discussed Web) that I 
didn’t end up taking… otherwise it’s pretty much word of mouth and other social 
interactions. What we used to call “networking”. ☺ Before we had “social 
graphs” and “work graphs” blah blah blah. ☺

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Webster
Sent: Thursday, January 23, 2014 10:37 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: IT resumes?

I always tell people my most current resume is LinkedIn.  I keep that 
up-to-date as I complete a worthy project, certification, course, speaking gig, 
etc.  I may be lucky (or fortunate) but I rarely get asked for a resume any 
more.  I get most gigs nowadays via networking, my blog, Twitter, LinkedIn and 
Facebook.  Only cold callers ask for a resume now.

RE: [NTSysADM] IT resumes?

2014-01-23 Thread Brian Desmond
Other thing I’d add – that giant list of technical buzzwords under “Skills” 
that some people do – put it in the back. It’s search engine fodder for the job 
sites, not interesting to me taking half the first page. When people assert 
skills in dozens of things, I usually just start picking things and asking 
questions – usually doesn’t turn out well for the candidate because spelling a 
buzzword != knowing anything about it.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Thursday, January 23, 2014 8:28 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] IT resumes?

I agree with Brian, the format hasn't changed, but then again I see a lot 
of variance in formatting styles. If you are looking for recommendations, here 
are some things I'll point out:

Have your address listed (want to know if you are a local candidate or not)
Omit the Summary/Goals at the beginning of the resume; this can be covered 
during an interview
List dates for work experience (i.e., from 10/2005 to 4/2013). Wide gaps are 
acceptable, but be prepared to discuss them; it will be asked.
In work experience list detailed accomplishments, not topics. For example, I 
would prefer to see something like this:

Developed SCCM Task Sequences to update system files across 15 sites.

Instead of this:

Managed SCCM

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com


The Guardian Life Insurance Company of America

http://www.guardianlife.com/


From: Mathew Shember mathew.shem...@synopsys.com
To: ntsysadm@lists.myitforum.com
Date: 01/22/2014 11:24 PM
Subject: [NTSysADM] IT resumes?
Sent by: listsad...@lists.myitforum.com

An odd question to ask the group.

But what do resumes look like these days?

I haven’t had to use one for my last 2 jobs and was wondering if they have 
changed in format or style.

Thanks!

This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.

RE: [NTSysADM] RE: IT resumes?

2014-01-23 Thread Brian Desmond
If you fill all that stuff in on LinkedIn also, the recruiter tools (I have an 
account) let you filter in a really granular manner (as opposed to just keyword 
searches). I’ve consistently gotten better candidates off LinkedIn than any of 
the legacy job sites.

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Greene
Sent: Thursday, January 23, 2014 9:31 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: IT resumes?

Yes, I was going to say … many people seem to use LinkedIn as an ongoing public 
resume … includes job history, education, skills, etc. Seems pretty complete.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian Desmond
Sent: Thursday, January 23, 2014 9:05 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: IT resumes?

They all look about the same to me. Some people just submit the PDF export from 
LinkedIn I’m finding, which works just fine for me.



Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Mathew Shember
Sent: Wednesday, January 22, 2014 10:23 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] IT resumes?

An odd question to ask the group.

But what do resumes look like these days?

I haven’t had to use one for my last 2 jobs and was wondering if they have 
changed in format or style.

Thanks!



[NTSysADM] RE: Auditing AD Security Group usage

2013-12-17 Thread Brian Desmond
No, there's no way to get that data out of AD. Groups are injected into your 
token at logon. The target device then looks at the token you present to do 
AuthZ.

You could turn on LDAP query logging and see if you can catch any LDAP 
integrated apps that do direct queries, but, that's only going to give you a 
slice of the answer and the data won't be real easy to consume.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Hill
Sent: Tuesday, December 17, 2013 3:59 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Auditing AD Security Group usage

I'm currently working in an AD environment that has been poorly documented.  In 
particular there are a large number of security groups whose usage is unknown.

We initially looked at the last modified attribute as that at least let us know 
about groups that are recently modified.  To find what they are actually used 
for does not appear to be a simple task.  We have used some other tools such as 
shareenum to check for security groups that are used for share permissions.

To try and simplify the process I'm wondering if it is possible to audit where 
specific group membership queries are coming from?  We could then investigate 
those devices etc. individually to see what they use the security group for.

Any other suggestions are welcome!

James.


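One way to work through Brian's LDAP query logging suggestion, as an added example that is not part of the thread: once the NTDS Diagnostics "15 Field Engineering" level is raised on a DC, it writes Directory Service event 1644 for each logged search, and the function below triages those events to list which clients sent searches that name a given group. The "Client:" / "Filter:" message layout and the three sample events are constructed assumptions for this example, not captured output.

```powershell
# Added example (not from the list thread): triage Directory Service event 1644
# messages and report which client addresses issued LDAP searches that reference
# a specific group DN. Event text layout below is an assumption.

function Get-GroupSearchClients {
    param(
        [Parameter(Mandatory)] [string[]] $EventMessages,   # message bodies of 1644 events
        [Parameter(Mandatory)] [string]   $GroupDn          # DN of the group under investigation
    )
    $hits = foreach ($msg in $EventMessages) {
        # Label and value may sit on one line or on consecutive lines; \s* spans either.
        $client = [regex]::Match($msg, 'Client:\s*(\S+)').Groups[1].Value
        $filter = [regex]::Match($msg, 'Filter:\s*(\S[^\r\n]*)').Groups[1].Value.Trim()
        # Any filter that names the DN counts (memberOf=, member=, distinguishedName=, ...)
        if ($client -and $filter.IndexOf($GroupDn, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{ ClientIp = ($client -split ':')[0]; Filter = $filter }  # drop the source port
        }
    }
    # One row per client, with the distinct filters it sent
    $hits | Group-Object -Property ClientIp | ForEach-Object {
        [pscustomobject]@{
            ClientIp = $_.Name
            Searches = $_.Count
            Filters  = @($_.Group.Filter | Sort-Object -Unique)
        }
    }
}

# Constructed sample events in the assumed 1644 layout
$ev1 = @"
Internal event: A client issued a search operation with the following options.
Client:
10.20.30.40:51234
Starting node:
DC=corp,DC=example
Filter:
(&(objectClass=user)(memberOf=CN=FS-Finance-RO,OU=Groups,DC=corp,DC=example))
Search scope:
subtree
"@
$ev2 = @"
Internal event: A client issued a search operation with the following options.
Client:
10.20.30.40:51240
Starting node:
CN=FS-Finance-RO,OU=Groups,DC=corp,DC=example
Filter:
(distinguishedName=CN=FS-Finance-RO,OU=Groups,DC=corp,DC=example)
Search scope:
base
"@
$ev3 = @"
Internal event: A client issued a search operation with the following options.
Client:
10.20.31.7:61002
Starting node:
DC=corp,DC=example
Filter:
(&(objectClass=group)(cn=Print-Admins))
Search scope:
subtree
"@

$group = 'CN=FS-Finance-RO,OU=Groups,DC=corp,DC=example'
# With real data, feed the message bodies from the DC's log instead of the samples:
#   Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=1644]]' |
#       Select-Object -ExpandProperty Message
Get-GroupSearchClients -EventMessages @($ev1, $ev2, $ev3) -GroupDn $group | Format-Table -AutoSize
```

The resulting client list is only the slice Brian describes (apps that query AD directly); the devices it names are where to look for what actually consumes the group.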

RE: [NTSysADM] Migrating from Infoblox to MS DNS General questions

2013-10-29 Thread Brian Desmond
I would find a way to do Option 2 for all your zones. 

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Don Kuhlman
Sent: Monday, October 28, 2013 1:49 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Migrating from Infoblox to MS DNS General questions

So here's what I came up with for the high level steps - Option 1 and Option 2 - 
thoughts or comments appreciated...

Thanks

I.  For DMZ DNS:
1)  Export the Blox zone to a flat file
2)  Modify as needed to MS formatted .dns file
3)  Create new MS zone as a non AD integrated primary – use file
4)  Clean up nameserver records
5)  Stop Blox services for test
6)  Test lookups/resolution against new ms dns
7)  Change needed firewall rules
8)  Point clients/servers/devices to new ms servers
9)  Checkout
10) Stop Infoblox dns.

II. For the internal stuff:
1)  Create 2ndaries on MS
2)  Do the zone xfers from Blox to MS
3)  Stop the Blox DNS services
4)  Test lookups on new ms zones
5)  Make MS zones the primaries
6)  Clean up nameserver records
7)  Test lookups to new zones
8)  Convert to AD integrated, etc.
9)  Test lookups to AD integrated servers
10) Point everything to new MS DNS
11) De-comm Blox



On Mon, 10/28/13, Don Kuhlman drkuhl...@yahoo.com wrote:

 Subject: RE: [NTSysADM] Migrating from Infoblox to MS DNS General questions
 To: ntsysadm@lists.myitforum.com
 Date: Monday, October 28, 2013, 1:16 PM
 
 Thanks much Ken!
 
 Don
 
 On Mon, 10/28/13, Ken Cornetet ken.corne...@kimball.com
 wrote:
 
  Subject: RE: [NTSysADM] Migrating from Infoblox to MS DNS  General questions
  To: ntsysadm@lists.myitforum.com
 ntsysadm@lists.myitforum.com
  Date: Monday, October 28, 2013, 1:08 PM
  
  That's exactly how we did our
  infoblox to MS DNS migration. Set up secondaries on the MS
  side, shut down the infoblox, then convert the MS zones to
  primaries. IIRC, you can't go directly to AD integrated -
  you have to make them primaries first, then AD integrated
  (if that is what you want). Clean up the nameserver
  records.
  
  -Original Message-
  From: listsad...@lists.myitforum.com
  [mailto:listsad...@lists.myitforum.com]
  On Behalf Of Don Kuhlman
  Sent: Monday, October 28, 2013 1:52 PM
  To: ntsysadm@lists.myitforum.com
  Subject: [NTSysADM] Migrating from Infoblox to MS DNS
  General questions
  
  Hi folks. Happy almost Halloween!
  
  I had some generic questions for anyone that may have worked
  on an Infoblox to Microsoft DHCP/DNS migration.
  
  From what I've found reading the doc and googling, you can
  export the Infoblox dns info to a flat file, then use that
  to import into MS DNS, which I thought would be a good
  method for a DMZ configuration.
  
  I also read that you could just set up a new zone in MS as a
  2ndary, then do a zone transfer from the Blox appliance to
  the MS 2ndary zone, confirm it all moved over, make the MS
  primary, point everything to the MS server, then decomm the
  Blox and manage MS from there.
  
  Are there any gotchas for those that have in this scenario?
  
  For example, are there any types of Blox DNS records that MS
  doesn't support from a pure DNS point of view?
  
  Any gotchas on leaving the Blox Grid type of setup to MS ?
  
  Thanks,
  
  Don K
  

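Don's Option 2 (the one Brian recommends for all zones) driven from the DnsServer PowerShell module, as an added example that is neither Don's nor the list's own code. It keeps Ken's ordering as separate steps (secondary, then file-backed primary, then AD-integrated) and puts a lookup test between the steps so a zone that never transferred is not converted. The server names, zone names, the Infoblox address and the NS names are placeholders.

```powershell
# Added example, not from the thread: Don's "Option 2" scripted with the DnsServer
# module (Windows Server 2012 or later), run on the new Microsoft DNS server.
# Every name and address below is a placeholder.
$BloxMaster  = '192.0.2.10'                                        # Infoblox member serving the zones
$MsDns       = 'msdns01.corp.example'                              # this Microsoft DNS server
$Zones       = @('corp.example', '10.in-addr.arpa')                # zones to move
$BloxNsNames = @('blox01.corp.example.', 'blox02.corp.example.')   # NS records to retire
$ProbeNames  = @{ 'corp.example' = 'dc01.corp.example' }           # a known A record per zone

function Wait-ZoneTransferred {
    # Step II.2: the Blox side must permit AXFR to this server. Poll until the SOA is
    # readable locally and refuse to go further for a zone that never transferred.
    param([string]$Zone, [int]$TimeoutSec = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $soa = Get-DnsServerResourceRecord -ZoneName $Zone -RRType SOA -ErrorAction SilentlyContinue
        if ($soa) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Test-ZoneLookup {
    # Steps II.4, II.7, II.9: resolve a known name against $Server; while a reference
    # server (Blox) is still up, the two answers must also agree.
    param([string]$Name, [string]$Server, [string]$Reference)
    $new = @((Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop).IPAddress)
    if ($new.Count -eq 0) { throw "No A record for $Name from $Server" }
    if ($Reference) {
        $old = @((Resolve-DnsName -Name $Name -Type A -Server $Reference -ErrorAction Stop).IPAddress)
        if (Compare-Object $new $old) { throw "Answer for $Name differs between $Server and $Reference" }
    }
}

foreach ($zone in $Zones) {
    # II.1 and II.2: secondary on MS pulling from Blox, then a forced full transfer
    Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $BloxMaster
    Start-DnsServerZoneTransfer -Name $zone -FullTransfer
    if (-not (Wait-ZoneTransferred -Zone $zone)) { throw "Zone $zone never transferred from $BloxMaster" }
    # Compare the secondary's answers with the master's while both are live
    if ($ProbeNames[$zone]) { Test-ZoneLookup -Name $ProbeNames[$zone] -Server $MsDns -Reference $BloxMaster }
}

# II.3 happens on the appliance; nothing below depends on Blox answering any more.
Read-Host 'Stop the Infoblox DNS service now, then press Enter'

foreach ($zone in $Zones) {
    # II.4: lookups must still work from the secondary copy with the master gone
    if ($ProbeNames[$zone]) { Test-ZoneLookup -Name $ProbeNames[$zone] -Server $MsDns }

    # II.5: file-backed primary first (Ken's note: no direct hop to AD-integrated)
    ConvertTo-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -Force

    # II.6: drop NS records that still name the Infoblox members
    Get-DnsServerResourceRecord -ZoneName $zone -RRType NS |
        Where-Object { $BloxNsNames -contains $_.RecordData.NameServer } |
        ForEach-Object {
            Remove-DnsServerResourceRecord -ZoneName $zone -RRType NS -Name $_.HostName `
                -RecordData $_.RecordData.NameServer -Force
        }
    if ($ProbeNames[$zone]) { Test-ZoneLookup -Name $ProbeNames[$zone] -Server $MsDns }   # II.7

    # II.8: second hop, file-backed primary to AD-integrated; II.9: verify
    ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force
    $final = Get-DnsServerZone -Name $zone
    if (-not $final.IsDsIntegrated) { throw "Zone $zone is not AD-integrated after conversion" }
    if ($ProbeNames[$zone]) { Test-ZoneLookup -Name $ProbeNames[$zone] -Server $MsDns }
}
# II.10 and II.11 (repointing clients, decommissioning Blox) remain manual steps.
```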
RE: [NTSysADM] Technical authoring

2013-10-17 Thread Brian Desmond
+1 on Amazon.

What's the draw for the book approach? Do you think you can sell enough copies 
to make it worthwhile? I'd tend to agree with Rod that you're probably not 
going to.

I'd disagree on the advice to just start writing and see what happens. You're 
going to end up rewriting I would expect. Make an outline, figure out what you 
want to talk about, and then start filling in the outline.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Rod Trent
Sent: Wednesday, October 16, 2013 5:29 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Technical authoring

Google's publishing arm?  Why not Amazon?

Are you looking to profit from it? Or, just create a resource? If you're 
looking to make money, there's no money to be made anymore in writing 
conventional books.

A good friend of mine, David Stein, writes books through the Amazon process. I 
can connect you if interested...

http://www.amazon.com/David-M.-Stein/e/B006BHXOFE/ref=sr_ntt_srch_lnk_1?qid=1381962349sr=8-1

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Rankin, James R
Sent: Wednesday, October 16, 2013 6:18 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Technical authoring

I'm going to do an administrator's guide for AppSense DesktopNow. There are no 
books on it in existence besides the product manual, and I get regular emails 
from admins asking if there is a book I can recommend to them. So I guess I've 
got a bit of demand for it.

I was going to use Google's publishing arm to publish it electronically first, 
and go from there...all advice around this is gratefully accepted.
Sent from my BlackBerry, which may make me an antiques dealer, but it's 
reliable as hell for email delivery :-)

From: Brian Desmond br...@briandesmond.com
Sender: listsad...@lists.myitforum.com
Date: Wed, 16 Oct 2013 21:48:17 +
To: ntsysadm@lists.myitforum.com
ReplyTo: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Technical authoring

I'd start with what are you planning to write about, who is going to buy it, 
and who is going to publish it?

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Wednesday, October 16, 2013 4:04 PM
To: NTSysADM@lists.myitforum.com
Subject: [NTSysADM] Technical authoring

I forgot to say thanks to everyone for the excellent help regarding public 
speaking a month or so ago...the event went well, although I now know I have a 
distressing tendency to lapse deeper into my native accent when under pressure, 
but I am at least aware of that now :-)

Anyways...my next project, now that my doctor has told me to drink less and 
sleep better, is to put together a technical book. So as with the public 
speaking, I am a total virgin in this arena as well...do any of the list 
members (obviously, particularly those with publications to their names) have 
any pearls of wisdom or resources or best practices to share? I'm a fairly 
accomplished writer - it's more layout, style, content, tips and hints I am 
after. I'm very quick at putting words down on paper so I'm hoping not to spend 
more than a few months on this, but I recognize this may be an unduly short 
period for a properly authored resource.

As always, the help of the list is greatly appreciated and of immense value.

Cheers,



JR

--
James Rankin
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk



RE: [NTSysADM] Technical authoring

2013-10-16 Thread Brian Desmond
I'd start with what are you planning to write about, who is going to buy it, 
and who is going to publish it?

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132



RE: [NTSysADM] Dedicated Management port on switches?

2013-10-15 Thread Brian Desmond
Dedicating one port per switch just to the management VLAN sounds incredibly 
expensive when you total up your port costs...

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Matthew W. Ross
Sent: Tuesday, October 15, 2013 2:09 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Dedicated Management port on switches?

That's what we're doing too.

We're just considering dedicating port 1 to the management vlan. It would be 
left unplugged 99% of the time, unless you wanted to get on it with a laptop to 
manage the switch.

I'm guessing most people don't do this, but I figured I'd ask.


--Matt Ross
Ephrata School District


- Original Message -
From: Glen Johnson
[mailto:gjohn...@vhcc.edu]
To: ntsysadm@lists.myitforum.com
[mailto:ntsysadm@lists.myitforum.com]
Sent: Tue, 15 Oct 2013 11:25:38
-0800
Subject: RE: [NTSysADM] Dedicated Management port on switches?


 Not sure if all switches work this way, but in Cisco land, we 
 configure the switch management on a separate vlan, no other traffic 
 allowed and only a few select machines can access the management vlan.
 So it doesn't require a dedicated physical port.  Serial/console port 
 is still an option if needed.
 
 -Original Message-
 From: listsad...@lists.myitforum.com 
 [mailto:listsad...@lists.myitforum.com]
 On Behalf Of Matthew W. Ross
 Sent: Tuesday, October 15, 2013 1:54 PM
 To: ntsysadm@lists.myitforum.com
 Subject: [NTSysADM] Dedicated Management port on switches?
 
 Quick question, do you guys dedicate a port on your switches on the 
 management vlan? Or do you just use serial connections if you need 
 such local access?
 
 
 --Matt Ross
 Ephrata School District
 
 
 

[NTSysADM] RE: OT: Job Search

2013-10-03 Thread Brian Desmond
LinkedIn

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, October 3, 2013 11:43 AM
To: NTSysADM@lists.myITforum.com
Subject: [NTSysADM] OT: Job Search

What sites/tools/resources do you guys use to look for jobs?  I'm looking to 
possibly make a huge move, out of CA, and need tips/advice on this sort of 
thing.

Thanks,

Joe Heaton



RE: [NTSysADM] 2.5 SATA converter to USB

2013-09-25 Thread Brian Desmond
Go on NewEgg and look at the reviews? That's usually how I buy random computer 
parts.



Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jon Harris
Sent: Wednesday, September 25, 2013 8:01 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] 2.5 SATA converter to USB

Anyone have a recommendation for which one/type to get?  Any companies to stay 
away from?  Amazon must have more than 50 different models/companies to choose 
from.

2.5 SATA laptop drive is what I am looking to pull data off of before sending 
the machine in for service.

Thanks,

Jon



RE: [NTSysADM] Change control....GPO

2013-09-21 Thread Brian Desmond
+1. I've seen this pivot in highly regulated environments: where the GPO affects 
a controlled asset/system, it's much more rigid.


Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of William Robbins
Sent: Friday, September 20, 2013 10:08 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Change control....GPO

Most of the environments I've worked in treat GPOs depending on level of 
impact.  Domain-wide, go to Change Control processes.  OU level requires the 
manager for that OU's sign-off.  GPOs making maintenance changes with low risk 
are treated the same as user account creation.  HD Ticket or similar to track 
request and work.


 - WJR

On Fri, Sep 20, 2013 at 9:55 PM, David Lum 
david@nwea.org wrote:
For you guys with a pretty well defined change control process - are 
incremental GPO changes (in this case we have a GPO that controls IE's trusted 
sites, I want to add enable auto logon with current credentials for sites in 
trusted sites) reviewed by people before the change? I'm thinking in larger 
environments it might be submitted by one person, reviewed and approved by 
another but not necessarily held until a formal change request meeting is 
convened?

Normally I'd just whip this change out, but I need to think about the 
accountability process in general.
David Lum
Sr. Systems Engineer // NWEA™
Office 503.548.5229





[NTSysADM] RE: System process 100% CPU 08r2

2013-09-20 Thread Brian Desmond
I'm not sure why you would disable this.

What version of Windows is the file server running? 

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of N Parr
Sent: Friday, September 20, 2013 7:41 AM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] RE: System process 100% CPU 08r2

Following up with some results and another question.  I added a second CPU; it 
helped but didn't solve the problem.  After some more digging with Process 
Explorer it seems the culprit is the SMB 2.0 driver.  It's chewing up the CPU 
but only with my Win7 clients.  This article suggests that in mixed client 
environments you try disabling SMB 2 on the server and clients.  Haven't done it 
yet.  Anyone else experience issues related to the SMB 2 driver?  It would 
explain why my Win XP clients don't experience the same issues as my Win 7.
http://www.petri.co.il/how-to-disable-smb-2-on-windows-vista-or-server-2008.htm#


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian Desmond
Sent: Monday, September 16, 2013 3:35 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: System process 100% CPU 08r2

Capturing a dump of the system when the problem is occurring or collecting an 
xperf trace would be my approaches to start. 

1 CPU is not really a great setup here.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of N Parr
Sent: Monday, September 16, 2013 3:07 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] RE: System process 100% CPU 08r2

Only questions I didn't already answer are 
~100 sessions
5 shares
Virtual (same config as other file servers that don't experience this)
1 CPU

Something else to add is I am snapping for previous file versions but CPU 
spikes never seem to coincide. I tend to agree it's something with the NIC 
because when System is spiking the CPU it's also the process with the highest 
network activity.  And then it's only 2-4% utilization.  There's not much I can 
do about that other than change the NIC type of the VM, but again it's using 
the same virtual adapter as my other file servers.


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jesse Rink
Sent: Monday, September 16, 2013 2:45 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: System process 100% CPU 08r2

what version OS is the server?  nothing at all running on it other than a 
couple folder shares?  how many users are hitting the box?  how often is the 
spiking occurring?  is it a virtual or physical box?  how many cpu's or vcpus? 
have you tried updating the NIC driver on the server?  does the cpu spike 
settle down on its own after awhile or do you have to reboot the client(s) 
and/or server?

Just thinking out loud...



From: listsad...@lists.myitforum.com [listsad...@lists.myitforum.com] on behalf 
of N Parr [npar...@mortonind.com]
Sent: Monday, September 16, 2013 2:24 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] System process 100% CPU 08r2

I've been troubleshooting this for months now and I'm not getting anywhere but 
more confused.  I have one file server that keeps spiking the system service at 
random times.  Nothing else is running on the server, no AV or other apps.  
When this happens my win7 clients trying to access files on that server will 
come to a screeching halt.  That's the really strange part, my XP clients keep 
working like nothing is wrong.  I've done all the troubleshooting I can find 
for this problem, it's very hard to narrow down exactly what's causing the 
system process to spike.  I noticed that one of the win7 clients in 
particular was moving a lot of data (receiving .5 MB/sec steady) but they had 
no apps running off the server, weren't searching, search service was turned 
off.  But on that client it was the system service that was receiving the 
data from that server.  I rebooted the client and the server cpu immediately 
went back to normal.  My googling can't find anything that links the two 
together.  Just hoping someone else has encountered this.  Both client and 
server are patched but this has been going on for a long time, at least the 
last couple years.
Thanks




[NTSysADM] RE: System process 100% CPU 08r2

2013-09-20 Thread Brian Desmond
Yeah it sounds like your issue is probably the files you're storing. There are 
KBs out there that have tuning settings for the SMB stack on the server side 
that often help here.

I'd also validate the perf of the storage that's backing this share. 

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of N Parr
Sent: Friday, September 20, 2013 9:04 AM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] RE: System process 100% CPU 08r2

I'm not either, that's why I'm asking.
08R2
I already experimented with disabling it on my Win7 client and 2 others that 
have problems, not the server.  Now, according to Resource Monitor, instead of 
reading at 500KB/sec from the server I'm reading at 15MB/sec and I wasn't 
causing the CPU to spike like I did before.  The other two workstations I 
disabled it on also seem to have stopped having/causing issues.  There is a 
shared app that uses Access DBs and the CPU spikes almost always revolve 
around that app, when they are trying to do specific functions like filtering, 
saving, etc.  But again, Win XP clients with this app never experience or cause 
this to happen.  I'll have to watch it through the day and see if things keep 
behaving.  Could be related to the KB Phil mentioned since pst and mdb files 
could both cause the same issue.
Thanks


[NTSysADM] RE: System process 100% CPU 08r2

2013-09-16 Thread Brian Desmond
Capturing a dump of the system when the problem is occurring or collecting an 
xperf trace would be my approaches to start. 

1 CPU is not really a great setup here.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of N Parr
Sent: Monday, September 16, 2013 3:07 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] RE: System process 100% CPU 08r2

Only questions I didn't already answer are 
~100 sessions
5 shares
Virtual (same config as other file servers that don't experience this)
1 CPU

Something else to add is I am snapping for previous file versions but CPU 
spikes never seem to coincide.I tend to agree it's something with the NIC 
because when System is spiking the CPU it's also the process with the highest 
network activity.  And then it's only 2-4% utilization.  There's not much I can 
do about that other than change the NIC type of the VM, but again it's using 
the same virtual adapter as my other file servers.


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jesse Rink
Sent: Monday, September 16, 2013 2:45 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: System process 100% CPU 08r2

what version OS is the server?  nothing at all running on it other than a 
couple folder shares?   how many users are hitting the box?  how often is the 
spiking occuring?   is it a virtual or physical box?   how many cpu's or vcpus? 
   have you tried updating the NIC driver on the server?  does the cpu spike 
settle down on its own after awhile or do you have to reboot the client(s) 
and/or server?  

Just thinking out loud...



From: listsad...@lists.myitforum.com [listsad...@lists.myitforum.com] on behalf 
of N Parr [npar...@mortonind.com]
Sent: Monday, September 16, 2013 2:24 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] System process 100% CPU 08r2

I've been troubleshooting this for months now and I'm not getting anywhere but 
more confused.  I have one file server that keeps spiking the system service at 
random times.  Nothing else is running on the server, no AV or other apps.  
When this happens my win7 clients trying to access files on that server will 
come to a screeching halt.  That's the really strange part, my XP clients keep 
working like nothing is wrong.  I've done all the troubleshooting I can find 
for this problem, it's very hard to narrow down exactly what's causing the 
system process to spike.  I noticed that one of the win7 clients in 
particular was moving a lot of data (receiving .5 MB/sec steady) but they had 
no apps running off the server, weren't searching, search service was turned 
off.  But on that client it was the system service that was receiving the 
data from that server.  I rebooted the client and the server cpu immediately 
went back to normal.  My googling can't find anything that links the two 
together.  Just hoping someone else has encountered this.  Both client and 
server are patched but this has been going on for a long time, at least the 
last couple years.
Thanks
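An added example, written for this thread rather than posted by anyone on it: a PowerShell sampler that records the System process's CPU share together with NIC throughput whenever CPU crosses a threshold, so a spike can be timed against which client was moving data at that moment. The threshold, interval and log path are assumed values; the counter paths are standard Windows performance counters.

```powershell
# Added example, not from the thread. Logs samples where the System process
# exceeds a CPU threshold, alongside total NIC bytes/sec, for later correlation
# with client activity. Threshold, interval and log path are assumptions.
param(
    [int]$ThresholdPercent = 80,
    [int]$IntervalSeconds  = 5,
    [string]$LogPath       = "$env:TEMP\system-cpu-spikes.csv"
)

# Process counters report percent of a single core, so normalise by the core
# count (the server in the thread had 1 vCPU, where this is a no-op).
$cores = (Get-WmiObject Win32_ComputerSystem).NumberOfLogicalProcessors
$paths = @(
    '\Process(System)\% Processor Time',
    '\Network Interface(*)\Bytes Total/sec'
)

if (-not (Test-Path $LogPath)) {
    'Timestamp,SystemCpuPercent,NicBytesPerSec' | Set-Content -Path $LogPath
}

while ($true) {
    $sample  = Get-Counter -Counter $paths
    $samples = $sample.CounterSamples
    # Counter paths come back lower-cased and machine-prefixed; match loosely.
    $cpu = ($samples | Where-Object { $_.Path -like '*\process(system)\*' } |
            Select-Object -First 1).CookedValue / $cores
    # Sum every adapter instance; a single virtual NIC is the common case.
    $nic = ($samples | Where-Object { $_.Path -like '*\network interface(*' } |
            Measure-Object -Property CookedValue -Sum).Sum
    if ($cpu -ge $ThresholdPercent) {
        $line = '{0:o},{1:N1},{2:N0}' -f $sample.Timestamp, $cpu, $nic
        Add-Content -Path $LogPath -Value $line
        Write-Warning ("System process at {0:N1}% CPU with {1:N0} B/s on the NIC" -f $cpu, $nic)
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Leave it running in a console on the file server; the CSV timestamps can then be matched against the client whose System process was pulling data at the same moment, which is the correlation the thread was trying to make by hand.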


RE: [NTSysADM] OT: Speaking in public

2013-09-12 Thread Brian Desmond
+1



Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Wednesday, September 11, 2013 4:53 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] OT: Speaking in public

+1

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Rod Trent
Sent: Wednesday, September 11, 2013 5:14 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] OT: Speaking in public

I use Camtasia studio. It's pricey, but worth it.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of kz2...@googlemail.com
Sent: Wednesday, September 11, 2013 5:07 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] OT: Speaking in public

Actually, while I'm on, what's a good piece of software for capturing videos of 
my lab screens that I can embed into my presentation?
Sent from my Blackberry, which may be an antique but delivers email RELIABLY

From: Kevin Lundy klu...@gmail.com
Sender: listsad...@lists.myitforum.com
Date: Wed, 11 Sep 2013 17:02:38 -0400
To: NTSysADM@lists.myITforum.com
ReplyTo: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] OT: Speaking in public

You don't want to remember lines.  The audience knows when you are reading to 
them, even if the reading is memorized.

The trick I used for that is never writing full sentences in my notes.  Just a 
keyword or two to remind you what the next topic is supposed to be.

On Wed, Sep 11, 2013 at 4:54 PM, kz2...@googlemail.com wrote:
Thanks guys for all the input, it is very much appreciated.

I'm only supposed to be on for 15-20 mins.

What bothers me the most is trying to remember my lines (although I guess the 
PowerPoint slides will make good prompts) and the possibility of getting some 
left-field questions at the end.

All the advice has been excellent so far, plenty of good pointers for me to go 
to work on.

Cheers,


JR


Sent from my Blackberry, which may be an antique but delivers email RELIABLY
-Original Message-
From: Kurt Buff kurt.b...@gmail.com
Sender: listsadmin@lists.myitforum.com
Date: Wed, 11 Sep 2013 13:45:15
To: ntsysadm@lists.myitforum.com
Reply-to: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] OT: Speaking in public

How long is your presentation supposed to last? If it's relatively
short, 10-20 minutes, give your talk to a neighborhood 10 year old - or
your own, if you have one. If you can keep that audience interested,
you a) know your subject and b) know how to work an audience.

Videotaping yourself and critiquing it is decent advice, too.

Webster's advice is pretty good too.

Don't practice in the mirror - it's not worth it.

Do not speak from your notes by rote - they'll know, and be bored.

Kurt

PS You only need one beer, but it should be 24oz of a good Belgian
style quadrupel, roughly 10% by volume. :)



On Wed, Sep 11, 2013 at 1:17 PM, kz2...@googlemail.com wrote:
 Next week, against my better judgement, I'm doing my first ever bit of 
 technical presentation in front of an audience...and because my submission 
 was apparently different and interesting, I'm going on last out of six 
 presenters :-(

 Just wondering if anyone on the list (particularly the conference veterans) 
 have any tips or hints to share around this sort of thing (besides having 
 about five or six beers first)? I'm not a natural public speaker or 
 limelight-seeker, I write much better than I talk :-(

 All input appreciated!


 JR


 Sent from my Blackberry, which may be an antique but delivers email RELIABLY
