RE: [NTSysADM] RE: Persisting access to an Azure shared folder

2017-03-17 Thread Stephen Gestwicki
I doubt it would be this simple but could you just set up your service to have a 
Delayed Start?

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Friday, March 17, 2017 12:46 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: Persisting access to an Azure shared folder

OK, the problem with this seems to be timing.

Running a "cmdkey" command at logon allows the user access to the Azure share, 
but by then my service has already tried and failed to connect. So unless I can 
delay that action, I'm kinda snookered here. Either that or find some way to 
run the cmdkey command ridiculously early in the logon process, but even using 
tooling like AppSense this seems to be impossible.

Adding the credentials to the system default profile also seems to be a 
non-starter - the username for the share seems to persist, but the password is 
still prompted for. I'm thinking that stored password credentials are somehow 
hashed for or tied to the originating user, which to be honest I'd expect, 
otherwise credential theft would be incredibly easy.

Think I'm going to write this one off as unachievable in the present state - 
thanks all for suggestions.


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: 17 March 2017 14:04
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: Persisting access to an Azure shared folder


I did try Group Policy with the delay set to 0, but it didn't manage to get in 
soon enough. However I didn't configure any of the other settings, let me give 
that a try.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Stephen Gestwicki
Sent: 17 March 2017 13:49
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: Persisting access to an Azure shared folder


* You can use Group Policy to change the logon script delay but that 
only applies to Server 2012 R2+ and Windows 8.1+.

o   Computer Configuration > Policies > Administrative Templates > System > 
Group Policy > Configure Logon Script Delay = Enabled and set to 0 minutes

* You can also try having the computer always wait for the network.

o   Computer Configuration > Policies > Administrative Templates > System > 
Logon > Always wait for the network at computer startup and logon = Enabled

* Another thing you can try is forcing each script to finish before 
allowing Group Policy to move on.

o   Computer Configuration > Policies > Administrative Templates > System > 
Scripts > Run startup scripts asynchronously = Disabled

Those settings may give you a shot at having Group Policy run the script first 
but they will also slow down your logins.


* I also like applying these settings to a test OU so I can see what is 
going on during my tests:

o   Computer Configuration > Policies > Administrative Templates > System > 
Display highly detailed status messages = Enabled

o   Computer Configuration > Policies > Administrative Templates > System > 
Scripts > Display instructions in shutdown scripts as they run = Enabled

-  Warning: users can close out your script before it finishes.

o   Computer Configuration > Policies > Administrative Templates > System > 
Scripts > Display instructions in startup scripts as they run = Enabled

-  Warning: users can close out your script before it finishes.

I hope that helps.

- Stephen

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Friday, March 17, 2017 6:37 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: Persisting access to an Azure shared folder

Given Windows post-XP tendency to delay logon scripts, etc., I would fully 
expect that the scheduled task route would run earlier than a logon script. 
Whether it would run soon enough remains to be tested, but in my experience they 
seem to run first before anything else I've found.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Friday, March 17, 2017 12:18 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: Persisting access to an Azure sh

RE: [NTSysADM] RE: Persisting access to an Azure shared folder

2017-03-17 Thread Stephen Gestwicki
* You can use Group Policy to change the logon script delay but that 
only applies to Server 2012 R2+ and Windows 8.1+.

o   Computer Configuration > Policies > Administrative Templates > System > 
Group Policy > Configure Logon Script Delay = Enabled and set to 0 minutes

* You can also try having the computer always wait for the network.

o   Computer Configuration > Policies > Administrative Templates > System > 
Logon > Always wait for the network at computer startup and logon = Enabled

* Another thing you can try is forcing each script to finish before 
allowing Group Policy to move on.

o   Computer Configuration > Policies > Administrative Templates > System > 
Scripts > Run startup scripts asynchronously = Disabled

Those settings may give you a shot at having Group Policy run the script first 
but they will also slow down your logins.


* I also like applying these settings to a test OU so I can see what is 
going on during my tests:

o   Computer Configuration > Policies > Administrative Templates > System > 
Display highly detailed status messages = Enabled

o   Computer Configuration > Policies > Administrative Templates > System > 
Scripts > Display instructions in shutdown scripts as they run = Enabled

-  Warning: users can close out your script before it finishes.

o   Computer Configuration > Policies > Administrative Templates > System > 
Scripts > Display instructions in startup scripts as they run = Enabled

-  Warning: users can close out your script before it finishes.

I hope that helps.

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Friday, March 17, 2017 6:37 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: Persisting access to an Azure shared folder

Given Windows post-XP tendency to delay logon scripts, etc., I would fully 
expect that the scheduled task route would run earlier than a logon script. 
Whether it would run soon enough remains to be tested, but in my experience they 
seem to run first before anything else I've found.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Friday, March 17, 2017 12:18 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: Persisting access to an Azure shared folder

It needs to run in the user context, so it would have to be at logon. I wonder 
if a task would run earlier? Could be worth a bash...

Sent from my slightly schizophrenic, but rather cool, BlackBerry Android
From: kurt.b...@gmail.com
Sent: 17 March 2017 12:40 a.m.
To: ntsysadm@lists.myitforum.com
Reply to: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: Persisting access to an Azure shared folder


Scheduled task at startup?

Kurt

On Thu, Mar 16, 2017 at 3:48 PM, James Rankin wrote:
That's what I've been trying, but the net use command, when run at logon, 
doesn't execute early enough to get in "ahead" of the write to the share, sadly.

In order to get it done for new users was the rationale around seeing if I 
could get it in the default profile, but unfortunately sysprep seems to remove 
saved passwords (although not usernames, oddly)

So net use works, but somehow I need to get it to execute earlier than seems 
possible at the moment, hence trying to think of a different approach...

Sent from my slightly schizophrenic, but rather cool, BlackBerry Android
From: mich...@smithcons.com
Sent: 16 March 2017 10:44 p.m.
To: ntsysadm@lists.myitforum.com
Reply to: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Persisting access to an Azure shared folder


I'm not saying that there isn't a better solution... and I'd love to know one.

But I've had people executing the "net use /persist" from a batch file (or 
sending around an intern to do it).

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of James Rankin
Sent: Thursday, March 16, 2017 3:39 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Persisting access to an Azure shared folder

I have a shared folder set up in Azure which can be mapped via SMB. You can 
access this by a "net use" command which specifies a username and password.

However I want all of my users to be able to write out to this share, but I 
need the access to be available from quite early in the logon process (I'm 
writing some user-specific configuration files out to the 

RE: [NTSysADM] Fwd: Protecting from Ransomware

2017-02-15 Thread Stephen Gestwicki
I have never tried knowbe4.com so I cannot comment on that.

I just received a quote for Sophos Intercept X last month because I was 
interested in the ransomware protection. It does a lot more than just 
ransomware protection but the cost was way too high for me to justify.
Sophos Central Endpoint Intercept X - 1 Year Subscription *
Includes: [Windows] Malicious Traffic Detection, Synchronized Security 
Heartbeat, Exploit Prevention, Cryptoguard Ransomware Protection, Malware 
Activity Remediation, Threat Analysis. [Managed by Sophos Central].

I have heard of free ransomware protections but I have not had time to look 
into them yet so I don’t know if they can be used for business.
https://ransomfree.cybereason.com/
https://www.bitdefender.com/solutions/anti-ransomware-tool.html
https://go.kaspersky.com/Anti-ransomware-tool.html
https://blog.malwarebytes.com/malwarebytes-news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Stefan Jafs
Sent: Wednesday, February 15, 2017 3:41 PM
To: NTSysADM@lists.myitforum.com
Subject: [NTSysADM] Fwd: Protecting from Ransomware


https://www.knowbe4.com/

Do any of you use their service? Is it worthwhile? Looks like the proper way 
to educate users.

Also Sophos just came out with Intercept

Anyone have any experience / recommendations?

--
Stefan



--
Stefan Jafs


[NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread Stephen Gestwicki
You should be able to use Process Explorer to find that while running the VPN.

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx?f=255=-2147217396

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Thursday, October 13, 2016 10:30 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I've seen that, but as was pointed out in one of the articles I read, what 
executable do you assign that to? The offending process is a DLL.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:58 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I assume you probably read this already but just in case you haven't (pulled 
from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )

The route table updating via Cmroute in the CMAK package requires admin
privileges. Because of the introduction of UAC (User Account Control) in
Windows Vista, you need to run the CM profile with the cmroute custom action
from an admin user (user in administrative group and with UAC disabled) or
from an elevated cmd. If UAC is enabled then cmroute will ask for elevation.

If you do not want to receive the prompt, you may consider the following
options:

1. Refer to the following KB to disable UAC for the generated CMAK package.
2. Disable UAC on all Vista clients. (not the preferred practice)

How to disable the User Account Control Prompt for certain application
http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a-single-application.aspx


The steps to disable the User Account Control Prompt for certain
application:

1) Download and install the Application Compatibility Toolkit (link below).
2) Open the Compatibility Administrator application with elevated credentials.
3) In the left hand pane, right-click on the database under Custom Databases and select Create New Application Fix
4) Enter the name and other details of the application you want to alter behavior on and then browse to it to select it.
5) Click Next until you are in the Compatibility Fixes screen.
6) To prevent being prompted to elevate an application (which means that it will always use the less privileged credential to run) place a checkmark next to RunAsInvoker.
7) Click Next and then Finish.
8) Select File and Save As. Save the file as a filename.SDB type file in a directory you will easily find it.
9) Copy the .sdb file to the Vista computer you want to alter the elevation prompt behavior on.
10) Open an elevated command prompt.
11) Run the command (without the quotes, assuming you copied the file to the Windows directory on C: "sdbinst c:\windows\.sdb" and then press enter.

Microsoft Application Compatibility Toolkit 5.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-B45E-492DD6DA2971=en

More info on the other options you have in altering application launch
behavior are available at the URL below:

Application Compatibility Feature Guide
http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6.mspx

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:47
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

Budget for this is nil but I'll have a look and see.  The installation of the 
connectoid isn't the issue, it's all runtime when the user tries to connect to 
the VPN.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:15 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You can use privilege management tools like AppSense Application Manager, RES, 
Scense and the like to configure specific files that can run with elevated 
rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated 
privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks,

We've been working 

RE: [NTSysADM] persistent lies

2016-10-03 Thread Stephen Gestwicki
There was a Microsoft patch back in June that caused issues like this for some 
environments.
http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Micheal Espinola Jr
Sent: Friday, September 30, 2016 1:28 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] persistent lies

Have you verified that the 'Reconnect' setting is still selected?  Have you 
used Group Policy Results to verify its application?

--
Espi


On Fri, Sep 30, 2016 at 6:42 AM, Bill Humphries wrote:
I have a client that is windows 2008 domain and all client machines are windows 
7 64 bit.  Over the past month, it looks like any mapped drives (via GPO) have 
decided to no longer be persistent.  Any time a user boots up away off network, 
the drives do not appear.  No red exes, just missing.  As a few people work 
offsite very frequently this has become an issue.

I’m suspicious that some MS update for windows 7 has broken this persistence.  
Anyone have any insight into this behavior or suggestions for fixing?

Thanks.

Bill



[NTSysADM] RE: More PowerShell help

2016-08-31 Thread Stephen Gestwicki
The easiest way I have found without changing UAC settings was to create a 
small batch file that I right click on and select "Run as administrator".
This is the contents of my batch file:
@echo off
set ScriptDirectory=%~dp0
PowerShell -ExecutionPolicy Unrestricted -Command "&'%ScriptDirectory%\script name.ps1' -Verbose"

Another option would be to add your script as a function in a PowerShell 
profile.
https://technet.microsoft.com/en-us/library/bb613488(v=vs.85).aspx

I would love to know if someone has a better method.

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Wednesday, August 31, 2016 12:45 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] More PowerShell help

How can I get a PowerShell script to run with administrative privileges?

I have a configuration script I want to run on my Windows 10 machines, 
obviously it is going to be run by an admin user, but I want to just 
double-click the script and it runs with admin privileges. At the minute I have 
to launch PowerShell as an admin and then run the script directly - what's the 
best way to be able to do this with a simple double-click action?

Cheers,


James Rankin
EUC Solutions Architect | 07809 668579 | ja...@htguk.com
One Trinity Green, Eldon Street, South Shields, Tyne & Wear, NE33 1SA
Tel: 0191 481 3446
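
A self-elevating script header is another way to approach the question in this thread. This is an added example, not code posted by anyone on the list; the function name Test-IsElevated is hypothetical, and the script assumes Windows PowerShell 3.0 or later (for $PSCommandPath).

```powershell
# Added example (not from the thread): the script checks its own token and,
# if it is not elevated, relaunches itself through the normal UAC prompt.
[CmdletBinding()]
param()

function Test-IsElevated {
    # True only when the current process token carries the Administrators group
    # in an enabled state, i.e. the process was started elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # -ExecutionPolicy on the command line applies to the child process only;
    # the machine and user policy are left as they are. RemoteSigned still
    # refuses unsigned scripts that carry a downloaded-from-internet mark.
    $argList = @(
        '-NoProfile',
        '-ExecutionPolicy', 'RemoteSigned',
        '-File', "`"$PSCommandPath`""      # quoted so paths with spaces survive
    )
    if ($PSBoundParameters.ContainsKey('Verbose')) { $argList += '-Verbose' }

    try {
        # -Verb RunAs triggers the UAC consent/credential prompt.
        Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs -ErrorAction Stop
    }
    catch {
        # Raised when the prompt is declined or elevation is not permitted.
        Write-Error "Elevation was declined or failed: $($_.Exception.Message)"
        exit 1
    }
    exit 0   # the non-elevated instance has nothing further to do
}

# Only the elevated instance reaches this point.
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Verbose "Running elevated as $who"
Write-Output  "Elevated: $(Test-IsElevated)"
```

Double-clicking a .ps1 file opens it in an editor by default, so a one-line launcher is still needed for a double-click workflow, but it no longer has to be started with "Run as administrator".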




RE: [NTSysADM] Force sleep downside

2016-08-08 Thread Stephen Gestwicki
I think Google is giving you all those links for it just because it is much 
more common for people to disable sleep and hibernate than to enable it. It 
could be a convenience for them or it could be because CEOs around the world 
cannot wait the tens of seconds for their machine to wake up.

As for the disadvantages,
Hibernate will write the contents of memory to disk. Since everything running 
on a computer is in memory (that includes things like the private keys which 
can be used for decryption) it is best practice to disable hibernation when 
using full disk encryption. It is more important to disable (or better yet not 
even have) Direct Memory Access ports like thunderbolt.
Hibernate will also create a file that is the same size as the computer's 
memory which can cause space issues if the computer has a lot of RAM and a 
small SSD.
Sleep doesn't suffer from the above two issues but scenarios where a user signs 
into the VPN and then does a remote desktop connection to their work desktop 
can have problems with sleep and hibernate. WOL helps but you have to be able 
to connect to a running device on that network to send the magic packet and 
users may only have access to the VPN and their own box.

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of J- P
Sent: Sunday, August 07, 2016 12:41 PM
To: NT 
Subject: RE: [NTSysADM] Force sleep downside



I think I didn't explain my question properly,

While I agree with your comments, as a wise man once said "there are seldom 
good technological solutions to behavioral problems", (Ed Crowley) In this case 
though, I can do something.

 WOL will resolve the Remote Access issue, and I will update the portal page 
with a warning (however if they use the app on their phones they probably 
won't see it)

I do know how to apply the policy, my concern was why all hits/docs/articles 
were geared towards disabling it


thx





From: jcas...@activenetwerx.com
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Force sleep downside
Date: Sun, 7 Aug 2016 15:59:22 +
So if you force a machine to sleep, maybe you interrupt a process or prevent 
remote access to the pc.
My opinion is we are all consenting adults, if you break it, the pieces are 
yours to keep for free.

So if it were me, I'd post a warning on the reset portal or even raise a dialog 
of the consequences.

But back to your question, I am looking at a GPO where we set various aspects 
and I see behaviors for computer prefs for power options. You can state Sleep 
after x etc, does that not work for you?

My 2 cents,
jlc

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of J- P
Sent: Sunday, August 7, 2016 9:38 AM
To: NT >; 
jnat...@fcimail.org
Subject: [NTSysADM] Force sleep downside

Hi all,

We recently deployed ADSelfService  to give users the ability to reset, change 
passwords and unlock their account, we went to this after finally convincing 
"the powers that be" that password complexity and expiration  is a GOOD thing.

After a couple of users started complaining about "not being able to get in or 
unlock their account", one of the causes  turned out to be that they weren't 
logging off their office PC, and they were  changing their passwords via the 
ADSS portal.

So we've decided that if they can't learn to log off, we'll force the machines 
to sleep or hibernate to prevent this, which brings me to my question

Why is it that every time I look up "windows 7 sleep gpo" or any variation of that, 
all the hits explain how to DISABLE sleep or hibernate, is there a downside to 
forcing sleep or hibernation?

example;
https://www.google.com/#q=sleep+windows+7+gpo







RE: [NTSysADM] RE: PowerShell weaknesses

2016-06-27 Thread Stephen Gestwicki
Why don’t you use ADSI instead of installing RSAT on everyone’s computers?
http://stackoverflow.com/questions/10184052/get-a-users-email-address-from-the-username-via-powershell-and-wmi

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Monday, June 27, 2016 11:58 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: PowerShell weaknesses

Actually might be worth extending this debate slightly…

I’m trying to build Outlook signature files on the fly using AD attributes. So 
I basically need to grab certain AD attributes and set them as variables. This 
is not a problem.

However, as I am doing this at user first logon, I need to query the AD 
attributes in the context of the user. Get-ADUser is the cmdlet I’m using, but 
this is unavailable on my Windows 10 clients unless I install the RSAT. So…

Is there a way to programmatically install the RSAT feature on Windows 10 with 
the AD PowerShell stuff enabled? I’d rather not have to go back and create a 
new image.

I found Enable-WindowsOptionalFeature but don’t seem to be able to crack the 
right syntax for it…

Cheers,



JR

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Charles F Sullivan
Sent: 27 June 2016 16:29
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: PowerShell weaknesses

I was going to suggest:

Get-ADUser -identity jrankin -Properties mail

That will get you the defaults plus Mail.
I mention this because I find it easier to remember, though of course it’s a 
matter of preference.


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of James Rankin
Sent: Monday, June 27, 2016 10:41 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: PowerShell weaknesses

Doh!

Put it in brackets would be the thing I’m missing

(Get-ADUser -filter jrankin -Properties mail).mail

Never mind…. ☺


From: James Rankin
Sent: 27 June 2016 15:39
To: 'ntsysadm@lists.myitforum.com'
Subject: PowerShell weaknesses

How can I use Get-ADUser to query a single attribute for a specific user? If I 
use something like

Get-ADUser -filter jrankin -Properties mail

To query the email address in AD, I don’t just get that attribute returned, I 
get a bunch of default stuff too…

DistinguishedName : CN=James Rankin,OU=Desktop1,OU=Standard Users,OU=User 
Accounts,DC=JRR,DC=test,DC=local
Enabled   : True
GivenName : James
mail  : ja...@htguk.com
Name  : James Rankin
ObjectClass   : user
ObjectGUID: 694d15e1-d550-483a-8f21-cb7415f05342
SamAccountName: jrankin
SID   : S-1-5-21-2950944927-1203068717-1704750700-1114
Surname   : Rankin
UserPrincipalName : jran...@jrr.test.local

Am I missing something blatantly obvious here?

Cheers,


James Rankin
EUC Solutions Architect | 07809 668579 | ja...@htguk.com
One Trinity Green, Eldon Street, South Shields, Tyne & Wear, NE33 1SA
Tel: 0191 481 3446
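
The ADSI route suggested at the top of this message, as an added example that is not part of the original thread: it reads a user's attributes with the built-in [adsisearcher] accelerator, so no RSAT is needed and the query runs in the logged-on user's context. The function names and the default attribute list are hypothetical, and a domain-joined machine is assumed.

```powershell
# Added example (not from the thread). Function names are hypothetical.

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special inside an LDAP search filter
    # (RFC 4515) so that a user-supplied name cannot change the filter logic.
    param([Parameter(Mandatory = $true)][string]$Value)
    return [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-AdAttributesViaAdsi {
    param(
        [string]$SamAccountName = $env:USERNAME,
        [string[]]$Attributes   = @('mail', 'displayName', 'title', 'telephoneNumber')
    )

    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f
              (ConvertTo-LdapFilterValue -Value $SamAccountName)

    # Casting a string to [adsisearcher] builds a DirectorySearcher rooted at
    # the current user's domain, bound with the current user's credentials.
    $searcher = [adsisearcher]$filter
    $searcher.PropertiesToLoad.AddRange($Attributes)   # fetch only what is needed
    $searcher.SizeLimit = 2                            # enough to detect ambiguity

    $hits = $null
    try {
        $hits = $searcher.FindAll()
        if ($hits.Count -ne 1) {
            throw "Expected exactly one account for '$SamAccountName', found $($hits.Count)."
        }

        $props  = $hits[0].Properties
        $result = [ordered]@{}
        foreach ($name in $Attributes) {
            # Result property names are stored in lower case.
            $values = $props[$name.ToLower()]
            $result[$name] = if ($values -and $values.Count -gt 0) { [string]$values[0] } else { $null }
        }
        [pscustomobject]$result
    }
    finally {
        # SearchResultCollection holds unmanaged resources until disposed.
        if ($null -ne $hits) { $hits.Dispose() }
        $searcher.Dispose()
    }
}

# Usage at first logon, e.g. to fill signature variables:
#   $me = Get-AdAttributesViaAdsi
#   $me.mail
```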



[NTSysADM] RE: PowerShell weaknesses

2016-06-27 Thread Stephen Gestwicki
Another option which to me is more readable for someone that doesn't know 
PowerShell is:
Get-ADUser -Identity jrankin -Properties mail | Select-Object -ExpandProperty mail

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Monday, June 27, 2016 10:41 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: PowerShell weaknesses

Doh!

Put it in brackets would be the thing I'm missing

(Get-ADUser -filter jrankin -Properties mail).mail

Never mind :)


From: James Rankin
Sent: 27 June 2016 15:39
To: 'ntsysadm@lists.myitforum.com'
Subject: PowerShell weaknesses

How can I use Get-ADUser to query a single attribute for a specific user? If I 
use something like

Get-ADUser -filter jrankin -Properties mail

To query the email address in AD, I don't just get that attribute returned, I 
get a bunch of default stuff too...

DistinguishedName : CN=James Rankin,OU=Desktop1,OU=Standard Users,OU=User 
Accounts,DC=JRR,DC=test,DC=local
Enabled   : True
GivenName : James
mail  : ja...@htguk.com
Name  : James Rankin
ObjectClass   : user
ObjectGUID: 694d15e1-d550-483a-8f21-cb7415f05342
SamAccountName: jrankin
SID   : S-1-5-21-2950944927-1203068717-1704750700-1114
Surname   : Rankin
UserPrincipalName : jran...@jrr.test.local

Am I missing something blatantly obvious here?

Cheers,


James Rankin
EUC Solutions Architect | 07809 668579 | ja...@htguk.com
One Trinity Green, Eldon Street, South Shields, Tyne & Wear, NE33 1SA
Tel: 0191 481 3446




[NTSysADM] RE: Owned by Crypz

2016-06-15 Thread Stephen Gestwicki
Crypto ransomware can still run if the user does not have administrative 
rights. It will stop the ransomware from messing with volume shadow copies and 
some other things but it will still be able to encrypt any file the user can 
write to.

Keeping all software (particularly the internet touching software like web 
browsers, flash, and email clients) fully up to date really helps. Application 
whitelisting is the best solution that I know of for stopping all kinds of 
malware. Just make sure you haven't left software out of date by blocking 
updaters.

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Wednesday, June 15, 2016 10:11 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Owned by Crypz

So is flash updated/uninstalled, Java up to date, macros disabled, virusscan 
up to date, local admin rights disabled?
How are the three clients all installing and executing the crypz after it has 
been allowed admin access to the pc?


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kelsey, John
Sent: Wednesday, June 15, 2016 10:00 AM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] RE: Owned by Crypz

One was a URL in an email that was obvious spam, but the user thought she 
really did sign up for the Womens Justice League of America..

One appears to have come from a website, and the other is unknown..the user 
hasn't fessed up to any specific activity.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Wolf, Daniel
Sent: Tuesday, June 14, 2016 1:39 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Owned by Crypz


What's the infection vector? What are people doing to get it?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kelsey, John
Sent: Tuesday, June 14, 2016 12:30 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] Owned by Crypz

Anybody else getting crushed by the Crypz virus/ransomware?  We've been hit 3 
times in the last 3 days.  Our Sophos email appliance isn't catching it, nor is 
the Sophos endpoint software..or our Cisco FireSight...or any other products we 
have on the perimeter.  :/

***
John C. Kelsey
Penn Highlands Healthcare
*:  814.375.3073
*  :   814.375.4005
*:   jckel...@phhealthcare.org
***


This email and any attached files are sensitive in nature and intended solely 
for the intended recipient(s). If you are not the named recipient you should 
not read, distribute, copy or alter this email. Any views or opinions expressed 
in this email are those of the author and do not represent those of Penn 
Highlands Healthcare or its affiliates.. Warning: Although precautions have 
been taken to make sure no viruses are present in this email, the company 
cannot accept responsibility for any loss or damage that arise from the use of 
this email or attachments.


RE: [NTSysADM] RE: End user data - local, cloud, home directories, and OneDrive, Oh my!

2016-06-02 Thread Stephen Gestwicki
I agree with Art. He makes a VERY good point about syncing site libraries from 
SharePoint.

The part you may be missing is that the NGSC allows you to do a selective sync. 
You could create a "Local files" folder and only sync that for users with more 
space used in their OneDrive folder than they have on their local hard drive. I 
also think that you are going to have to work out a similar solution for those 
users no matter what cloud storage you use.

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Art DeKneef
Sent: Wednesday, June 01, 2016 6:11 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: End user data - local, cloud, home directories, and 
OneDrive, Oh my!

I think you're missing a lot.

What Office365 plan do you have? That makes a difference to some of your points 
below, like archiving.

You moved your project data to SharePoint included with your Office 365 plan? 
Are you using site libraries and want to sync those libraries? If so, then you 
still need to use the old One Drive for Business client (that's called 
groove.exe). The new One Drive for Business client is called OneDrive.exe.

What exactly are you trying to achieve with your end user data? At one point 
you talk about all of it being stored on One Drive for Business. Another point 
you say you can't do that because of some OneDrive limitation on hard drive 
size.

Where have you got the information that One Drive for Business is limited to 
the space on a user's hard drive? You get 1 TB of space per user on OneDrive 
with any Office 365 business or enterprise subscription. That's not limited to 
hard drive size. Now if you are trying to sync all the user data, then that 
will cause the issue you mention. But it doesn't appear to be clear to me.

Do these mobile users, or the people with limited hard drive space, need access 
to all the data all the time? If so, then you have a problem. You and them are 
going to have to make some hard choices on what gets synced and what doesn't. 
Also, how are you planning to make sure that their data is saved to OneDrive 
for Business?

How are you planning to back up all this user data on OneDrive?

Art

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jonathan Raper
Sent: Wednesday, June 1, 2016 10:05 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: End user data - local, cloud, home directories, and 
OneDrive, Oh my!

Thanks Stephen,

We're actually still testing and not officially supporting the use of it 
because Microsoft keeps changing it up and promising new features/functionality 
with the next release (yes, I know that's what we bought into with O365, 
but like I said in my original post, it (OneDrive for Business) still feels not 
quite fully baked). We have worked with the NGSC, and it fixes a lot, but we 
still end up with the quandary of data on the endpoint versus data on a server 
share/home directory (or external hard drive). Some of our users simply don't 
have enough local space on their hard drive to store everything.

And the way I understand it, the storage on One Drive for Business is still 
limited to the amount of space you have on your local machine, even with the 
Next Gen Sync Client. So, if you have 500 Gigs of data and your local drive is 
only 250, you can't put everything on OneDrive, which in my opinion defeats the 
purpose.

Or am I missing something?

Thanks,

Jonathan

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Stephen Gestwicki
Sent: Monday, May 30, 2016 1:04 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: End user data - local, cloud, home directories, and 
OneDrive, Oh my!

It sounds to me like you are not using the OneDrive for Business Next 
Generation Sync Client 
<https://support.office.com/en-us/article/Get-started-with-the-OneDrive-for-Business-Next-Generation-Sync-Client-in-Windows-615391c4-2bd3-4aae-a42a-858262e42a49> 
that came out a couple months ago. Microsoft based that version on the 
consumer OneDrive client and fixed just about all the issues people were having 
with the old business client. It still may not be the best solution for you but 
I think you should see if you are using the older client.

- Stephen

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jonathan Raper
Sent: Friday, May 27, 2016 11:24 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] End user data - local, cloud, home directories, and 
OneDrive, Oh my!

Hi all,

We've made a lot of strides to consolidate and streamline our i

[NTSysADM] RE: End user data - local, cloud, home directories, and OneDrive, Oh my!

2016-05-30 Thread Stephen Gestwicki
It sounds to me like you are not using the OneDrive for Business Next 
Generation Sync Client that came out a couple months ago. Microsoft based 
that version on the 
consumer OneDrive client and fixed just about all the issues people were having 
with the old business client. It still may not be the best solution for you but 
I think you should see if you are using the older client.

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jonathan Raper
Sent: Friday, May 27, 2016 11:24 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] End user data - local, cloud, home directories, and 
OneDrive, Oh my!

Hi all,

We've made a lot of strides to consolidate and streamline our infrastructure 
and data footprint... one thing seems to evade us - dealing with end user data, 
and I'm curious what you all are seeing and what you're doing with end user 
data.

We've moved email to O365, so that eliminates PSTs and the need for archiving 
(at least for now, considering that we went from a 2 Gig limit to a 50 Gig 
limit). We've moved 90-95% of project data to SharePoint, and so that all but 
eliminates shared drives, and it seems to work well. Most of our business apps 
are hosted, so that really only leaves one thing: end user data on the endpoint 
device and in Home Directories on file servers.

Originally (before we really understood the limitations of OneDrive for 
Business), we had hoped to be able to move all of that data to OneDrive and be 
done. Alas, the limitations of OneDrive and the design don't lend itself to 
that (at least for the users with more than about 100 Gigs of data due to 
OneDrive limit being based on the local user's available hard drive space. It 
is also not a fully baked product yet. We've experienced our share of quirks 
rolling it out.)

So, really, just about the only thing keeping us from eliminating file servers 
(which is something we really want to do) at this point is this end user data. 
We want to consolidate it and make sure it is backed up, but are wrestling with 
exactly how to best achieve this for a distributed organization with hundreds 
of users, many of whom are mobile. What are you guys and gals doing or seeing 
to address this need? Yes, we have many users using DropBox and Google Drive - 
we'd like to move away from that if possible, though DropBox Business or 
Enterprise is not necessarily out of the question, but it really does get 
expensive @ $12.50/$15 per month per user.

Thanks,

Jonathan
NOTE: This message and any attachments is intended solely for the use of the 
individual or entity to which it is addressed and may contain information that 
is non-public, proprietary, legally privileged, confidential, and/or exempt 
from disclosure. If you are not the intended recipient, you are hereby notified 
that any use, dissemination, distribution, or copying of this communication is 
strictly prohibited. If you have received this communication in error, please 
notify the original sender immediately by telephone or return email and destroy 
or delete this message along with any attachments immediately.



[NTSysADM] RE: DHCP failover

2016-05-18 Thread Stephen Gestwicki
DHCP failover is missing a very needed feature of automatic replication. I 
created a PowerShell script that I ran from a scheduled task to handle it. This 
is the main line in the script that did the work:
Invoke-DhcpServerv4FailoverReplication -ComputerName $PrimaryDHCP -Force

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Wednesday, May 18, 2016 10:31 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] DHCP failover

Anyone using DHCP failover on 2012r2?  I'm seeing some unexpected things.  The 
one that particularly surprised me was that server filters don't appear to be 
replicated even though all scopes are replicated between the servers.  Is that 
normal?


Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | http://servicedesk.byers.com
--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.
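
The scheduled-task approach from the reply above, extended to the MAC filters that the original question reports are not carried over with the scopes. This is an added example, not Stephen's script: the server names are placeholders and Sync-DhcpMacFilter is a hypothetical helper; it assumes the DhcpServer module (RSAT) and an account with DHCP admin rights on both servers.

```powershell
# Added example: server names are placeholders, not values from the thread.
Import-Module DhcpServer
$ErrorActionPreference = 'Stop'          # stop before replication if the filter sync fails

$PrimaryDHCP = 'dhcp01.example.test'     # assumption: failover primary
$PartnerDHCP = 'dhcp02.example.test'     # assumption: failover partner

function Sync-DhcpMacFilter {            # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Target
    )
    # Index each server's filter entries by "List|MacAddress".
    $want = @{}
    foreach ($f in Get-DhcpServerv4Filter -ComputerName $Source) {
        $want["$($f.List)|$($f.MacAddress)"] = $f
    }
    $have = @{}
    foreach ($f in Get-DhcpServerv4Filter -ComputerName $Target) {
        $have["$($f.List)|$($f.MacAddress)"] = $f
    }
    # Remove stale entries first, so a MAC that moved between the Allow and
    # Deny lists can be re-added under its new list.
    foreach ($key in $have.Keys) {
        if (-not $want.ContainsKey($key)) {
            Remove-DhcpServerv4Filter -ComputerName $Target -MacAddress $have[$key].MacAddress
        }
    }
    foreach ($key in $want.Keys) {
        if (-not $have.ContainsKey($key)) {
            $f = $want[$key]
            $add = @{ ComputerName = $Target; List = $f.List; MacAddress = $f.MacAddress }
            if ($f.Description) { $add.Description = $f.Description }
            Add-DhcpServerv4Filter @add
        }
    }
    # Mirror list enforcement last, so an Allow list is never switched on
    # before its entries exist on the target.
    $state = Get-DhcpServerv4FilterList -ComputerName $Source
    Set-DhcpServerv4FilterList -ComputerName $Target -Allow $state.Allow -Deny $state.Deny
}

Sync-DhcpMacFilter -Source $PrimaryDHCP -Target $PartnerDHCP

# The line quoted in the thread: push scope configuration to the partner.
Invoke-DhcpServerv4FailoverReplication -ComputerName $PrimaryDHCP -Force
```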




RE: [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0

2016-05-09 Thread Stephen Gestwicki
Yes, LastLogin is DC specific but LastLogonTimeStamp is not. The issue with the 
latter one is that it isn’t updated very often because it was designed to find 
stale accounts which still works perfectly for this usage.
http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Charles F Sullivan
Sent: Monday, May 09, 2016 10:51 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: New script: Microsoft Active Directory Health Check 
PowerShell Script V2.0

Isn’t it LastLogon which is DC specific?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Michael Leone
Sent: Monday, May 9, 2016 10:14 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: New script: Microsoft Active Directory Health Check 
PowerShell Script V2.0



On Mon, May 9, 2016 at 9:47 AM, Charles F Sullivan wrote:
Do you want results like this?

Name               : BENO
CanonicalName      : somedomain.com/comps/winxp/BENO
LastLogonTimeStamp : 2/4/2015 12:06:46 PM

If so, I use this in different variations, sometime adding in logic for a 
particular OS version. I give the machines 90 days to be off the network, but 
change the $date variable as you see fit. If you want to include computer 
accounts that are disabled as well, remove “-and (Enabled -eq "true")”.

Import-Module ActiveDirectory

# Cutoff: machines not seen for 90 days are reported as old
$date = [DateTime]::Today.AddDays(-90)

# -le keeps accounts whose LastLogonTimeStamp is at or before the cutoff
Get-ADComputer -Filter { (LastLogonTimeStamp -le $date) -and (Enabled -eq "true") } -Properties * |
    Select-Object Name,CanonicalName,@{n='LastLogonTimeStamp';e={ [DateTime]::FromFileTime($_.LastLogonTimeStamp) } } |
    Sort-Object -Descending -Property LastLogonTimeStamp |
    Format-List |
    Out-File ".\oldcomps.txt" -Append


Isn't the LastLogonTimeStamp dependent on which DC the user (or computer, in 
this case) connects to? So that if you are not accessing the same DC, you might 
not be getting the correct information.

I could be wrong, but that is what I understood from this mailing list.