[NTSysADM] RE: MS Volume Licensing Center login issues.

2018-02-07 Thread Kennedy, Jim
So I just went for it and sort of signed up for a ‘new’ account. It found me 
and I have everything. Odd set up they have now.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Wednesday, February 7, 2018 9:52 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] MS Volume Licensing Center login issues.

Hit the licensing center today to sign in and download some software and it is 
not recognizing me as a registered user for our org. I am certain my email 
address is correct, and as soon as I enter it it goes into the sign up process. 
I am certain our agreement is still in place, all of that is there.

Anyone else seeing this?


[NTSysADM] MS Volume Licensing Center login issues.

2018-02-07 Thread Kennedy, Jim
Hit the licensing center today to sign in and download some software and it is 
not recognizing me as a registered user for our org. I am certain my email 
address is correct, and as soon as I enter it it goes into the sign up process. 
I am certain our agreement is still in place, all of that is there.

Anyone else seeing this?


RE: [NTSysADM] Server build recommendation

2018-01-25 Thread Kennedy, Jim
I think the HP ML series will give you what you want and easily in that price 
range.  Heck you might get into their DL rack servers with hot swap drives and 
all that for that kind of money, depending on how much storage you need.

https://www.cdw.com/shop/products/HPE-ProLiant-DL380-Gen9-Special-pricing-while-supplies-last/4205135.aspx?pfm=srh


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Wednesday, January 24, 2018 7:59 PM
To: ntsysadm 
Subject: Re: [NTSysADM] Server build recommendation

The quote from Dell that I saw (and on which they were going to pull
the trigger today, until I talked with them) was around $3500, and
included Server Essentials.

That struck me as being a bit rich, especially since it only included
a software RAID controller. Man, I hate those things. I want a real
RAID controller, not something that requires a special Windows-only
driver, from both a speed/reliability and a recovery standpoint. In
this situation it's probably overkill to specify a hotswap
configuration, though.

Kurt

On Wed, Jan 24, 2018 at 3:58 PM, Gordon Pegue  wrote:
> Do they have a budget Kurt?
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Wednesday, January 24, 2018 4:46 PM
> To: ntsysadm 
> Subject: [NTSysADM] Server build recommendation
>
> The owner of a small 5-6 person property management company has
> approached me to help acquire a new server. They're currently running
> a 10+yo machine with SBS 2003, and wish to replace it.
>
> They've migrated their email to gmail, so don't need exchange, but do
> want a DC for account management, DHCP/DNS, etc., so they're looking
> to go with Server Essentials.
>
> The fellow he's nominated at his firm to be their sysadmin is quite
> green, and got a quote from Dell for a tower box with a software RAID
> card, and I told them to hold off on that purchase, while I look at
> alternatives.
>
> I was leaning toward an HP Microserver, but haven't played with one in
> years, and it looks like the current generation is using an AMD
> processor, and doesn't come with a RAID card to support RAID1.
>
> Anyone have a recommendation they can make regarding hardware?
>
> Kurt
>
>




[NTSysADM] RE: domain admin account passwords management

2018-01-17 Thread Kennedy, Jim
Granular password policy just for them. Make sure the expiration overlaps, so 
you always have one DA that isn't about to expire. One expires beginning of the 
quarter, one 3 weeks later and another 3 weeks after that for example.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Wednesday, January 17, 2018 12:30 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: domain admin account passwords management

Agreed on all accounts.
With that said how do we still manage the EA, DA, and SA accounts with the 90 
day rotation?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Wednesday, January 17, 2018 12:15 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: domain admin account passwords management

Notice:  This email is from an outside source.  Please do not open any 
attachments, click on any hyperlinks, or respond without first confirming the 
authenticity of the email.


I would suggest you should only have 4 (maximum) domain admin accounts.

If Ford can get by with 4, so can you.

And the actual Administrator account should have a disgustingly long password 
that is written down and put in a safe.

I doubt highly that your service accounts need to be domain admins. They may 
need some specific privileges delegated, but actual domain admin? Probably not.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Wednesday, January 17, 2018 12:01 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] domain admin account passwords management

I know we have LAPS for local admins.
What is everyone doing for domain admin account passwords management and 
compliance?
We are being asked to change passwords every 90 days and most of the domain 
admins are service accounts?
So...what does everyone else do to automate/management this?


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190| F: 317.554.8106


This e-mail and any files transmitted with it are property of Indiana Members 
Credit Union, are confidential, and are intended solely for the use of the 
individual or entity to whom this e-mail is addressed. If you are not one of 
the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender and delete this 
message immediately from your computer. Any other use, retention, 
dissemination, forwarding, printing, or copying of this email is strictly 
prohibited.


Please consider the environment before printing this email.




[NTSysADM] RE: domain admin account passwords management

2018-01-17 Thread Kennedy, Jim
This is easy.  You remove domain admin from your service accounts.  That is 
unacceptable, insane...really bad.  Take your pick. If they need more than 
local admin on the box they are running then you dig in and give them the perms 
they need.

Any vendor that says we need domain admin for a service is shown the door 
around here.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Wednesday, January 17, 2018 12:01 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] domain admin account passwords management

I know we have LAPS for local admins.
What is everyone doing for domain admin account passwords management and 
compliance?
We are being asked to change passwords every 90 days and most of the domain 
admins are service accounts?
So...what does everyone else do to automate/management this?


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190| F: 317.554.8106
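
An added example (not written by anyone in this thread) that audits the points raised in the two replies above: service accounts holding Domain Admins, the suggested ceiling of 4 accounts, and password expirations that land too close together. The account names and dates are constructed sample data, the 14-day spacing threshold and the use of a registered SPN as the service-account indicator are assumptions, and the commented query shows how the same objects could be built with the ActiveDirectory module.

```powershell
# Added example: audit Domain Admins against the advice in this thread.
# All sample accounts and dates below are constructed for illustration.

function Test-DomainAdminHygiene {
    [CmdletBinding()]
    param(
        # Objects with SamAccountName, ServicePrincipalName, PasswordExpires
        [Parameter(Mandatory)] [object[]] $Account,
        [int] $MaxAdmins  = 4,    # ceiling suggested in the thread
        [int] $MinGapDays = 14    # assumption: minimum spacing between expirations
    )

    $findings = New-Object System.Collections.Generic.List[object]

    if ($Account.Count -gt $MaxAdmins) {
        $findings.Add([pscustomobject]@{
            Check = 'Count'; Subject = 'Domain Admins'
            Detail = "$($Account.Count) members, expected at most $MaxAdmins" })
    }

    # Heuristic (assumption): an account with a registered SPN runs a service.
    foreach ($a in $Account | Where-Object { $_.ServicePrincipalName }) {
        $findings.Add([pscustomobject]@{
            Check = 'ServiceAccount'; Subject = $a.SamAccountName
            Detail = "Has SPN $(@($a.ServicePrincipalName)[0]); delegate specific rights instead" })
    }

    # Accounts without an expiry date fall outside any rotation schedule.
    foreach ($a in $Account | Where-Object { -not $_.PasswordExpires }) {
        $findings.Add([pscustomobject]@{
            Check = 'NoExpiry'; Subject = $a.SamAccountName
            Detail = 'Password never expires or expiry is unknown' })
    }

    # Expirations should be staggered so one DA is always far from expiring.
    $dated = @($Account | Where-Object { $_.PasswordExpires } | Sort-Object PasswordExpires)
    for ($i = 1; $i -lt $dated.Count; $i++) {
        $gap = ($dated[$i].PasswordExpires - $dated[$i - 1].PasswordExpires).TotalDays
        if ($gap -lt $MinGapDays) {
            $findings.Add([pscustomobject]@{
                Check = 'Stagger'
                Subject = "$($dated[$i - 1].SamAccountName), $($dated[$i].SamAccountName)"
                Detail = "Expire $([int]$gap) day(s) apart, minimum is $MinGapDays" })
        }
    }

    $findings
}

# Against a real domain the input could be built like this (needs RSAT):
# Import-Module ActiveDirectory
# $accounts = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties ServicePrincipalName, PasswordNeverExpires,
#                            'msDS-UserPasswordExpiryTimeComputed' |
#     ForEach-Object {
#         $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
#         [pscustomobject]@{
#             SamAccountName       = $_.SamAccountName
#             ServicePrincipalName = $_.ServicePrincipalName
#             PasswordExpires      = if ($_.PasswordNeverExpires -or -not $raw -or
#                                        $raw -eq [long]::MaxValue) { $null }
#                                    else { [datetime]::FromFileTime($raw) }
#         }
#     }

# Constructed sample: three admin accounts and two service accounts.
$start  = [datetime]'2018-04-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'da-alice';   ServicePrincipalName = @()
                       PasswordExpires = $start }
    [pscustomobject]@{ SamAccountName = 'da-bob';     ServicePrincipalName = @()
                       PasswordExpires = $start.AddDays(21) }
    [pscustomobject]@{ SamAccountName = 'da-carol';   ServicePrincipalName = @()
                       PasswordExpires = $start.AddDays(24) }   # too close to da-bob
    [pscustomobject]@{ SamAccountName = 'svc-backup'
                       ServicePrincipalName = @('MSSQLSvc/sql01.example.test:1433')
                       PasswordExpires = $null }
    [pscustomobject]@{ SamAccountName = 'svc-scan'
                       ServicePrincipalName = @('HTTP/scan01.example.test')
                       PasswordExpires = $null }
)

Test-DomainAdminHygiene -Account $sample | Format-Table -AutoSize -Wrap
```

Service accounts that run without an SPN will not be caught by the SPN heuristic, so the membership list still needs a manual review.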



[NTSysADM] RE: Surface and rdp small display

2018-01-09 Thread Kennedy, Jim
Here is a manifest file that is working on my Book that is on Anniversary.  Be 
sure to make the reg edit in the link I sent previously and reboot. It also 
works for Outlook and the old versions of Photoshop, just need to rename it and 
drop it in the right directory.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Tuesday, January 9, 2018 12:34 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Surface and rdp small display

I told him it was time for the bifocals.
He told me his private life was none of my business?
lol

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Andrea 'ML' Suatoni
Sent: Tuesday, January 9, 2018 11:20 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Surface and rdp small display



Well, I don't know if it fits in your environment, but due to that precise DPI 
issue I've switched to mRemoteNG as RDP client when I started using a Surface, 
and it works perfectly. No more Lilliputian remote desktops since then.

Andrea

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden
Sent: 09 January 2018 15:46
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Surface and rdp small display

I have been reading and applying hotfixes to my CFO's surface but the RDP 
session is so small he cannot use his Surface to remote into his workstation in 
the office.
What should I be really doing to fix this?


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190| F: 317.554.8106



mstsc.exe.MANIFEST
Description: mstsc.exe.MANIFEST


[NTSysADM] RE: Surface and rdp small display

2018-01-09 Thread Kennedy, Jim
You need a manifest file, however I believe MS blew that up in the Anniversary 
edition.

http://pocketnow.com/2016/01/25/hidpi-scalling-in-windows-10


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Tuesday, January 9, 2018 9:46 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Surface and rdp small display

I have been reading and applying hotfixes to my CFO's surface but the RDP 
session is so small he cannot use his Surface to remote into his workstation in 
the office.
What should I be really doing to fix this?


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190| F: 317.554.8106



[NTSysADM] RE: HP scanning losing connection - VPN

2017-12-07 Thread Kennedy, Jim
Sounds like the printer/scanner is having trouble finding the PC’s then…….

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of J- P
Sent: Thursday, December 7, 2017 10:50 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Re: HP scanning losing connection - VPN


After connecting to the VPN they can ping other PC's and the printer , and I 
have actually confirmed it by adding  the printer using  a TCP port as opposed 
to the HP "discovery"  port, it will print fine but the scanning  continues to 
fail and they actually scan more than they print.



And as I mentioned when they take their laptops home this doesn't occur 
(granted it's not the same exact model HP but its the same software)






From: listsad...@lists.myitforum.com on behalf of Melvin Backus
Sent: Thursday, December 7, 2017 6:56 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: HP scanning losing connection - VPN


If the VPN is not doing split tunneling it will break that setup. Easy test, do 
a route print and see where the default route is pointing.  Or trace to an 
external public IP and see if it goes out your local gateway or down the VPN 
tunnel.



Can they ping the other PCs on the network when it happens? Sometimes it’s 
easier to see when you expand the list of symptoms.



--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.



¯\_(ツ)_/¯



From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of J- P
Sent: Wednesday, December 6, 2017 9:01 PM
To: NT >
Subject: [NTSysADM] HP scanning losing connection - VPN



soho environment,  5 pc's  using HP's native scanning protocol (twain WIA)



constant "scanner not found" from the pc's  rebooting the pc's and 
printer/scanner it re-establishes connections- they do use VPN haven't narrowed 
it down yet as to whether or not its the VPN that "breaks" the scanning 
ability-- users claim that "at home it works fine with or without VPN"



looking to get a real "Canon/Ricoh/Xerox" into the office , as the current one 
is a consumer product



any thoughts?




Jean-Paul Natola



RE: [NTSysADM] Advice: physically moving a site, but not changing AD Site info ...

2017-12-05 Thread Kennedy, Jim
You can still collapse the site if you want. Just move the servers to the 
existing site you are keeping and add vlan's that are being used due to 
telecom/voip constraints to that site.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Tuesday, December 5, 2017 10:32 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Advice: physically moving a site, but not changing AD 
Site info ...

Thanks. As an update, they've decided *not* to move the servers tomorrow, 
during the downtime at the site. They will stay, and be back up the next day, 
when the power people get done doing whatever it is that they are doing.

(which means all the users at that site are coming here. And logging in .. to 
no profile, as their profile is hosted on the server which will be powered off 
at the remote site. I foresee lots of fun and amusement ...)

However, that site will close early next year, so I will have to move the file 
server and DC. I thought about collapsing down the subnets (and AD sites), but 
my networking guys don't want to do that, as they still need them for the 
telecom/VOIP system - don't ask me, I'm not following all that. If we don't 
change the subnets, then the networking guys have a ton of re-VLANing of ports 
to do, at the remaining site ...

No doubt I will be writing again, when the move actually happens. What I'd 
really like, is to be able to move the DHCP services off the DC, and onto 
another server. But that may be scary, too, guess we'll find out ...



On Fri, Dec 1, 2017 at 2:21 PM, Charles F Sullivan wrote:
> I don't see any issues with doing that.
>
> You may want to (once everything is working as expected) add that 
> subnet to the main data center site and do away with the old site. 
> There's no reason to have intersite replication now that the moved DCs 
> have good connectivity to the other DCs. Your remote users at least 
> will have more up to date AD changes, even if they may now suffer from 
> slower overall response from the file server and DCs.
>
> On Fri, Dec 1, 2017 at 11:07 AM, Michael Leone  wrote:
>>
>> I'm pretty sure I know the answer, but I want to verify.
>>
>> I've got a remote site that is scheduled to be shut down for the day 
>> next week, for power issues (don't ask me, I don't own the building 
>> ...). Since this site is scheduled to be abandoned next month, the 
>> Powers That Be have decided that they want to move the servers out of 
>> that site, down to the main data center, on Wed. This means that when 
>> the building re-opens on Thu, all the employees who are still at that 
>> remote site will then log in to the servers across the WAN.
>>
>> 
>>
>> Now this site is also a Site in AD, with 4 subnets assigned. The 
>> servers that are moving are all only in 1 subnet (x.x.16.x),
>>
>> Got all that?
>>
>> So I think if we physically move the servers to the main datacenter, 
>> re-configure some switch ports there to be the .16 subnet. And 
>> everything should still Just Work  ...
>>
>> by which I mean, the folks still out at the remote site can still 
>> log in to the domain, and access their file server, pretty much 
>> transparently. They're just going to be accessing their files long 
>> distance now, instead of locally.
>>
>> I don't need to do any AD or host reconfiguration, right? There is 
>> switch reconfigs to do (ports), but that should be on my networking 
>> guys, correct?
>>
>> Anything I can tell them to make sure they cover? This is all 
>> possible, right? And shouldn't be a big deal, presuming the 
>> connectivity all works? I am not a networking guy in any sense ...
>>
>> Thanks for any help. This just dropped into my lap when I came back 
>> in today. I thought we had until the end of Feb to prepare for this 
>>
>>
>
>
>
> --
>
> Charlie Sullivan
>
> Sr. Windows Systems Administrator
>
> Boston College
>
> 197 Foster St. Room 367
>
> Brighton, MA 02135
>
> 617-552-4318




RE: [NTSysADM] Advice: physically moving a site, but not changing AD Site info ...

2017-12-01 Thread Kennedy, Jim
Based on your description and the network guys doing it right, you are fine.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Friday, December 1, 2017 11:08 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Advice: physically moving a site, but not changing AD Site 
info ...

I'm pretty sure I know the answer, but I want to verify.

I've got a remote site that is scheduled to be shut down for the day next week, 
for power issues (don't ask me, I don't own the building ...). Since this site 
is scheduled to be abandoned next month, the Powers That Be have decided that 
they want to move the servers out of that site, down to the main data center, 
on Wed. This means that when the building re-opens on Thu, all the employees 
who are still at that remote site will then log in to the servers across the WAN.



Now this site is also a Site in AD, with 4 subnets assigned. The servers that 
are moving are all only in 1 subnet (x.x.16.x),

Got all that?

So I think if we physically move the servers to the main datacenter, 
re-configure some switch ports there to be the .16 subnet. And everything 
should still Just Work  ...

by which I mean, the folks still out at the remote site can still log in to 
the domain, and access their file server, pretty much transparently. They're 
just going to be accessing their files long distance now, instead of locally.

I don't need to do any AD or host reconfiguration, right? There is switch 
reconfigs to do (ports), but that should be on my networking guys, correct?

Anything I can tell them to make sure they cover? This is all possible, right? 
And shouldn't be a big deal, presuming the connectivity all works? I am not a 
networking guy in any sense ...

Thanks for any help. This just dropped into my lap when I came back in today. I 
thought we had until the end of Feb to prepare for this 




RE: [NTSysADM] RE: Crosspost: clearing the autocomplete cache

2017-12-01 Thread Kennedy, Jim
So perhaps a run once log off script for the user……

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Friday, December 1, 2017 10:21 AM
To: excha...@lists.myitforum.com; ntsysadm@lists.myitforum.com
Subject: [Exchange] RE: [NTSysADM] RE: Crosspost: clearing the autocomplete 
cache

Without restarting Outlook? That would require testing.

But yes, when Outlook restarts it will.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, December 1, 2017 9:34 AM
To: ntsysadm@lists.myitforum.com
Cc: excha...@lists.myitforum.com
Subject: [Exchange] RE: [NTSysADM] RE: Crosspost: clearing the autocomplete 
cache

Guys, I am 100% completely onboard with you.  I don’t want to do this, but I’ve 
been directed to, and they’re not listening to reason.  So, does anyone know of 
a way to do this, without opening Outlook.  If I just rename/delete the 
original file, will Outlook recreate it automatically the first time the user 
sends a new e-mail?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jack Kramer
Sent: Thursday, November 30, 2017 1:50 PM
Cc: excha...@lists.myitforum.com
Subject: Re: [NTSysADM] RE: Crosspost: clearing the autocomplete cache

Oh, if he clears everyone’s autocomplete cache I’d put money on it being open 
carry versus concealed...

Jack Kramer, Senior Consultant
Small Type Computing - www.smalltype.net
W: 855-765-8973 x101 - C: 248-635-4955

On Nov 30, 2017, at 2:48 PM, Webster wrote:

Be glad CA is not a concealed carry state!


Webster

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, November 30, 2017 10:05 AM
To: 'NT System Admin Issues Discussion list'; excha...@lists.myitforum.com
Subject: [NTSysADM] Crosspost: clearing the autocomplete cache

Recently, we did a cleanup of proxy addresses that were no longer needed.  
Unfortunately, this has caused an issue with our users, as some of their 
autocomplete entries are using the old, now gone, proxy addresses.  I’ve been 
directed to clear everyone’s autocomplete cache.  I found a quick and easy 
command to do this, but it opens Outlook in order to perform the clean.  
(outlook.exe /CleanAutoCompleteCache).  Having Outlook open spontaneously, or a 
second instance opening, would be very disconcerting and worrisome for our 
users, so I’d like to find a way to clean the cache, without opening Outlook.  
Does anyone have a method?

For the most part, all users are using Outlook 2016, but there are a few 2013, 
and 2010.

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284



RE: [NTSysADM] OS in the CPU

2017-11-27 Thread Kennedy, Jim
It matters to management when you give your 2 week notice, which is exactly 
what I would do if they treated me as you described. Any of us that are half 
way decent can find a new better higher paying gig just by picking up the phone 
on the drive home.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of john.matte...@gmail.com
Sent: Saturday, November 25, 2017 5:23 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] OS in the CPU

Since when does that matter to management? We’re all barely evolved pond scum 
as far as management goes when things are going right. When the environment 
blows up due to a zero day, or an undiscovered vulnerability and management is 
looking for retribution, IT people are the first to feel the axe on their necks.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Tuesday, November 21, 2017 1:01 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] OS in the CPU

And if the current stats are even close to accurate there are something like 
20 unfilled cybersecurity jobs at the moment with only about 2 
qualified people to fill them, and the unfilled numbers are growing faster than 
the qualified people.  That would lead me to think that the ‘career ending 
event’ would actually be a gateway to a new job where they probably understand 
that you can’t possibly catch everything, particularly heretofore unknown 
things.

How’s that saying go?  You can’t know what you don’t know.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

¯\_(ツ)_/¯

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Andrew S. Baker
Sent: Tuesday, November 21, 2017 11:43 AM
To: ntsysadm
Subject: Re: [NTSysADM] OS in the CPU

Sure, but there are lots of ways to lose jobs -- many of which have nothing to 
do with your own personal actions.

InfoSec currently lends itself more to employment than unemployment.


Regards,

 ASB



On Mon, Nov 20, 2017 at 12:05 PM, Jonathan Link wrote:
More like job insecurity. Missing an exploit might be a career ending event, 
even if it is heretofore an unknown exploit.

On Mon, Nov 20, 2017 at 11:54 AM Melvin Backus wrote:
Some call them opportunities, we in IT call them job security. ☺

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

¯\_(ツ)_/¯

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Kurt Buff
Sent: Monday, November 20, 2017 11:34 AM
To: ntsysadm
Subject: Re: [NTSysADM] OS in the CPU

There are always more problems:

https://www.thezdi.com/blog/2017/10/04/vmware-escapology-how-to-houdini-the-hypervisor

https://www.youtube.com/watch?v=uRemWLNBSZg

On Mon, Nov 20, 2017 at 8:05 AM, Andrew S. Baker wrote:
But wait!   There's more...

https://www.youtube.com/watch?v=KrksBdWcZgQ


(I see your "solution" and raise you two more problems)


Regards,

 ASB


On Sun, Nov 19, 2017 at 12:28 PM, Kurt Buff wrote:
The OS in question (minix), isn't in the main CPU - it's in the CPU of the 
management engine, which is completely separate, and doesn't, or at least 
shouldn't, affect system performance.
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Hardware
That actually makes it worse, since as long as the machine is connected to power, 
even though putatively "off", the management engine is available. That is, if 
it's been configured. This is an enterprise feature, so the ME is usually not 
active in consumer-grade computers.
But, if it's present and turned on, then it's pretty risky:
https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/
But there's some hope, of a sort - Google is on the case:
http://www.tomshardware.com/news/google-removing-minix-management-engine-intel,35876.html
Kurt

On Sun, Nov 19, 2017 at 6:34 AM, Andrew S. Baker wrote:
No wonder our machines don't seem as fast as we think they *could* be... 
They're busy running more stuff than we thought:

http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/

The security implications are also pretty staggering...

Regards,

 ASB






RE: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Kennedy, Jim
ABE won't do that, it just controls what they see; it just hides what they 
don't have read access to. Great feature, I use it everywhere but not what you 
need for this.

Break inheritance on D4, add the group for the new users and create a shortcut 
for them directly to that path.  \\server\B2\C3\D4  I am assuming B2 is shared 
here.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Tuesday, November 14, 2017 11:51 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Accessing only a lower level folder in a share

It's been so long since I've had to do this, I need a check. I'm doing 
something fundamentally wrong, I think.

We use groups to set share/ACLs on folders. I got a request to share a 4th 
level sub-folder with other employees not in the ACL. So what I have is:

Folder A1 (shared)
-->>B2
   -->>C3
 -->> D4 (this is the one I want to allow access to)

Now, the share permissions on A1 is for DevelopmentGroup, and the NTFS 
permissions are the same. Those permissions just flow down to B2, C3 and D4 
(i.e., normal inheritance).

Now, I'm pretty sure the only way to allow access to only D4, and not allow 
access to B2 and C3 or even see files there, is to enable ABE.
But I've never done that, and am leery of enabling it in production, without a 
whole more testing and forethought (I shudder to think of all the help desk 
calls, if I get something wrong).

Am I correct that only ABE will do what I am thinking of (allow access only to 
D4 and hide contents of A1, B2, C3)?

Barring ABE, there's nothing I can do, short of granting a new group access to 
D4, and living with the consequences?

Thoughts? At this point, I want to just add the new group to the NTFS 
permissions of D4 only, and live with the fact that these new group members can 
see everything higher up.
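
An added example (not written by anyone in this thread) of the NTFS side of the "break inheritance on D4 and add the group" suggestion, run against a throwaway folder tree under the temp directory. `BUILTIN\Users` is an assumed stand-in for the new group and the B2\C3\D4 names mirror the question; the share permissions on the shared folder have to admit the new group separately.

```powershell
# Added example: break inheritance on D4 and grant one extra group access there.
# Works on a scratch tree in the temp directory, not on a real share.

$NewGroup = 'BUILTIN\Users'    # assumption: stand-in for the group of new users
$root     = Join-Path ([IO.Path]::GetTempPath()) 'A1-demo'
$d4       = Join-Path $root 'B2\C3\D4'
New-Item -ItemType Directory -Force -Path $d4 | Out-Null

$acl = Get-Acl -Path $d4

# First $true: stop inheriting from C3.
# Second $true: keep the previously inherited ACEs as explicit copies, so the
# group that already had access through A1 does not lose it.
$acl.SetAccessRuleProtection($true, $true)

# Allow the new group on D4, its subfolders and its files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $NewGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $d4 -AclObject $acl

# Report each level: only D4 should have inheritance blocked and carry an
# explicit (non-inherited) ACE for the new group.
$levels = @(
    (Join-Path $root 'B2'),
    (Join-Path $root 'B2\C3'),
    $d4
)
$report = foreach ($p in $levels) {
    $a = Get-Acl -Path $p
    $explicit = $a.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $NewGroup
    }
    [pscustomobject]@{
        Path                   = $p
        InheritanceBlocked     = $a.AreAccessRulesProtected
        ExplicitAceForNewGroup = [bool]$explicit
    }
}
$report | Format-Table -AutoSize

# Clean up the scratch tree.
Remove-Item -Recurse -Force -Path $root
```

Users with no rights on B2 and C3 can still open the full path to D4 because the "Bypass traverse checking" user right is granted broadly by default, which is why the direct shortcut works.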




RE: [NTSysADM] RE: GPO application question.

2017-10-24 Thread Kennedy, Jim
That was where I was going…a general rule of thumb for future use.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Micheal Espinola Jr
Sent: Tuesday, October 24, 2017 3:43 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: GPO application question.

Like James said; if the OS doesn't programmatically recognize a registry entry, 
then it doesn't do anything with it.  However, this is a potential rabbit hole 
if you get into this habit and start to push mismatched settings without 
concern.

--
Espi


On Tue, Oct 24, 2017 at 11:06 AM, James Rankin <ja...@htguk.com> wrote:
It will write the Registry key, I presume, but the OS will just ignore it.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: 24 October 2017 18:57
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] GPO application question.


What happens with a setting that is in a GPO applied to a non-supported OS.  So 
for example the SMB setting below is on an OU with Win 10 boxes in it. Is it 
just ignored? So it will get ignored and not mess up the Win 10 
dependencies..correct?



[cid:image001.jpg@01D34CDF.C9E8EDE0]



[NTSysADM] RE: WOW!!! I had no idea I was going to be honored

2017-10-24 Thread Kennedy, Jim
Epic sir, congrats.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Webster
Sent: Tuesday, October 24, 2017 12:18 PM
To: NT Issues (ntsysadm@lists.myitforum.com)
Subject: [NTSysADM] WOW!!! I had no idea I was going to be honored

https://www.citrix.com/blogs/2017/10/24/announcing-ctp-fellow-award-a-new-classification/

Deeply, deeply humbled and honored

Thanks


Carl Webster
Citrix Technology Professional | iGel Tech Community Insider | Parallels VIPP
http://www.CarlWebster.com
The Accidental Citrix Admin





RE: [NTSysADM] GPO application question.

2017-10-24 Thread Kennedy, Jim
It is an age thing, which is why I knew what you meant.  ☺

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Charles F Sullivan
Sent: Tuesday, October 24, 2017 2:53 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] GPO application question.

Correction on that first paragraph: Meant to say "not applying that setting to 
Windows 8.1/2012R2 and later."

(There'll be a lot more where that came from. It's an age thing)

On Tue, Oct 24, 2017 at 2:39 PM, Charles F Sullivan <charles.sulliva...@bc.edu> wrote:
I'm not sure why MS seems to make kind of a big deal about not applying that 
setting to down level OSes. It's the exact setting that Windows 2012R2/8.1 and 
later has by default even with SMB1 enabled, so it won't add or change 
anything. I just don't see how it would cause a problem.

On a side note, I was cautious about removing SMB1 altogether as a feature from 
my Windows 2012R2 and 2016 images because those servers would be linked to a 
GPO that disables SMB1. I went ahead and did that anyway on a test machine and 
there are no errors in the Event Logs, etc, despite the fact that it added some 
registry settings (AFAIK).

Side note number 2: For some reason it seems that even after refreshing a newly 
linked GPO and rebooting, I had to refresh GP yet again to get the 
mrxsmb1:start=4 setting to apply. I've seen this on a few machines anyway.


On Tue, Oct 24, 2017 at 1:56 PM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:

What happens with a setting that is in a GPO applied to a non-supported OS.  So 
for example the SMB setting below is on an OU with Win 10 boxes in it. Is it 
just ignored? So it will get ignored and not mess up the Win 10 
dependencies..correct?





--

Charlie Sullivan

Sr. Windows Systems Administrator

Boston College

197 Foster St. Room 367

Brighton, MA 02135

617-552-4318



--

Charlie Sullivan

Sr. Windows Systems Administrator

Boston College

197 Foster St. Room 367

Brighton, MA 02135

617-552-4318


[NTSysADM] RE: GPO application question.

2017-10-24 Thread Kennedy, Jim
A WMI filter fixes this, was just trying to avoid 2 GPO's. Thanks for the heads 
up, it did feel like it could end bad(tm).


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Tuesday, October 24, 2017 2:05 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: GPO application question.

Weird and unsupported things.
Not good mojo for you if you go this route.
Basically it could cause unknown things to happen.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Tuesday, October 24, 2017 1:57 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] GPO application question.




What happens with a setting that is in a GPO applied to a non-supported OS.  So 
for example the SMB setting below is on an OU with Win 10 boxes in it. Is it 
just ignored? So it will get ignored and not mess up the Win 10 
dependencies..correct?



[cid:image001.jpg@01D34CD2.53770AF0]




[NTSysADM] GPO application question.

2017-10-24 Thread Kennedy, Jim
What happens with a setting that is in a GPO applied to a non-supported OS.  So 
for example the SMB setting below is on an OU with Win 10 boxes in it. Is it 
just ignored? So it will get ignored and not mess up the Win 10 
dependencies..correct?



[cid:image001.jpg@01D34CCF.E9276250]



RE: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

2017-10-17 Thread Kennedy, Jim
So yea, it is the SIEM. It is a really slow leak but my get-process dump over 
time pointed it out.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, October 16, 2017 3:08 PM
To: ntsysadm
Subject: RE: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

I have a SIEM on each of them. The vendor is trustworthy, no reports of anyone 
else having this issue and the agent upgrades don’t coincide with this 
happening. Although an upgrade to Windows could certainly impact it.

There was an upgrade to the SCOM agent that does line up pretty good with when 
this started. But you would think the world would be screaming if that were the 
case. I disabled the SCOM agent on all the 2008 R2 boxes for now. So far it has 
been fine, but still a tad too soon to blame that.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Andrew S. Baker
Sent: Monday, October 16, 2017 2:54 PM
To: ntsysadm
Subject: Re: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

I was thinking antimalware myself.

In fact, antimalware, some other agent software, and malware, are the three 
things that come to mind for this scenario -- especially if the devices 
experiencing the problem are not logged on to the console.


Regards,

 ASB
 https://about.me/Andrew.S.Baker

 Providing CyberSecurity and IT Operations Consulting for the SMB market…

 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842



On Thu, Oct 12, 2017 at 6:50 PM, Richard Stovall <rich...@gmail.com> wrote:
I seem to remember Vipre causing that occasionally, in its early incarnations.

On Tue, Oct 10, 2017 at 10:12 AM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:
Still having this issue, and it has spread to many of my 2008 R2 servers 
including non hyper V guests.  They all start with this:

The server was unable to allocate from the system nonpaged pool because the 
pool was empty.

Full on hangs, so I can’t get in to see what ate the memory. Not seeing 
anything in real time looking like too many handles.

Any ideas here gang?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 11, 2017 1:25 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

So yea, that is exactly what I did.  TYVM sir.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Monday, September 11, 2017 12:59 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

Don’t run overcommitted in production.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 11, 2017 12:20 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] 2008 R2 Hyper V guests OoM

Just started a couple of weeks ago. I suspect an August update so I may cross 
post this later over on Patch Management.

2012 R2 Hyper V host (2 of them) with a mixture of 2008 R2 and 2012 R2 guests.  
Only the 2008 R2’s are exhibiting this behavior, they are all low usage 
machines. They are all set to dynamic memory and have been running for years 
without issue. One is only an FTP server that accepts 4 connections a night for 
an automated data transfer. And the incoming connections are IP restricted on 
our ASA, so it isn’t like it is getting flooded with hacking attempts. These 
boxes are varied in their use FTP, internal only web server, RDP Gateway, 
generic file server……

They crash shortly after a 2019 from srv.  “The server was unable to allocate 
from the system nonpaged pool because the pool was empty.”

Setting them to a fixed memory on the slightly larger than what I would expect 
them to need seems to have fixed it. Any other ideas?












RE: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

2017-10-16 Thread Kennedy, Jim
I have a SIEM on each of them. The vendor is trustworthy, no reports of anyone 
else having this issue and the agent upgrades don’t coincide with this 
happening. Although an upgrade to Windows could certainly impact it.

There was an upgrade to the SCOM agent that does line up pretty good with when 
this started. But you would think the world would be screaming if that were the 
case. I disabled the SCOM agent on all the 2008 R2 boxes for now. So far it has 
been fine, but still a tad too soon to blame that.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Andrew S. Baker
Sent: Monday, October 16, 2017 2:54 PM
To: ntsysadm
Subject: Re: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

I was thinking antimalware myself.

In fact, antimalware, some other agent software, and malware, are the three 
things that come to mind for this scenario -- especially if the devices 
experiencing the problem are not logged on to the console.


Regards,

 ASB
 https://about.me/Andrew.S.Baker

 Providing CyberSecurity and IT Operations Consulting for the SMB market…

 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842



On Thu, Oct 12, 2017 at 6:50 PM, Richard Stovall <rich...@gmail.com> wrote:
I seem to remember Vipre causing that occasionally, in its early incarnations.

On Tue, Oct 10, 2017 at 10:12 AM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:
Still having this issue, and it has spread to many of my 2008 R2 servers 
including non hyper V guests.  They all start with this:

The server was unable to allocate from the system nonpaged pool because the 
pool was empty.

Full on hangs, so I can’t get in to see what ate the memory. Not seeing 
anything in real time looking like too many handles.

Any ideas here gang?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 11, 2017 1:25 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

So yea, that is exactly what I did.  TYVM sir.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Monday, September 11, 2017 12:59 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

Don’t run overcommitted in production.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 11, 2017 12:20 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] 2008 R2 Hyper V guests OoM

Just started a couple of weeks ago. I suspect an August update so I may cross 
post this later over on Patch Management.

2012 R2 Hyper V host (2 of them) with a mixture of 2008 R2 and 2012 R2 guests.  
Only the 2008 R2’s are exhibiting this behavior, they are all low usage 
machines. They are all set to dynamic memory and have been running for years 
without issue. One is only an FTP server that accepts 4 connections a night for 
an automated data transfer. And the incoming connections are IP restricted on 
our ASA, so it isn’t like it is getting flooded with hacking attempts. These 
boxes are varied in their use FTP, internal only web server, RDP Gateway, 
generic file server……

They crash shortly after a 2019 from srv.  “The server was unable to allocate 
from the system nonpaged pool because the pool was empty.”

Setting them to a fixed memory on the slightly larger than what I would expect 
them to need seems to have fixed it. Any other ideas?












RE: [NTSysADM] Is it possible to allow users to update just 1 field in AD?

2017-10-16 Thread Kennedy, Jim
I vote not allowing a regular user to run powershell.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jack Kramer
Sent: Monday, October 16, 2017 8:57 AM
To: ntsysadm@lists.myitforum.com
Cc: ActiveDir Mailing List
Subject: Re: [NTSysADM] Is it possible to allow users to update just 1 field in 
AD?

What about having her execute a PS script to do that? She’d still need 
permissions but it’d be a lot harder for her to get into trouble if she doesn’t 
have an interface to mess around with.

Jack Kramer, Senior Consultant
Small Type Computing - www.smalltype.net
W: 855-765-8973 x101 - C: 248-635-4955

> On Oct 16, 2017, at 8:44 AM, Michael Leone  wrote:
> 
> I have a user, who needs to do 2 things in AD.
> 
> 1. She needs to lookup a user, to see what their login ID is (it has
> to match what is in our Cisco VOIP, I'm told). And then ...
> 2. She needs to input a value in the "IP Phone" field. (apparently,
> the Cisco software does an LDAP lookup of this field).
> 
> Is it possible to delegate the right to change just that one field to
> a user? (I think not) We don't want her to inadvertently delete a
> user, or change anything else. We're just tired of her calling the
> help desk to do simple lookups, or enter a phone number that she
> should (might?) be able to do herself.
> 
> Mind you, I did an export of all user logins, which was supposed to be
> fed into the Cisco system. So why they think the logins don't match, I
> don't know. And don't have time (or inclination) to deal with.
> 
> Thanks for any advice.
> 
> 
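
An added example, not part of the original messages: one way an administrator can delegate write access to only the "IP Phone" field (LDAP attribute `ipPhone`) on user objects under one OU, then confirm the resulting ACE. The OU, the group name and the function names are placeholders and assumptions; the script needs the ActiveDirectory module and rights to modify the OU's ACL.

```powershell
# Added example: grant a group WriteProperty on the ipPhone attribute of
# user objects below one OU, and nothing else. Run by an administrator.
Import-Module ActiveDirectory

$TargetOU = 'OU=Staff,DC=example,DC=com'        # placeholder OU
$Delegate = 'EXAMPLE\VoIP-Attribute-Editors'    # placeholder group

function Get-SchemaGuid {
    # Resolve a schema attribute or class name to its schemaIDGUID.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function New-AttributeWriteRule {
    # Build an Allow ACE: WriteProperty on one attribute, inherited only by
    # descendant objects of one class.
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][guid]$AttributeGuid,
        [Parameter(Mandatory)][guid]$ClassGuid
    )
    $account = New-Object System.Security.Principal.NTAccount($Group)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ClassGuid)
}

$ipPhoneGuid = Get-SchemaGuid -LdapDisplayName 'ipPhone'
$userGuid    = Get-SchemaGuid -LdapDisplayName 'user'
$rule = New-AttributeWriteRule -Group $Delegate `
    -AttributeGuid $ipPhoneGuid -ClassGuid $userGuid

# Add the ACE to the OU. Existing ACEs are left untouched.
$path = "AD:\$TargetOU"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: list every ACE on the OU that is scoped to the ipPhone attribute.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $ipPhoneGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  AccessControlType, InheritanceType, InheritedObjectType |
    Format-List
```

Because the ACE names a single attribute GUID and the user class, members of the group cannot delete users or write other attributes through it.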



[NTSysADM] RE: OT Meanwhile at Derbycon this weekend...

2017-10-12 Thread Kennedy, Jim
Sorry, gotta share this. Dave got Trevor on CNN.

https://youtu.be/slz9PlnnEjk?t=4m17s


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 25, 2017 12:43 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: OT Meanwhile at Derbycon this weekend...

So I should not expect you to contribute to the Go Fund Me that I set up for 
Trevor’s family?

https://www.gofundme.com/trevor-the-roach-memorial-fund


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Monday, September 25, 2017 12:25 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: OT Meanwhile at Derbycon this weekend...

Good riddance!

*shakes fist* Get off my lawn!

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 25, 2017 9:54 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] OT Meanwhile at Derbycon this weekend...

…we lost a close friend. Trevor the Roach.

https://www.csoonline.com/article/3227910/security/hackers-create-memorial-for-a-cockroach-named-trevor.html



[NTSysADM] RE: 2008 R2 Hyper V guests OoM

2017-10-10 Thread Kennedy, Jim
Going to fire a scheduled task to run every 30 minutes or so on a few of them.


Get-Process | Export-Csv -Append -Path "C:\processes.csv"


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Tuesday, October 10, 2017 10:12 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

Still having this issue, and it has spread to many of my 2008 R2 servers 
including non hyper V guests.  They all start with this:

The server was unable to allocate from the system nonpaged pool because the 
pool was empty.

Full on hangs, so I can’t get in to see what ate the memory. Not seeing 
anything in real time looking like too many handles.

Any ideas here gang?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 11, 2017 1:25 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

So yea, that is exactly what I did.  TYVM sir.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Monday, September 11, 2017 12:59 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

Don’t run overcommitted in production.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 11, 2017 12:20 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] 2008 R2 Hyper V guests OoM

Just started a couple of weeks ago. I suspect an August update so I may cross 
post this later over on Patch Management.

2012 R2 Hyper V host (2 of them) with a mixture of 2008 R2 and 2012 R2 guests.  
Only the 2008 R2’s are exhibiting this behavior, they are all low usage 
machines. They are all set to dynamic memory and have been running for years 
without issue. One is only an FTP server that accepts 4 connections a night for 
an automated data transfer. And the incoming connections are IP restricted on 
our ASA, so it isn’t like it is getting flooded with hacking attempts. These 
boxes are varied in their use FTP, internal only web server, RDP Gateway, 
generic file server……

They crash shortly after a 2019 from srv.  “The server was unable to allocate 
from the system nonpaged pool because the pool was empty.”

Setting them to a fixed memory on the slightly larger than what I would expect 
them to need seems to have fixed it. Any other ideas?
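
An added example, not part of the original messages: the scheduled Get-Process dump from the top of this message, extended with a sample timestamp, plus the analysis that ranks processes by nonpaged pool growth, which is how a slow leak in an agent shows up over days. The file path, function names, column choice and the constructed sample rows are assumptions; `Export-Csv -Append` and `[pscustomobject]` need PowerShell 3.0 or later.

```powershell
# Added example: collector and analysis for a slow nonpaged-pool leak.
# Path, function names and sample data are assumptions for illustration.

$SamplePath = 'C:\process-samples.csv'   # assumed path, separate from C:\processes.csv

function Save-ProcessSample {
    # Run from the scheduled task. Adds a SampleTime column so rows from
    # different runs can be told apart in the appended file.
    param([string]$Path = $SamplePath)
    $now = (Get-Date).ToString('s')
    Get-Process |
        Select-Object @{n='SampleTime';e={$now}}, Id, ProcessName,
                      HandleCount, NonpagedSystemMemorySize64,
                      PagedSystemMemorySize64, WorkingSet64 |
        Export-Csv -Append -NoTypeInformation -Path $Path
}

function Get-PoolGrowth {
    # Ranks processes by growth in nonpaged pool between the first and last
    # sample in which each (Id, ProcessName) pair appears. Pairing on both
    # fields avoids mixing samples when a PID is reused by another program.
    param(
        [Parameter(Mandatory)][object[]]$Samples,
        [int]$MinSamples = 3
    )
    $Samples |
        Group-Object -Property Id, ProcessName |
        Where-Object { $_.Count -ge $MinSamples } |
        ForEach-Object {
            $rows  = @($_.Group | Sort-Object { [datetime]$_.SampleTime })
            $first = $rows[0]
            $last  = $rows[-1]
            $hours = ([datetime]$last.SampleTime -
                      [datetime]$first.SampleTime).TotalHours
            $delta = [int64]$last.NonpagedSystemMemorySize64 -
                     [int64]$first.NonpagedSystemMemorySize64
            [pscustomobject]@{
                ProcessName   = $first.ProcessName
                Id            = [int]$first.Id
                Samples       = $rows.Count
                NonpagedStart = [int64]$first.NonpagedSystemMemorySize64
                NonpagedEnd   = [int64]$last.NonpagedSystemMemorySize64
                GrowthBytes   = $delta
                GrowthPerHour = if ($hours -gt 0) { [math]::Round($delta / $hours) } else { 0 }
                HandleDelta   = [int]$last.HandleCount - [int]$first.HandleCount
            }
        } |
        Sort-Object GrowthBytes -Descending
}

# Constructed sample data (not from the thread): three runs, 30 minutes
# apart. Process names and values are invented for the demonstration.
$demo = @'
SampleTime,Id,ProcessName,HandleCount,NonpagedSystemMemorySize64,PagedSystemMemorySize64,WorkingSet64
2017-10-10T10:00:00,812,agentsvc,410,1048576,2097152,52428800
2017-10-10T10:00:00,604,lsass,980,262144,1048576,20971520
2017-10-10T10:30:00,812,agentsvc,455,1572864,2097152,53477376
2017-10-10T10:30:00,604,lsass,982,262144,1048576,20971520
2017-10-10T11:00:00,812,agentsvc,501,2097152,2097152,54525952
2017-10-10T11:00:00,604,lsass,979,266240,1048576,20971520
'@ | ConvertFrom-Csv

# In the constructed data agentsvc grows by 1048576 bytes in one hour and
# sorts first; lsass grows by 4096 bytes.
Get-PoolGrowth -Samples $demo | Format-Table -AutoSize

# Against the real collector output:
# Get-PoolGrowth -Samples (Import-Csv $SamplePath) | Select-Object -First 10
```

Nonpaged pool allocated by kernel drivers is not charged to any process, so a flat result here points toward a driver rather than a user-mode agent.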










[NTSysADM] RE: 2008 R2 Hyper V guests OoM

2017-10-10 Thread Kennedy, Jim
Still having this issue, and it has spread to many of my 2008 R2 servers 
including non hyper V guests.  They all start with this:

The server was unable to allocate from the system nonpaged pool because the 
pool was empty.

Full on hangs, so I can’t get in to see what ate the memory. Not seeing 
anything in real time looking like too many handles.

Any ideas here gang?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 11, 2017 1:25 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

So yea, that is exactly what I did.  TYVM sir.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Monday, September 11, 2017 12:59 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

Don’t run overcommitted in production.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 11, 2017 12:20 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] 2008 R2 Hyper V guests OoM

Just started a couple of weeks ago. I suspect an August update so I may cross 
post this later over on Patch Management.

2012 R2 Hyper V host (2 of them) with a mixture of 2008 R2 and 2012 R2 guests.  
Only the 2008 R2’s are exhibiting this behavior, they are all low usage 
machines. They are all set to dynamic memory and have been running for years 
without issue. One is only an FTP server that accepts 4 connections a night for 
an automated data transfer. And the incoming connections are IP restricted on 
our ASA, so it isn’t like it is getting flooded with hacking attempts. These 
boxes are varied in their use FTP, internal only web server, RDP Gateway, 
generic file server……

They crash shortly after a 2019 from srv.  “The server was unable to allocate 
from the system nonpaged pool because the pool was empty.”

Setting them to a fixed memory on the slightly larger than what I would expect 
them to need seems to have fixed it. Any other ideas?










RE: [NTSysADM] Local script or tool to export to PST

2017-10-10 Thread Kennedy, Jim
I use ReliefJet to export a larger number of Outlook Calendars each night for a 
brick level backup of them. Been using it for years. It will do what you need 
although it might be overkill.

https://www.reliefjet.com/


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Tony Burrows
Sent: Monday, October 9, 2017 7:53 PM
To: NT Sys Admin
Subject: [NTSysADM] Local script or tool to export to PST

Good evening all,
I have an interesting one and am hoping someone can point me in the right 
direction or confirm my assumptions. I was told a couple weeks ago by a 
multi-site client that the owners are going through a falling out and thus they 
are parting ways. The secondary site has retained our services however they are 
100% dependent on the primary site via a 100Mbps MPLS connection. We are 
already working on new SIP and internet services, servers, rack, switches, 
workstations, phone system, firewall, etc. and we're good to go here. The catch 
is there are around 50 users at the secondary site that all have email accounts 
on the locally hosted Exchange 2013 server at the primary site. We've been told 
that nobody from the secondary site (including my company) will be given access 
to the Exchange server. Normally I'd just run something like 
"Get-MailboxDatabase | Get-Mailbox | Export-Mailbox -PSTFolderPath C:\PSTs" to 
export everything to PST then "Get-MailboxDatabase | Get-Mailbox | 
Import-Mailbox -PSTFolderPath C:\PSTs" to import it into the new forest but 
this isn't possible in this situation.

We still have standard user access to the current domain through the end of the 
month so what I'm wondering is if any of you know of a script or utility that 
can export a user's full Exchange account to a PST so I can import it into the 
new O365 tenant? We're going to be putting in new workstations so each new and 
old workstation will be touched however I'd prefer not to have to create the PST 
manually since we're on a time crunch. We did some digging and found this 
https://support.office.com/en-us/article/Back-up-Outlook-data-with-the-Microsoft-Outlook-Personal-Folders-Backup-tool-7ef27bac-6088-4f03-a9f7-34165d885883
 however it only applies to Office 2007 and the client is running Office 2013 
and 2016 across their workstations. For kicks, another one of our guys ran this 
on their Office 2016 install and it failed. Any assistance is greatly 
appreciated and thank you in advance.


Regards,
Tony


[NTSysADM] RE: OT Meanwhile at Derbycon this weekend...

2017-09-25 Thread Kennedy, Jim
One more:

I really want to solve this problem for you but please Boss, try it my way for 
a little while.  If it doesn’t meet the needs of the org of course we will 
adjust.

And just do a regular domain user account added to the local admin group via 
gpo. Unless we are totally missing a need here it will work and it will be the 
last you will ever hear of it.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 25, 2017 12:43 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: OT Meanwhile at Derbycon this weekend...

So I should not expect you to contribute to the Go Fund Me that I set up for 
Trevor’s family?

https://www.gofundme.com/trevor-the-roach-memorial-fund


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Monday, September 25, 2017 12:25 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: OT Meanwhile at Derbycon this weekend...

Good riddance!

*shakes fist* Get off my lawn!

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 25, 2017 9:54 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] OT Meanwhile at Derbycon this weekend...

…we lost a close friend. Trevor the Roach.

https://www.csoonline.com/article/3227910/security/hackers-create-memorial-for-a-cockroach-named-trevor.html



[NTSysADM] RE: OT Meanwhile at Derbycon this weekend...

2017-09-25 Thread Kennedy, Jim
So I should not expect you to contribute to the Go Fund Me that I set up for 
Trevor’s family?

https://www.gofundme.com/trevor-the-roach-memorial-fund


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Monday, September 25, 2017 12:25 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: OT Meanwhile at Derbycon this weekend...

Good riddance!

*shakes fist* Get off my lawn!

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 25, 2017 9:54 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] OT Meanwhile at Derbycon this weekend...

…we lost a close friend. Trevor the Roach.

https://www.csoonline.com/article/3227910/security/hackers-create-memorial-for-a-cockroach-named-trevor.html



[NTSysADM] OT Meanwhile at Derbycon this weekend...

2017-09-25 Thread Kennedy, Jim
…we lost a close friend. Trevor the Roach.

https://www.csoonline.com/article/3227910/security/hackers-create-memorial-for-a-cockroach-named-trevor.html



[NTSysADM] RE: Running RSAT tools elevated

2017-09-22 Thread Kennedy, Jim
So why does mine work? Very odd.  Below is my GPO for this.

[cid:image001.jpg@01D3337A.2C2734F0]

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, September 21, 2017 3:49 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Running RSAT tools elevated

Nope.  We log in with normal user accounts.  Definitely a division of 
permissions.

@Charles - There are a number of local policies in the UAC area that are 
enabled:

Admin Approval Mode for the Built-In Administrator account
Detect application installations and prompt for elevation
Only elevate UIAccess applications that are installed in secure locations
Run all Administrators in Admin Approval Mode
Virtualize file and registry write failures to per-user locations

Behavior of the elevation prompt for admins in Admin Approval Mode  -- Prompt 
for consent
Behavior of the elevation prompt for standard users - Prompt for credentials

All other UAC settings are disabled.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, September 21, 2017 12:12 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Running RSAT tools elevated

Are you logged in with a local admin account?  Perhaps that is fooling UAC?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, September 21, 2017 11:46 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Running RSAT tools elevated

My UAC was turned all the way up.  I brought it down one notch to match your 
setting, and rebooted, but double-clicking the shortcut on my desktop still 
just opens the app directly, no asking for creds.

Shift-right-click does work, but I really don't want to have to do that every 
time.

In Win7, I would double-click the icon, and UAC/Viewfinity would ask for 
credentials.  I thought all I did was go into Advanced for the shortcut and 
check the Run as Administrator box, but that's not working for me now.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, September 21, 2017 8:11 AM
To: 'NT System Admin Issues Discussion list' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: Running RSAT tools elevated

Is this a UAC setting issue?  I just click and it asks. Mine is set to 'Always 
notify, do not dim'.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, September 21, 2017 9:48 AM
To: 'NT System Admin Issues Discussion list'
Subject: [NTSysADM] Running RSAT tools elevated

So, in Win 7, I had installed RSAT tools, and I had the shortcuts setup so that 
when I double-clicked it, it would run as administrator, I'd be prompted by my 
privilege elevation software, put in my admin credentials and away I went.  I 
did not have to use the runas command in the shortcut to make this happen.  
Now, in Win 10, I can't for the life of me get this working.  If I go to the 
Advanced button in the shortcut, and choose Run as Administrator, nothing 
happens.  The tool opens using my logged in credentials, not prompting me for 
my admin creds.  If I do put in the runas command, I end up having to enter my 
credentials twice, once for my privilege elevation software, once in a command 
window that opens up.

Anyone know of a better way of doing this?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284




[NTSysADM] RE: Running RSAT tools elevated

2017-09-21 Thread Kennedy, Jim
Are you logged in with a local admin account?  Perhaps that is fooling UAC?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, September 21, 2017 11:46 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Running RSAT tools elevated

My UAC was turned all the way up.  I brought it down one notch to match your 
setting, and rebooted, but double-clicking the shortcut on my desktop still 
just opens the app directly, no asking for creds.

Shift-right-click does work, but I really don't want to have to do that every 
time.

In Win7, I would double-click the icon, and UAC/Viewfinity would ask for 
credentials.  I thought all I did was go into Advanced for the shortcut and 
check the Run as Administrator box, but that's not working for me now.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, September 21, 2017 8:11 AM
To: 'NT System Admin Issues Discussion list' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: Running RSAT tools elevated

Is this a UAC setting issue?  I just click and it asks. Mine is set to 'Always 
notify, do not dim'.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, September 21, 2017 9:48 AM
To: 'NT System Admin Issues Discussion list'
Subject: [NTSysADM] Running RSAT tools elevated

So, in Win 7, I had installed RSAT tools, and I had the shortcuts setup so that 
when I double-clicked it, it would run as administrator, I'd be prompted by my 
privilege elevation software, put in my admin credentials and away I went.  I 
did not have to use the runas command in the shortcut to make this happen.  
Now, in Win 10, I can't for the life of me get this working.  If I go to the 
Advanced button in the shortcut, and choose Run as Administrator, nothing 
happens.  The tool opens using my logged in credentials, not prompting me for 
my admin creds.  If I do put in the runas command, I end up having to enter my 
credentials twice, once for my privilege elevation software, once in a command 
window that opens up.

Anyone know of a better way of doing this?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284




[NTSysADM] RE: Running RSAT tools elevated

2017-09-21 Thread Kennedy, Jim
Is this a UAC setting issue?  I just click and it asks. Mine is set to 'Always 
notify, do not dim'.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, September 21, 2017 9:48 AM
To: 'NT System Admin Issues Discussion list'
Subject: [NTSysADM] Running RSAT tools elevated

So, in Win 7, I had installed RSAT tools, and I had the shortcuts setup so that 
when I double-clicked it, it would run as administrator, I'd be prompted by my 
privilege elevation software, put in my admin credentials and away I went.  I 
did not have to use the runas command in the shortcut to make this happen.  
Now, in Win 10, I can't for the life of me get this working.  If I go to the 
Advanced button in the shortcut, and choose Run as Administrator, nothing 
happens.  The tool opens using my logged in credentials, not prompting me for 
my admin creds.  If I do put in the runas command, I end up having to enter my 
credentials twice, once for my privilege elevation software, once in a command 
window that opens up.

Anyone know of a better way of doing this?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284




RE: [NTSysADM] Scanning for web server vulnerabilities

2017-09-18 Thread Kennedy, Jim
Nessus, it's only a grand a year and you can scan everything.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Monday, September 18, 2017 9:48 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Scanning for web server vulnerabilities

We had a pen test done recently, and so I've been fixing some of our external 
web servers, per their recommendations (i.e., turning off this protocol, 
enabling that one, etc).

I'm curious what sites you might use to scan for vulnerabilities. I've been 
using:

https://www.htbridge.com/ssl/
https://www.ssllabs.com/ssltest/

And both the web servers I've been fixing now pass with A or A+ (yay!
for A - LOL).

Any other sites I should be trying? What do you use?

Thanks




RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

2017-09-15 Thread Kennedy, Jim
" My boss says it's not meeting our needs"

I respectfully suggest that a well run Applocker policy and no local admin 
rights will meet his needs better than any AV ever will. Haven't had AV here 
for 15 years, other than Defender which I only leave on because it is easier 
than turning it off.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Friday, September 15, 2017 10:34 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

On Thu, Sep 14, 2017 at 2:33 PM, Kurt Buff  wrote:
> On Thu, Sep 14, 2017 at 9:31 AM, Michael Leone  wrote:
>>
>> We use Kaspersky for our AV needs, and to be honest, it's worked out 
>> well for us. It's certainly caught things that McAfee, our previous 
>> AV solution, didn't. However, they have this slight problem with 
>> being a covert arm of the Russian government, apparently ..
>
> Citation needed. I have not seen anything that supports the idea that 
> Kaspersky is an arm of the Russian government.

Tell that to the US government .. LOL

>> So we need to drop them, as the federal agencies are doing.
>
> Is this a requirement by law/regulation for your departement? If not, 
> don't drop them, at least not for the reason stated above.

My boss says it's not meeting our needs, and it will be replaced, so the 
requirement is for me to obey orders and keep my job. LOL

Listen, I'm happy with Kaspersky, and I would recommend keeping it.
But I have an idea that this is a mandate from farther high up.
Especially seeing as to how we are a state agency, I guess my CIO doesn't want 
to spend time explaining to our board of commissioners why the feds are wrong, 
and we're keeping Kaspersky when they aren't ...

> We have Eset, and I'd drop them in a heartbeat, if I could. Not 
> because it's a bad product of its kind - far from it. It's been fairly 
> good.
>
> Instead, I'd go with Applocker, and removing admin privileges - we 
> already do patching fairly well.

The order was for AV, since we need to do local workstations and remote 
devices. So we will.

Also, no one here (including me) knows Applocker, and there's not a lot of 
support here, besides me, for anything OS or AD related ..




RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

2017-09-14 Thread Kennedy, Jim
Ohoh.

Yea, I totally agree with that. The concern seems to be 'a relationship between 
Kaspersky and the Russia Gov.'.

The same of which could be said of many US Tech firms.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, September 14, 2017 2:35 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

But he doesn't say anything is wrong.

It's just another step in the increasing tension between Russia and the USA as 
far as I can see.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, September 14, 2017 2:26 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

Looks like the WH's cybersecurity dude announced it.

http://www.businessinsider.com/kaspersky-is-being-banned-across-the-us-government-by-trump-2017-9


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, September 14, 2017 2:18 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

As I've recommended Kaspersky for about a decade now, I'm interested in knowing 
your source. :-)

I know that the USA is less and less happy with Russia... But I've not found 
anything that even seems official...

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Thursday, September 14, 2017 12:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

We use Kaspersky for our AV needs, and to be honest, it's worked out well for 
us. It's certainly caught things that McAfee, our previous AV solution, didn't. 
However, they have this slight problem with being a covert arm of the Russian 
government, apparently ..

So we need to drop them, as the federal agencies are doing.

There are lots of reviews, such as av-test.org, that we are looking at. But 
tell me, who do you have? And - more importantly - if you had your say in the 
matter, would you keep them?

We're an sort of enterprise level organization, maybe 1K users, bunch of 
laptops issued to remote users. So far, all Win 7 for workstations, but 
obviously that will change in the future. Servers are all Win
2008/2012 R2 (so far). So we need something with a centralized console, to push 
out rules, updates, etc.

We use Proofpoint as an email gateway, so it does mail scanning. We have 
Checkpoint firewalls for managing that sort of traffic.

Thoughts?  I know I've heard good things about ESET and Sophos, among others. 
Just soliciting some real world opinions, along with our own research.




RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

2017-09-14 Thread Kennedy, Jim
Here we go, DHS announcement.

https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01


-Original Message-
From: Kennedy, Jim 
Sent: Thursday, September 14, 2017 2:26 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

Looks like the WH's cybersecurity dude announced it.

http://www.businessinsider.com/kaspersky-is-being-banned-across-the-us-government-by-trump-2017-9


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, September 14, 2017 2:18 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

As I've recommended Kaspersky for about a decade now, I'm interested in knowing 
your source. :-)

I know that the USA is less and less happy with Russia... But I've not found 
anything that even seems official...

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Thursday, September 14, 2017 12:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

We use Kaspersky for our AV needs, and to be honest, it's worked out well for 
us. It's certainly caught things that McAfee, our previous AV solution, didn't. 
However, they have this slight problem with being a covert arm of the Russian 
government, apparently ..

So we need to drop them, as the federal agencies are doing.

There are lots of reviews, such as av-test.org, that we are looking at. But 
tell me, who do you have? And - more importantly - if you had your say in the 
matter, would you keep them?

We're an sort of enterprise level organization, maybe 1K users, bunch of 
laptops issued to remote users. So far, all Win 7 for workstations, but 
obviously that will change in the future. Servers are all Win
2008/2012 R2 (so far). So we need something with a centralized console, to push 
out rules, updates, etc.

We use Proofpoint as an email gateway, so it does mail scanning. We have 
Checkpoint firewalls for managing that sort of traffic.

Thoughts?  I know I've heard good things about ESET and Sophos, among others. 
Just soliciting some real world opinions, along with our own research.




RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

2017-09-14 Thread Kennedy, Jim
Looks like the WH's cybersecurity dude announced it.

http://www.businessinsider.com/kaspersky-is-being-banned-across-the-us-government-by-trump-2017-9


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, September 14, 2017 2:18 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

As I've recommended Kaspersky for about a decade now, I'm interested in knowing 
your source. :-)

I know that the USA is less and less happy with Russia... But I've not found 
anything that even seems official...

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Thursday, September 14, 2017 12:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

We use Kaspersky for our AV needs, and to be honest, it's worked out well for 
us. It's certainly caught things that McAfee, our previous AV solution, didn't. 
However, they have this slight problem with being a covert arm of the Russian 
government, apparently ..

So we need to drop them, as the federal agencies are doing.

There are lots of reviews, such as av-test.org, that we are looking at. But 
tell me, who do you have? And - more importantly - if you had your say in the 
matter, would you keep them?

We're an sort of enterprise level organization, maybe 1K users, bunch of 
laptops issued to remote users. So far, all Win 7 for workstations, but 
obviously that will change in the future. Servers are all Win
2008/2012 R2 (so far). So we need something with a centralized console, to push 
out rules, updates, etc.

We use Proofpoint as an email gateway, so it does mail scanning. We have 
Checkpoint firewalls for managing that sort of traffic.

Thoughts?  I know I've heard good things about ESET and Sophos, among others. 
Just soliciting some real world opinions, along with our own research.




[NTSysADM] RE: 2008 R2 Hyper V guests OoM

2017-09-11 Thread Kennedy, Jim
So yea, that is exactly what I did.  TYVM sir.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Monday, September 11, 2017 12:59 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: 2008 R2 Hyper V guests OoM

Don’t run overcommitted in production.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, September 11, 2017 12:20 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] 2008 R2 Hyper V guests OoM

Just started a couple of weeks ago. I suspect an August update so I may cross 
post this later over on Patch Management.

2012 R2 Hyper V host (2 of them) with a mixture of 2008 R2 and 2012 R2 guests.  
Only the 2008 R2’s are exhibiting this behavior, they are all low usage 
machines. They are all set to dynamic memory and have been running for years 
without issue. One is only an FTP server that accepts 4 connections a night for 
an automated data transfer. And the incoming connections are IP restricted on 
our ASA, so it isn’t like it is getting flooded with hacking attempts. These 
boxes are varied in their use FTP, internal only web server, RDP Gateway, 
generic file server……

They crash shortly after a 2019 from srv.  “The server was unable to allocate 
from the system nonpaged pool because the pool was empty.”

Setting them to a fixed memory on the slightly larger than what I would expect 
them to need seems to have fixed it. Any other ideas?










[NTSysADM] 2008 R2 Hyper V guests OoM

2017-09-11 Thread Kennedy, Jim
Just started a couple of weeks ago. I suspect an August update so I may cross 
post this later over on Patch Management.

2012 R2 Hyper V host (2 of them) with a mixture of 2008 R2 and 2012 R2 guests.  
Only the 2008 R2’s are exhibiting this behavior, they are all low usage 
machines. They are all set to dynamic memory and have been running for years 
without issue. One is only an FTP server that accepts 4 connections a night for 
an automated data transfer. And the incoming connections are IP restricted on 
our ASA, so it isn’t like it is getting flooded with hacking attempts. These 
boxes are varied in their use FTP, internal only web server, RDP Gateway, 
generic file server……

They crash shortly after a 2019 from srv.  “The server was unable to allocate 
from the system nonpaged pool because the pool was empty.”

Setting them to a fixed memory on the slightly larger than what I would expect 
them to need seems to have fixed it. Any other ideas?










RE: [NTSysADM] Group Policy - Enforce screensaver and password

2017-09-06 Thread Kennedy, Jim
So did your power settings only partially kick in...like 10 minutes to 
dark...30 to lock...and you only waited 10?

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Wednesday, September 6, 2017 1:51 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Group Policy - Enforce screensaver and password

On Wed, Sep 6, 2017 at 1:13 PM, Webster  wrote:
> How about testing it on a test user account so you will know exactly what 
> happens??? It is a user policy setting so you can restrict it to a single 
> user account for testing.

I am testing it. :-) That's why I asked - I set it to enforce a password 
screensaver, but then didn't set a screensaver (as the user).
And the situation happened as I described - monitor went dark (power), but 
clicking on anything put me right back into the session, no password. That's 
what I need to find a way to avoid ...


>
>
> Webster
>
> -Original Message-
> From: listsad...@lists.myitforum.com 
> [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone
> Sent: Wednesday, September 6, 2017 11:03 AM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] Group Policy - Enforce screensaver and 
> password
>
> On Wed, Sep 6, 2017 at 11:38 AM, Wolf, Daniel  wrote:
>> Don't specify a screensaver. It will just lock the machine with the screen 
>> off.
>
> OK. So what if the user doesn't choose a screensaver. Then nothing happens, 
> right? No screensaver, and - more importantly - no password needed to unlock 
> the PC (presuming the display turns off, for power saving). I got the 
> impression that this is what he is trying to prevent. Doesn't want people 
> just walking away from a PC, and leaving it unlocked, for anyone to walk up 
> and do nefarious things ...
>
>
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone
>> Sent: Wednesday, September 6, 2017 10:26 AM
>> To: ntsysadm@lists.myitforum.com
>> Subject: [NTSysADM] Group Policy - Enforce screensaver and password
>>
>> I've had a "suggestion" from my CIO. :-) He would like to use GP to enforce 
>> that all domain computers have a screensaver (set to like 15 minutes), and 
>> that the screensaver is password enabled. He didn't seem to care which 
>> screensaver, as long as one is set.
>>
>> (these are all Win 7 PCs, BTW)
>>
>> I see the options in User Config/Policies/Admin Templates/Control 
>> Panel/Personalization that I can Enable Screen saver and password protect 
>> the screen saver. But if I read it right, I either have to specify which 
>> screen saver to use, or depend on the user to pick one.
>>
>> So what happens if I choose
>>
>> Enable screen saver: ENABLED
>> Password protect the screen saver: ENABLED
>> screen saver timeout: 900 seconds
>>
>> and the user does *not* set a screensaver? If I use the above settings, do I 
>> really also need to force a specific screen saver, so that I can be sure 
>> that at least a passworded screen saver is set?
>>
>> What do the rest of you do? I'm assuming at least some of you enforce 
>> passworded screensavers.
>>
>> Thanks for any advice.
>>
>>
>
>
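
The thread above turns on whether "Enable screen saver", "Password protect the screen saver" and the timeout are enough when no screen saver is selected. As an added example (not code from any list member), this PowerShell audit reads the registry values those policy settings write for the current user and flags that case; the function names are hypothetical, and the two registry paths are the assumed locations of the policy values and of the user's own Control Panel choice.

```powershell
# Added example: audit the effective screen saver lock settings for the current user.
# Assumption: GPO values live under the Policies key, the user's own choice under
# HKCU:\Control Panel\Desktop, both using the same value names.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey    = 'HKCU:\Control Panel\Desktop'
$ValueNames = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

function Get-ScreenSaverSettings {
    # Returns a hashtable: value name -> @{ Value; Source }. A policy value wins
    # over the user's own setting when both exist.
    $result = @{}
    foreach ($name in $ValueNames) {
        $result[$name] = @{ Value = $null; Source = 'not set' }
        foreach ($key in $PolicyKey, $UserKey) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item -and -not [string]::IsNullOrEmpty([string]$item.$name)) {
                $result[$name] = @{ Value = [string]$item.$name; Source = $key }
                break
            }
        }
    }
    return $result
}

function Test-ScreenSaverLock {
    # Returns one finding string per gap; an empty result means all four values are in place.
    param(
        [Parameter(Mandatory = $true)] [hashtable]$Settings,
        [int]$MaxTimeoutSeconds = 900   # the 15 minutes asked for in the thread
    )
    $findings = @()
    if ($Settings['ScreenSaveActive'].Value -ne '1') {
        $findings += 'Screen saver is not enabled.'
    }
    if ($Settings['ScreenSaverIsSecure'].Value -ne '1') {
        $findings += 'Screen saver is not password protected.'
    }
    $timeout = 0
    if (-not [int]::TryParse([string]$Settings['ScreenSaveTimeOut'].Value, [ref]$timeout) -or $timeout -le 0) {
        $findings += 'No screen saver timeout is set.'
    } elseif ($timeout -gt $MaxTimeoutSeconds) {
        $findings += "Timeout is $timeout seconds, longer than the $MaxTimeoutSeconds allowed."
    }
    if (-not $Settings['SCRNSAVE.EXE'].Value) {
        # The case tested in the thread: display went dark, no password on return.
        $findings += 'No screen saver is selected, by policy or by the user.'
    }
    return $findings
}

# Constructed sample: the three settings from the thread with no screen saver chosen.
$sample = @{
    'ScreenSaveActive'    = @{ Value = '1';   Source = 'constructed' }
    'ScreenSaverIsSecure' = @{ Value = '1';   Source = 'constructed' }
    'ScreenSaveTimeOut'   = @{ Value = '900'; Source = 'constructed' }
    'SCRNSAVE.EXE'        = @{ Value = $null; Source = 'not set' }
}
'Constructed sample:'
@(Test-ScreenSaverLock -Settings $sample) | ForEach-Object { "  FINDING: $_" }

'Current user:'
$live = Get-ScreenSaverSettings
foreach ($name in $ValueNames) {
    '  {0,-20} = {1}  ({2})' -f $name, $live[$name].Value, $live[$name].Source
}
$liveFindings = @(Test-ScreenSaverLock -Settings $live)
if ($liveFindings.Count -eq 0) {
    '  OK: enabled, password protected, timeout set, screen saver selected.'
} else {
    $liveFindings | ForEach-Object { "  FINDING: $_" }
}
```

Run it as the test user after a gpupdate; the Source column shows whether each value came from policy or from the user's own setting.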




[NTSysADM] RE: Performance issues working on large shared files over VPN

2017-08-24 Thread Kennedy, Jim
I have 4 of them running on Hyper's for years.  Each is set up for the type of 
staff that uses them.  They love it and to this day some still comment about 
how it blows the old VPN away. We had one really high up person leave our 
school district for another district.  She called me and asked if she could pay 
me to set it up for her over there.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David Tobias
Sent: Thursday, August 24, 2017 4:15 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Performance issues working on large shared files over 
VPN

RD Gateway Services certainly looks like a viable alternative as well. Will 
definitely dig deeper into that.

~Dave

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, August 24, 2017 12:35 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Performance issues working on large shared files over 
VPN

RDP (with Gateway Services) or Google Docs.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David Tobias
Sent: Thursday, August 24, 2017 2:31 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Performance issues working on large shared files over VPN

Hi all-

As a junior sysadmin I've been tasked with reviewing a solution to the 
following problem. Users that work from home (traditionally out of state from 
where our file server is located) are experiencing performance issues when 
having to VPN in and work on larger files (traditionally shared Excel workbooks 
that can range from 15MB to 45MB in size). As anticipated, users are 
experiencing performance issues, time-outs, and instability when having to open 
and work on these workbooks across the VPN. Users on the LAN in the same 
location where the file server is operate normally without issue, as expected.

A few suggestions that have been tossed around have been setting up some type 
of VDI solution to present them with a virtualized desktop where they can go to 
work on the files. Immediate downside is that we don't have an infrastructure 
for this in place and it may be overkill if this is just affecting a few users 
working on a few files.

We've also discussed about setting up a SharePoint or Teams site as a 
collaboration area for them to work (not going across VPN) but there are 
concerns about hosting files with sensitive information as well as for users 
needing potentially needing to store more and more files as time goes on 
leading to a split of our files being located on a file server as well as on an 
online site.

This is still a very early stage project and nothing is necessarily off the 
table at this point. Would very much enjoy hearing from others who may have had 
to deal with a similar situation and how they worked through it.

Appreciate this great list!

Thank you.

~Dave
CONFIDENTIALITY NOTICE: This communication and its attachments may contain 
non-public, confidential, or legally privileged information including 
HIPAA-protected PHI. The interception, use or disclosure of such information is 
prohibited. If you are not the intended recipient, or have received this 
information in error, please notify the sender immediately by reply email and 
delete all copies of this message and attachments without reading, saving, or 
further distributing them.



[NTSysADM] RE: Performance issues working on large shared files over VPN

2017-08-24 Thread Kennedy, Jim
RDP (with Gateway Services) or Google Docs.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David Tobias
Sent: Thursday, August 24, 2017 2:31 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Performance issues working on large shared files over VPN

Hi all-

As a junior sysadmin I've been tasked with reviewing a solution to the 
following problem. Users that work from home (traditionally out of state from 
where our file server is located) are experiencing performance issues when 
having to VPN in and work on larger files (traditionally shared Excel workbooks 
that can range from 15MB to 45MB in size). As anticipated, users are 
experiencing performance issues, time-outs, and instability when having to open 
and work on these workbooks across the VPN. Users on the LAN in the same 
location where the file server is operate normally without issue, as expected.

A few suggestions that have been tossed around have been setting up some type 
of VDI solution to present them with a virtualized desktop where they can go to 
work on the files. Immediate downside is that we don't have an infrastructure 
for this in place and it may be overkill if this is just affecting a few users 
working on a few files.

We've also discussed about setting up a SharePoint or Teams site as a 
collaboration area for them to work (not going across VPN) but there are 
concerns about hosting files with sensitive information as well as for users 
needing potentially needing to store more and more files as time goes on 
leading to a split of our files being located on a file server as well as on an 
online site.

This is still a very early stage project and nothing is necessarily off the 
table at this point. Would very much enjoy hearing from others who may have had 
to deal with a similar situation and how they worked through it.

Appreciate this great list!

Thank you.

~Dave
CONFIDENTIALITY NOTICE: This communication and its attachments may contain 
non-public, confidential, or legally privileged information including 
HIPAA-protected PHI. The interception, use or disclosure of such information is 
prohibited. If you are not the intended recipient, or have received this 
information in error, please notify the sender immediately by reply email and 
delete all copies of this message and attachments without reading, saving, or 
further distributing them.



[NTSysADM] RE: Imaging windows 10 1703 enterprise

2017-08-16 Thread Kennedy, Jim
Somewhat, and is certainly the way to start.  I should not have assumed the OP 
had done that.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Wednesday, August 16, 2017 12:55 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Imaging windows 10 1703 enterprise

Does putting the sysprep in auditmode and making corrections and then 
generalize work for imaging?


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Wednesday, August 16, 2017 12:47 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Imaging windows 10 1703 enterprise


CopyProfile is pretty much gone/broke.  GPO's and scripts after imaging are 
what you will need to do.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Wednesday, August 16, 2017 12:29 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Imaging windows 10 1703 enterprise

I have a base image completely built.
Everything functions on the local admin account.
I have saved that image.
Then Sysprepped.
Then brought up the sysprepped image and my domain administrator can not access 
desktop icons, my default apps are back to Microsoft defaults (Edge not IE11), 
etc...
What can I do to the save preSysPrepped image to have the default profiles come 
up nicely for the end users so they don't have to make the associations 
themselves?
Make GPO's or CopyProfile?
I have done neither thus far but am willing to do either if it helps.
Leaning into the GPO's a lot harder than copyprofile if I can.
What is everyone's opinion and how can I research this the quickest.
The few google searches are coming up with articles from 2009 and such.
I would like the latest best practices if we can.


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190| F: 317.554.8106


This e-mail and any files transmitted with it are property of Indiana Members 
Credit Union, are confidential, and are intended solely for the use of the 
individual or entity to whom this e-mail is addressed. If you are not one of 
the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender and delete this 
message immediately from your computer. Any other use, retention, 
dissemination, forwarding, printing, or copying of this email is strictly 
prohibited.


Please consider the environment before printing this email.




[NTSysADM] RE: Imaging windows 10 1703 enterprise

2017-08-16 Thread Kennedy, Jim
CopyProfile is pretty much gone/broke.  GPO's and scripts after imaging are 
what you will need to do.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Wednesday, August 16, 2017 12:29 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Imaging windows 10 1703 enterprise

I have a base image completely built.
Everything functions on the local admin account.
I have saved that image.
Then Sysprepped.
Then brought up the sysprepped image and my domain administrator can not access 
desktop icons, my default apps are back to Microsoft defaults (Edge not IE11), 
etc...
What can I do to the saved preSysPrepped image to have the default profiles come 
up nicely for the end users so they don't have to make the associations 
themselves?
Make GPO's or CopyProfile?
I have done neither thus far but am willing to do either if it helps.
Leaning into the GPO's a lot harder than copyprofile if I can.
What is everyone's opinion and how can I research this the quickest.
The few google searches are coming up with articles from 2009 and such.
I would like the latest best practices if we can.


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190| F: 317.554.8106





RE: [NTSysADM] How to handle patching a patch, using scheduled installations

2017-07-24 Thread Kennedy, Jim
Did it fail for sure, or is that one just showing up now?  Did you also approve 
the Security Only?  If that one installs first it won’t show the Quality until 
after reboot IIRC.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Monday, July 24, 2017 10:59 AM
To: ntsysadm@lists.myitforum.com; WSUS Mailing List
Subject: [NTSysADM] How to handle patching a patch, using scheduled 
installations

I'd like some advice, please. So this past weekend, we applied our monthly 
updates, and for the first time, half of my servers applied them using a 
scheduled installation time from my WSUS v3 server. And yes, the patches were 
applied, the servers rebooted, no human intervention needed. Yay!

BUT ... some servers then came back saying that another patch needed to be 
installed (apparently on some servers, the June Monthly Quality update failed, 
hence why it's still waiting to be installed). What that means is that this 
coming Sunday, those servers will apply this waiting patch and reboot (which I 
don't want to happen, because it's outside of the monthly maintenance window).

I might be able to apply that patch offhours, before next Sunday.

So how does everyone else handle this issue - the issue of installing a patch, 
and then having another patch now needing to be installed, or - as with me - a 
patch that failed to install the first time attempt to re-try?  So how to avoid 
having the server reboot the next weekend, during a non-scheduled window?

Thanks


RE: [NTSysADM] Advice on patching Domain Controllers via WSUS

2017-07-12 Thread Kennedy, Jim
Separate group in WSUS, download but don’t install.  I manually install them 
during downtime I schedule shortly after patch Tuesday. That is how I handle 
member servers and DC’s.

But, I only have 40 or so servers to do.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Wednesday, July 12, 2017 10:56 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Advice on patching Domain Controllers via WSUS

Our policy has been that our DCs are not patched via WSUS, like other member 
servers, but instead that we manually install the current patches from 
Microsoft Update. But now, I would like to change this, and use WSUS to patch 
all the DCs to our production levels (meaning: one month behind on released 
patches).

I don't see any downsides to this. I would create a new GPO (rather than modify 
the Default Domain Controllers Policy). I think I might still set them to 
download only, not automatically install.

Thoughts?
Should I let them auto-install, like most of my other member servers?
Is that what you others do?
Do you let your DCs get their patches via WSUS?

(the more servers I don't have to manually install patches on, the happier I 
am. We have some servers that we must do manually, for reasons I won't go into)



[NTSysADM] RE: Odd DSN behavior

2017-07-11 Thread Kennedy, Jim
Just to be sure, they are static IP entries...not getting them from dhcp which 
could be registering them for you.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Tuesday, July 11, 2017 10:41 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Odd DSN behavior

The conditional forwarding for the internal domain does point to internal 
servers.  That hasn't changed however and has been the case for ages.

All interfaces have the register connection checkbox cleared.  That was checked 
initially but it was the first thing I looked at once I got involved.  We 
unchecked that and were still having the issue.

Any clue how a DDNS request would create a static entry?  I didn't think that 
was possible.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Tuesday, July 11, 2017 10:19 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Odd DSN behavior

Just curious... are the forwarder/conditional-forwarder/root-hints of your DNS 
servers still configured the way you think?

For each interface did you uncheck "register this connection in DNS"?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Tuesday, July 11, 2017 9:40 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Odd DSN behavior

We've run across a very strange DNS situation that we can't explain.  We have 
suspicions and a temporary fix but I'm hoping someone on the list has seen it 
already and can give us some pointers.

Recently stood up 2 new Skype for Business servers to replace the existing Lync 
2010 servers. One internal and one edge server in each case. We've successfully 
migrated the topology and everything is running off the new servers.  But now 
for the weird part.  Every day, the internal DNS entry for the edge server gets 
changed.  The static IPv4 entry for the internal interface (LAN facing) gets 
removed and there are new entries for the external interface IPs (public 
facing), both IPv4 and IPv6.  The weird part is that the new entries are static 
as well, no timestamps.

After much digging and churning we finally disabled the DNS Client service on 
that server and it didn't happen last night, but I'm trying to figure out how 
it was happening even with the DNS Client running. DNS on that box points to a 
DNS server on the public side, not the internal servers. DDNS updates should 
create a dynamic / timestamped entry. I've never seen a static entry created 
any way other than via manual intervention.

Anyone care to solve the puzzle?


Service Desk | 404-497-1599 | 
https://servicedesk.byers.com
Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.




[NTSysADM] DNS providers

2017-07-11 Thread Kennedy, Jim

Looking for recommendations for public DNS providers.  Our current provider is 
getting a bit flakey.  We are not huge, don't need anything fancy, just 
reliable and reasonably responsive.



RE: [NTSysADM] Exchange time insanity.

2017-07-06 Thread Kennedy, Jim
Fixed.

http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04557232


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, June 29, 2017 3:55 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: RE: [NTSysADM] Exchange time insanity.

2012 R2


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Miller Bonnie L.
Sent: Thursday, June 29, 2017 3:45 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: RE: [NTSysADM] Exchange time insanity.

Is this on Server 2016?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Thursday, June 29, 2017 12:32 PM
To: 'ntsysadm@lists.myitforum.com' 
<ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>>
Subject: RE: [NTSysADM] Exchange time insanity.

So that is the issue, time on the server is freaking out during startup.  If I 
let it settle out and sync with the domain and restart MS Information Store it 
is all better now.


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Thursday, June 29, 2017 8:17 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: RE: [NTSysADM] Exchange time insanity.

There was a reboot before this started. Just did a shutdown to check the MB 
clock and time zone, it is correct.  Shutdown shows at 3:07 PM in the event 
log.  Power on came at 8:11 PM.  Services start, normal boot messages then Time 
Service corrects it.


From: Kennedy, Jim
Sent: Thursday, June 29, 2017 8:17 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] Exchange time insanity.

If I send to a 2010 box the received time on their end is ok.  But when they 
look at my email the sent time is incorrect.  You can see that below in your 
quote of me:   “On Thu, Jun 29, 2017 at 6:17 PM, Kennedy, Jim”

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Mike
Sent: Thursday, June 29, 2017 3:11 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Exchange time insanity.

What if you send to a mailbox still on 2010? Same behavior?

On Thu, Jun 29, 2017 at 6:17 PM, Kennedy, Jim 
<kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>> wrote:
Stood up an Exch 2016 server in my 2010 org.  Moved my mailbox over more than a 
week ago.  It has been fine.  Moved another box today and the below started 
happening to both of us.  What you are seeing is emails I sent to myself.   The 
send time is listed to the right of my name, so 1:47 pm, 1:48 pm and so on.  
Next you see the received time.  It makes no sense.  That happens with internal 
mail and external mail.

Time zones on the mailboxes, Outlook and servers are correct.  They all have 
the correct time from the domain.




[cid:image001.jpg@01D2F648.6986DD10]



RE: [NTSysADM] Exchange time insanity.

2017-06-29 Thread Kennedy, Jim
So that is the issue, time on the server is freaking out during startup.  If I 
let it settle out and sync with the domain and restart MS Information Store it 
is all better now.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, June 29, 2017 8:17 PM
To: 'ntsysadm@lists.myitforum.com'
Subject: RE: [NTSysADM] Exchange time insanity.

There was a reboot before this started. Just did a shutdown to check the MB 
clock and time zone, it is correct.  Shutdown shows at 3:07 PM in the event 
log.  Power on came at 8:11 PM.  Services start, normal boot messages then Time 
Service corrects it.


From: Kennedy, Jim
Sent: Thursday, June 29, 2017 8:17 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] Exchange time insanity.

If I send to a 2010 box the received time on their end is ok.  But when they 
look at my email the sent time is incorrect.  You can see that below in your 
quote of me:   “On Thu, Jun 29, 2017 at 6:17 PM, Kennedy, Jim”

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Mike
Sent: Thursday, June 29, 2017 3:11 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Exchange time insanity.

What if you send to a mailbox still on 2010? Same behavior?

On Thu, Jun 29, 2017 at 6:17 PM, Kennedy, Jim 
<kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>> wrote:
Stood up an Exch 2016 server in my 2010 org.  Moved my mailbox over more than a 
week ago.  It has been fine.  Moved another box today and the below started 
happening to both of us.  What you are seeing is emails I sent to myself.   The 
send time is listed to the right of my name, so 1:47 pm, 1:48 pm and so on.  
Next you see the received time.  It makes no sense.  That happens with internal 
mail and external mail.

Time zones on the mailboxes, Outlook and servers are correct.  They all have 
the correct time from the domain.




[cid:image001.jpg@01D2F0EC.D84BF390]



RE: [NTSysADM] Exchange time insanity.

2017-06-29 Thread Kennedy, Jim
If I send to a 2010 box the received time on their end is ok.  But when they 
look at my email the sent time is incorrect.  You can see that below in your 
quote of me:   “On Thu, Jun 29, 2017 at 6:17 PM, Kennedy, Jim”

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Mike
Sent: Thursday, June 29, 2017 3:11 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Exchange time insanity.

What if you send to a mailbox still on 2010? Same behavior?

On Thu, Jun 29, 2017 at 6:17 PM, Kennedy, Jim 
<kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>> wrote:
Stood up an Exch 2016 server in my 2010 org.  Moved my mailbox over more than a 
week ago.  It has been fine.  Moved another box today and the below started 
happening to both of us.  What you are seeing is emails I sent to myself.   The 
send time is listed to the right of my name, so 1:47 pm, 1:48 pm and so on.  
Next you see the received time.  It makes no sense.  That happens with internal 
mail and external mail.

Time zones on the mailboxes, Outlook and servers are correct.  They all have 
the correct time from the domain.




[cid:image001.jpg@01D2F0EB.90891750]



[NTSysADM] Exchange time insanity.

2017-06-29 Thread Kennedy, Jim
Stood up an Exch 2016 server in my 2010 org.  Moved my mailbox over more than a 
week ago.  It has been fine.  Moved another box today and the below started 
happening to both of us.  What you are seeing is emails I sent to myself.   The 
send time is listed to the right of my name, so 1:47 pm, 1:48 pm and so on.  
Next you see the received time.  It makes no sense.  That happens with internal 
mail and external mail.

Time zones on the mailboxes, Outlook and servers are correct.  They all have 
the correct time from the domain.




[cid:image001.jpg@01D2F0E6.1F693AA0]


RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Kennedy, Jim
Redircmp will send them to an OU and it all sticks.  I did it many years 
ago, so I am a bit fuzzy on it, but mine go to a specific OU, then we manually 
move them down to sub OU’s for the edge cases.

http://kpytko.pl/active-directory-domain-services/redirecting-default-computers-location-in-active-directory/


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Wednesday, June 28, 2017 2:01 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Using GPP to fight Petya


That’s one thing I’ve always hated about the way AD works. Whatever the default 
container is can’t get anything besides the default policy.  And even if you 
change where the default gets created, it just changes that to a container 
instead of an OU so you’re still in the same boat.



RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Kennedy, Jim
Well first they should do it around 90 minutes max on their own.

You could push a psexec gpupdate against a text file list of the boxes. Or via 
powershell:

https://blogs.technet.microsoft.com/heyscriptingguy/2012/11/12/force-a-domain-wide-update-of-group-policy-with-powershell/


And I will also add servers are not the most important thing to target with 
this mitigation. It is the desktops, they are the ones that are clicking on 
stuff.  They will get infected and be used to hit your servers.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Wednesday, June 28, 2017 10:11 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Using GPP to fight Petya

OK, so I've made that change in the GPO, and it creates the file appropriately.

So how do I force all my servers to refresh their GPOs, without going to each 
and doing a "gpupdate /force"? When they automatically check in the next time, 
this policy should be applied. But how to make that happen NOW, rather than 
within the next 24 hours (or whatever)?

On Wed, Jun 28, 2017 at 9:23 AM, Kennedy, Jim 
<kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>> wrote:
I will ground my son who wrote that.  It should be ‘replace’.  That will create 
it or replace it.

Now, why you are not seeing it in gpresult I dunno. You ran the gpresult as a 
local admin?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Michael Leone
Sent: Wednesday, June 28, 2017 9:13 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Using GPP to fight Petya

So I'm confused. Looking at this page:

https://www.binarydefense.com/petya-ransomware-without-fluff/

Shows using GPP to create a file "c:\windows\perfc.dat". Apparently, if this 
file exists, the malware stops (yes, I know that there will be a variant Real 
Soon Now that avoids this).

So I made this change:

Computer\Preferences\Windows Settings\Files

And followed the web page ("update", copy windowsupdate.log to 
"c:\windows\perfc.dat", make it read-only). Did all this on a testing GPO I keep 
around for this purpose.

Doing Group Policy Modeling Wizard, I see this being applied as a setting to my 
test VM. Yet when I go and look in c:\windows, I don't see the file. Nor do I see 
that setting in "gpresult /r /v".

What have I done wrong?
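
An added example, not part of any post in this thread: one way to script the "refresh the GPO on a list of boxes, then confirm the file landed" step discussed above. It assumes the RSAT GroupPolicy module, a hypothetical `servers.txt` with one host name per line, and that each host's `admin$` share maps to `C:\Windows`; it checks both `perfc` and `perfc.dat` because the thread mentions both names.

```powershell
#Requires -Version 3.0
# Added example, not from the thread.
# Assumptions: servers.txt is a hypothetical list (one host name per line),
# the RSAT GroupPolicy module is installed, and admin$ on each host is C:\Windows.
[CmdletBinding()]
param(
    [string]$ComputerList = '.\servers.txt',
    [string[]]$MarkerFiles = @('perfc', 'perfc.dat'),
    [switch]$Refresh    # also ask each host to refresh computer policy
)

function Test-MarkerFile {
    # Report whether one marker file exists on a host and carries the read-only attribute.
    param([string]$Computer, [string]$Name)
    $path = "\\$Computer\admin`$\$Name"
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer = $Computer
        File     = "C:\Windows\$Name"
        Present  = [bool]$item
        ReadOnly = if ($item) { $item.IsReadOnly } else { $false }
        Note     = if ($item) { '' } else { 'missing' }
    }
}

if ($Refresh) { Import-Module GroupPolicy -ErrorAction Stop }

# Read the host list, dropping blank lines and stray whitespace.
$computers = Get-Content -LiteralPath $ComputerList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

$results = foreach ($c in $computers) {
    if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
        [pscustomobject]@{
            Computer = $c; File = ''; Present = $false; ReadOnly = $false
            Note     = 'unreachable'
        }
        continue
    }

    if ($Refresh) {
        # Invoke-GPUpdate only schedules the refresh on the remote host; it does not
        # wait for it, so the file check below may still show the old state.
        try {
            Invoke-GPUpdate -Computer $c -Target Computer -Force `
                -RandomDelayInMinutes 0 -ErrorAction Stop
        } catch {
            Write-Warning "$c : policy refresh not scheduled: $($_.Exception.Message)"
        }
    }

    foreach ($f in $MarkerFiles) { Test-MarkerFile -Computer $c -Name $f }
}

# Full table first, then the hosts that still need attention.
$results | Sort-Object Computer, File | Format-Table -AutoSize

$gaps = $results | Where-Object { -not $_.Present -or -not $_.ReadOnly }
if ($gaps) {
    Write-Warning ("{0} check(s) failed on: {1}" -f @($gaps).Count,
        (($gaps | Select-Object -ExpandProperty Computer -Unique) -join ', '))
}
```

Run it once with `-Refresh`, then again without it a few minutes later to see which hosts actually have the read-only files.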






RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Kennedy, Jim
I did both, can’t hurt.  But just perfc will work based on the way the 
ransomware is creating the file.


“BTW, lot of other sites recommend creating a file "perfc" (no extension), and 
this page recommends "perfc.dat". Perhaps I should create both, just to be sure 
..”

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Wednesday, June 28, 2017 9:40 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Using GPP to fight Petya

On Wed, Jun 28, 2017 at 9:23 AM, Kennedy, Jim 
<kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>> wrote:
I will ground my son who wrote that.  It should be ‘replace’.  That will create 
it or replace it.


OK, I will change that option ...

Now, why you are not seeing it in gpresult I dunno. You ran the gpresult as a 
local admin?


I did. I rebooted (luckily it's a test server), and the file showed up. Even 
though I had done a "gpupdate /force /target:computer", specifically to avoid 
rebooting ...

There are other test VMs in that same OU, I will check those ...

BTW, lot of other sites recommend creating a file "perfc" (no extension), and 
this page recommends "perfc.dat". Perhaps I should create both, just to be sure 
...




From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Michael Leone
Sent: Wednesday, June 28, 2017 9:13 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Using GPP to fight Petya

So I'm confused. Looking at this page:

https://www.binarydefense.com/petya-ransomware-without-fluff/

Shows using GPP to create a file "c:\windows\perfc.dat". Apparently, if this 
file exists, the malware stops (yes, I know that there will be a variant Real 
Soon Now that avoids this).

So I made this change:

Computer\Preferences\Windows Settings\Files

And followed the web page ("update", copy windowsupdate.log to 
"c:\windows\perfc.dat", make it read-only). Did all this on a testing GPO I keep 
around for this purpose.

Doing Group Policy Modeling Wizard, I see this being applied as a setting to my 
test VM. Yet when I go and look in c:\windows, I don't see the file. Nor do I see 
that setting in "gpresult /r /v".

What have I done wrong?






RE: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Kennedy, Jim
I will ground my son who wrote that.  It should be ‘replace’.  That will create 
it or replace it.

Now, why you are not seeing it in gpresult I dunno. You ran the gpresult as a 
local admin?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Wednesday, June 28, 2017 9:13 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Using GPP to fight Petya

So I'm confused. Looking at this page:

https://www.binarydefense.com/petya-ransomware-without-fluff/

Shows using GPP to create a file "c:\windows\perfc.dat". Apparently, if this 
file exists, the malware stops (yes, I know that there will be a variant Real 
Soon Now that avoids this).

So I made this change:

Computer\Preferences\Windows Settings\Files

And followed the web page ("update", copy windowsupdate.log to 
"c:\windows\perfc.dat", make it read-only). Did all this on a testing GPO I keep 
around for this purpose.

Doing Group Policy Modeling Wizard, I see this being applied as a setting to my 
test VM. Yet when I go and look in c:\windows, I don't see the file. Nor do I see 
that setting in "gpresult /r /v".

What have I done wrong?





[NTSysADM] RE: Does Separating Data and Log Files Make Your Server More Reliable?

2017-06-26 Thread Kennedy, Jim
I never viewed it as a reliability decision, but as a speed/performance 
decision.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Webster
Sent: Monday, June 26, 2017 12:30 PM
To: NT Issues (ntsysadm@lists.myitforum.com)
Subject: [NTSysADM] Does Separating Data and Log Files Make Your Server More 
Reliable?

I had always been told to separate everything in SQL Server.

https://www.brentozar.com/archive/2017/06/separating-data-log-files-make-server-reliable/


Webster



RE: [NTSysADM] This is fairly disturbing...

2017-06-26 Thread Kennedy, Jim
Yea, we have to view what is said on The Register with caution.  They post a 
lot of good stuff, but too often they overplay things.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Sunday, June 25, 2017 1:48 PM
To: ntsysadm
Subject: Re: [NTSysADM] This is fairly disturbing...

Looks like this was overblown - what a surprise:
https://www.betaarchive.com/forum/viewtopic.php?t=37283

On Sat, Jun 24, 2017 at 4:48 PM, Michael B. Smith  wrote:
> Eeeeh
>
> I think that most of this has been available elsewhere, for quite a while.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Saturday, June 24, 2017 11:25 AM
> To: ntsysadm
> Subject: [NTSysADM] This is fairly disturbing...
>
> http://www.theregister.co.uk/2017/06/23/windows_10_leak/
>
>




[NTSysADM] RE: Ot chrome book class

2017-06-26 Thread Kennedy, Jim
Check with your/her local public school.  We offer classes all summer for 
adults in conjunction with the local YWCA.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Sunday, June 25, 2017 5:57 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Ot chrome book class

My mother in law has a chrome book and very little skills.
Any direction for video classes on general pc use and chrome book usage would 
be awesome.

Sent from my iPhone







RE: [NTSysADM] Re: GPO being filtered out, denied by security - RESOLVED

2017-06-20 Thread Kennedy, Jim
Nice find!!  Gonna save this one.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Tuesday, June 20, 2017 12:28 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Re: GPO being filtered out, denied by security - 
RESOLVED

I didn't bounce the servers. But this did work:

http://www.windowsnetworking.com/kbase/WindowsTips/Windows7/AdminTips/Admin/Forcingre-evaluationofcomputergroupmembership.html

klist -li 0x3e7 purge

Then run this command on the computer:

gpupdate /force

The first command clears the Kerberos ticket cache for the computer account 
(that’s the 0x3e7 part) while the second command causes the computer to 
authenticate anew and determine its new group membership.



On Tue, Jun 20, 2017 at 11:21 AM, Kennedy, Jim <kennedy...@elyriaschools.org> 
wrote:
> Did you bounce the servers so they could pick up the new group membership?
>
> -Original Message-
> From: listsad...@lists.myitforum.com 
> [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone
> Sent: Tuesday, June 20, 2017 11:11 AM
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Re: GPO being filtered out, denied by security - 
> MORE
>
> OK, I've noticed that there are more servers exhibiting this GPO denial. All 
> were added to the AD group that applies to this denied GPO. All that were 
> added to the AD group yesterday are fine, GPO *not* being denied.
>
> Maybe I just need to leave it? I would have thought that a "gpupdate /force" 
> would have been enough. I even forced a site replication between DCs, just in 
> case AD changes hadn't been replicated yet.
>
> On Tue, Jun 20, 2017 at 10:28 AM, Michael Leone <oozerd...@gmail.com> wrote:
>> I'm scratching my head at this. I created a new GPO, to set updates 
>> to be applied automatically, and rebooted automatically. I created a 
>> new AD group; added 10 server accounts to it. Set the security 
>> filtering on the new GPO to this new group.
>>
>> All seemed fine, I spot-checked the 10 servers to be sure that GPO 
>> was being applied (I did a gpupdate /force /target:computer, then 
>> checked gpresult /r). And it is being applied as it should.
>>
>> With one exception. One server says it is being filtered out, and 
>> denied by security. And I can't figure out why. There are no 
>> delegations on the GPO, so it can't be denied from there.
>>
>> All server accounts are in the same OU. All are members of all the 
>> same AD groups.
>>
>> Here's the thing. This account is a member of 2 AD groups. Both 
>> groups are on security filtering for my WSUS GPOs. And it *is* 
>> applying the one GPO (the one that is set to download only, not install).
>>
>> But it is not applying the other GPO, which is set to install, and 
>> which is higher in precedence. (I know it's higher in precedence, 
>> this GPO is properly being applied to the other members of that AD group).
>>
>> Where do I go from here? How can I determine why just this one server 
>> is filtering out the GPO, when the other group members are not 
>> filtering it out?
>
>




RE: [NTSysADM] Re: GPO being filtered out, denied by security - MORE

2017-06-20 Thread Kennedy, Jim
Did you bounce the servers so they could pick up the new group membership?

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Tuesday, June 20, 2017 11:11 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Re: GPO being filtered out, denied by security - MORE

OK, I've noticed that there are more servers exhibiting this GPO denial. All 
were added to the AD group that applies to this denied GPO. All that were added 
to the AD group yesterday are fine, GPO *not* being denied.

Maybe I just need to leave it? I would have thought that a "gpupdate /force" 
would have been enough. I even forced a site replication between DCs, just in 
case AD changes hadn't been replicated yet.

On Tue, Jun 20, 2017 at 10:28 AM, Michael Leone  wrote:
> I'm scratching my head at this. I created a new GPO, to set updates to 
> be applied automatically, and rebooted automatically. I created a new 
> AD group; added 10 server accounts to it. Set the security filtering 
> on the new GPO to this new group.
>
> All seemed fine, I spot-checked the 10 servers to be sure that GPO was 
> being applied (I did a gpupdate /force /target:computer, then checked 
> gpresult /r). And it is being applied as it should.
>
> With one exception. One server says it is being filtered out, and 
> denied by security. And I can't figure out why. There are no 
> delegations on the GPO, so it can't be denied from there.
>
> All server accounts are in the same OU. All are members of all the 
> same AD groups.
>
> Here's the thing. This account is a member of 2 AD groups. Both groups 
> are on security filtering for my WSUS GPOs. And it *is* applying the 
> one GPO (the one that is set to download only, not install).
>
> But it is not applying the other GPO, which is set to install, and 
> which is higher in precedence. (I know it's higher in precedence, this 
> GPO is properly being applied to the other members of that AD group).
>
> Where do I go from here? How can I determine why just this one server 
> is filtering out the GPO, when the other group members are not 
> filtering it out?




RE: [NTSysADM] Q about GPO Security Filtering precendence

2017-06-20 Thread Kennedy, Jim
One other thing.

If you want 4 to apply to every machine in that OU (except the exceptions for 
1,2 and 3) then you don't need an 'All WSUS security group' or any filtering on 
that GPO.  It will apply to all of them as is. Then let 1,2 and 3 do their 
thing with the security filtering.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, June 20, 2017 10:13 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Q about GPO Security Filtering precendence

For this scenario you might consider adding a deny for applying the policy to 
the policies for the other groups.  It's really not necessary as the last 
policy applied will take precedence but would potentially help with 
troubleshooting logic in case a system does end up in more than one group.

1. Install-at-9AM (only certain group members get these settings) - denies 10am and 11am groups
2. Install-at-10AM (only certain group members get these settings) - denies 9am and 11am groups
3. Install-at-11AM (only certain group members get these settings) - denies 9am and 10am groups
4. All WSUS Members, notify only, no download (so they all get this) - no denies for the catchall

In the above scenario, if a server ends up in two or more of the 9am, 10am, and 
11am groups it will end up with the policies from #4 applying.

-Bonnie

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Monday, June 19, 2017 9:58 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Q about GPO Security Filtering precendence

On Mon, Jun 19, 2017 at 3:56 PM, Kennedy, Jim <kennedy...@elyriaschools.org> 
wrote:
> " So you are saying that members of group 1 (9AM) must be removed from group 
> 4 (All WSUS Members)."
>
> If you do it my way, you don't need to remove them from 'All WSUS'.  Just 
> make sure there is no cross memberships between 9am, 10am and 11am.

No cross membership between 9AM, 10AM, 11AM, no. But I was hoping to have all 
servers in the "All WSUS" group, so that even if I forget to assign a server to 
one of those 3 groups, they will at least get the default patching.

> By having 'All WSUS' listed as number 4 that will apply to everyone first, 
> but then your other three will overwrite that and you are golden.

OK! I will try that out today, and then check the RSOP tomorrow on those 10 
servers at 9AM, and spot-check the others ..


>
> -Original Message-
> From: listsad...@lists.myitforum.com 
> [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone
> Sent: Monday, June 19, 2017 12:31 PM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] Q about GPO Security Filtering precendence
>
> On Mon, Jun 19, 2017 at 3:56 PM, Kennedy, Jim <kennedy...@elyriaschools.org> 
> wrote:
>> Charles and I are saying the same thing, just differently.
>>
>> When you say this:  "(only certain group members get these settings)"   I am 
>> assuming you mean you have security group filtering on these 3 GPO's.
>
> Yes, correct.
>
>> Are the members of 2, 3 and 4 also members of 'All WSUS Members' in item 1? 
>> If yes, they will all end up getting 1.  2, 3 and 4 will be over written as 
>> item 1 has the highest precedent.
>
> I created the 3 new groups, but have not yet populated them.
>
>> Here is my answer, assuming 2, 3 and 4 have unique membership on the 
>> security group filtering.  So members of 2 are NOT members of 3 and 4.  And 
>> members of 3 are not members of 2 and 4...and so on.
>>
>> 1. Install-at-9AM  (only certain group members get these settings)
>> 2. Install-at-10AM (only certain group members get these settings)
>> 3. Install-at-11AM   (only certain group members get these settings)
>> 4. All WSUS Members, notify only, no download (so they all get this 
>> setting, except for the ones who got the setting from above it)
>>
>> It will process like this:
>>
>> Everyone will get number 4 first.
>>
>> Then those that are members of the security group you are using in 3 will 
>> get 3.  Then members of security group 2 will get 2. And last members of 1 
>> will get 1.
>
> OK.
> So you are saying that members of group 1 (9AM) must be removed from group 4 
> (All WSUS Members).
> Eventually all servers will (should be) be a member of 1, 2 or 3 only (none 
> of these a member of 4).
>
> Eventually any server not a member of 1,2,3 will be a member of 4 (this will 
> eventually become the "fall through" GPO, as a "just in case").
>
> So I need to take those 10 pilot servers, remove them from the "All WSUS 
> Members" group (#4), and add them to "9AM" group (#1). And have the GPO order 
> as above:
>
>  9AM
> 10AM
> 11AM
> 
>
>




RE: [NTSysADM] Q about GPO Security Filtering precendence

2017-06-19 Thread Kennedy, Jim
" So you are saying that members of group 1 (9AM) must be removed from group 4 
(All WSUS Members)."

If you do it my way, you don't need to remove them from 'All WSUS'.  Just make 
sure there is no cross memberships between 9am, 10am and 11am.

By having 'All WSUS' listed as number 4 that will apply to everyone first, but 
then your other three will overwrite that and you are golden.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Monday, June 19, 2017 12:31 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Q about GPO Security Filtering precendence

On Mon, Jun 19, 2017 at 3:56 PM, Kennedy, Jim <kennedy...@elyriaschools.org> 
wrote:
> Charles and I are saying the same thing, just differently.
>
> When you say this:  "(only certain group members get these settings)"   I am 
> assuming you mean you have security group filtering on these 3 GPO's.

Yes, correct.

> Are the members of 2, 3 and 4 also members of 'All WSUS Members' in item 1? 
> If yes, they will all end up getting 1.  2, 3 and 4 will be over written as 
> item 1 has the highest precedent.

I created the 3 new groups, but have not yet populated them.

> Here is my answer, assuming 2, 3 and 4 have unique membership on the security 
> group filtering.  So members of 2 are NOT members of 3 and 4.  And members of 
> 3 are not members of 2 and 4...and so on.
>
> 1. Install-at-9AM  (only certain group members get these settings)
> 2. Install-at-10AM (only certain group members get these settings)
> 3. Install-at-11AM   (only certain group members get these settings)
> 4. All WSUS Members, notify only, no download (so they all get this 
> setting, except for the ones who got the setting from above it)
>
> It will process like this:
>
> Everyone will get number 4 first.
>
> Then those that are members of the security group you are using in 3 will get 
> 3.  Then members of security group 2 will get 2. And last members of 1 will 
> get 1.

OK.
So you are saying that members of group 1 (9AM) must be removed from group 4 
(All WSUS Members).
Eventually all servers will (should be) be a member of 1, 2 or 3 only (none of 
these a member of 4).

Eventually any server not a member of 1,2,3 will be a member of 4 (this will 
eventually become the "fall through" GPO, as a "just in case").

So I need to take those 10 pilot servers, remove them from the "All WSUS 
Members" group (#4), and add them to "9AM" group (#1). And have the GPO order 
as above:

 9AM
10AM
11AM





RE: [NTSysADM] Q about GPO Security Filtering precendence

2017-06-19 Thread Kennedy, Jim
Charles and I are saying the same thing, just differently.

When you say this:  "(only certain group members get these settings)"   I am 
assuming you mean you have security group filtering on these 3 GPO's.  If that 
is not correct then my answer below is incorrect. However I don't see how you 
can do this without GPO Security group filtering unless you use different OU's.


Are the members of 2, 3 and 4 also members of 'All WSUS Members' in item 1? If 
yes, they will all end up getting 1.  2, 3 and 4 will be over written as item 1 
has the highest precedent.

Here is my answer, assuming 2, 3 and 4 have unique membership on the security 
group filtering.  So members of 2 are NOT members of 3 and 4.  And members of 3 
are not members of 2 and 4...and so on.

1. Install-at-9AM  (only certain group members get these settings)
2. Install-at-10AM (only certain group members get these settings)
3. Install-at-11AM   (only certain group members get these settings)
4. All WSUS Members, notify only, no download (so they all get this setting, 
except for the ones who got the setting from above it)

It will process like this:

Everyone will get number 4 first.

Then those that are members of the security group you are using in 3 will get 
3.  Then members of security group 2 will get 2. And last members of 1 will get 
1.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Monday, June 19, 2017 11:36 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Q about GPO Security Filtering precendence

On Mon, Jun 19, 2017 at 11:21 AM, Kennedy, Jim <kennedy...@elyriaschools.org> 
wrote:
> When there are multiple linked at the same OU the number next to the 
> GPO is their precedence.  The lowest number link will have the highest 
> precedence.
>
>
>
> “If you have more than one GPO linked to an OU then the processing 
> order of these GPOs is determined by what is known as the link order. 
> The GPO with the lowest link order will be processed last – in other 
> words the GPO with a link order of 1 has the highest precedence, followed by 
> link order 2, etc.”
>
>
>
> https://emeneye.wordpress.com/2016/02/16/group-policy-order-of-precedence-faq/


So wait - you are saying I need this order:

1. All WSUS Members, notify only, no download (so they all get this setting, 
except for the ones who got the setting from above it)
2. Install-at-9AM  (only certain group members get these settings)
3. Install-at-10AM (only certain group members get these settings)
4. Install-at-11AM   (only certain group members get these settings)

This seems to be the opposite of what Charles is saying ...




RE: [NTSysADM] Q about GPO Security Filtering precendence

2017-06-19 Thread Kennedy, Jim
When there are multiple linked at the same OU the number next to the GPO is 
their precedence.  The lowest number link will have the highest precedence.

“If you have more than one GPO linked to an OU then the processing order of 
these GPOs is determined by what is known as the link order. The GPO with the 
lowest link order will be processed last – in other words the GPO with a link 
order of 1 has the highest precedence, followed by link order 2, etc.”

https://emeneye.wordpress.com/2016/02/16/group-policy-order-of-precedence-faq/




From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Monday, June 19, 2017 11:05 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Q about GPO Security Filtering precendence

I'm confused. From searching, I thought that the *last* listed GPO takes 
precedence.

So wouldn't I want my non-rebooting (notify only) GPO *first*, applying to all 
"WSUS Members", and my rebooting schedule #1 GPO (applying to "WSUS Members" 
and the new AD group)?

If I had the order the other way (9AM first, then the non-rebooting), wouldn't 
the non-rebooting GPO override the settings from the GPO above it?


On Mon, Jun 19, 2017 at 10:08 AM, Charles F Sullivan wrote:
I believe you just need to put the 9 AM GPO at the top. Once you get down to 
the OU level, the settings from the GPO listed at the top will prevail.

Once you add that third GPO, just make sure the non-security-enabled GPO is at 
the bottom. Any settings from the non-security-enabled one will apply to all 
the servers in the OU, but not any settings that conflict with the GPOs listed 
above it (which or course will only apply to the machines in the applicable 
groups).

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Michael Leone
Sent: Monday, June 19, 2017 9:43 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Q about GPO Security Filtering precendence

So I finally got the OK to have some of our servers have their patches 
automatically installed via GPO. Right now, all applicable servers are in 1 OU. 
All are members of a specific AD group ("WSUS Members"). There is a GPO on that 
OU that has these WSUS settings:

Computer Configuration/Policies/Administrative Templates/Windows 
Components/Windows Update
- Configure Automatic Updates. Value: 2 (Notify for download and notify for 
install)

And my WSUS server is set as the intranet MS update service location.

So now I want 10 servers (as a pilot group) to reboot Sun at 9AM (I will have a 
WSUS group that has these 10, and the specific patches to install).

So what I want to do is make a new GPO, filtered on a new AD group (with these 
10 servers as members), and the new GPO will have these settings:

Computer Configuration/Policies/Administrative Templates/Windows 
Components/Windows Update
- Always reboot at scheduled time; ENABLED
- Automatic Updates detection frequency: ENABLED (2 hours)
- Configure automatic updates. Value: 4 (auto download and schedule the install)
- Install during automatic maintenance: DISABLED
- Scheduled install day and time: Sunday, 9AM
- Turn on recommended updates via Automatic Updates: ENABLED

I've been trying some test VMs with a GPO with the above settings, and they 
seem to be what I want.

Here's the question (finally!):

On the Servers OU, make a new (second) GPO with the above settings, and set 
security filtering to the new AD group.  So those 10 servers will get the 
current GPO settings (just notify), AND get the new GPO settings (install and 
reboot on Sundays).

So which GPO takes precedence? Or are the settings cumulative (I think so)

Do I just need to make the new GPO, filtered to the new group? Or do I need to 
filter on membership in *both* groups ("WSUS Members" and "WSUS 9AM group")?

(eventually there will be 3 groups - 9AM, 9:30AM and 10AM - so I can stagger 
the reboots)
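
The processing rule this thread settles on (link order 1 is processed last and wins, security filtering decides which GPOs a computer processes at all, and a deny beats an allow), modeled as an added Python example that is not from any of the posters. The group names "WSUS 10AM", "WSUS 11AM" and "All WSUS" and the setting keys are assumptions, and the model ignores parent-OU inheritance, Enforced links and WMI filters.

```python
from dataclasses import dataclass, field

AUTH_USERS = "Authenticated Users"   # default security filter on a new GPO
AU = "Configure Automatic Updates"   # 2 = notify, 4 = auto download and schedule install
WHEN = "Scheduled install time"      # assumed key name for the schedule setting


@dataclass
class GpoLink:
    name: str
    link_order: int                   # number shown beside the link on the OU
    settings: dict
    apply_to: set = field(default_factory=lambda: {AUTH_USERS})
    deny_to: set = field(default_factory=set)


def passes_filter(link, groups):
    """Security filtering: an explicit deny of Apply beats any allow."""
    if link.deny_to & groups:
        return False
    return bool(link.apply_to & groups)


def resolve(links, computer_groups):
    """Return (GPOs applied in processing order, resultant settings, winning GPO per setting)."""
    groups = set(computer_groups) | {AUTH_USERS}
    applied, result, source = [], {}, {}
    # Links on one OU are processed from the highest link-order number down,
    # so link order 1 is written last and wins any conflicting setting.
    for link in sorted(links, key=lambda l: l.link_order, reverse=True):
        if not passes_filter(link, groups):
            continue
        applied.append(link.name)
        for key, value in link.settings.items():
            result[key] = value       # non-conflicting settings accumulate
            source[key] = link.name
    return applied, result, source


# Constructed layout following the thread; group names are assumptions.
SLOTS = [("Install-at-9AM", "WSUS 9AM", "09:00"),
         ("Install-at-10AM", "WSUS 10AM", "10:00"),
         ("Install-at-11AM", "WSUS 11AM", "11:00")]


def thread_layout(with_denies=False, catch_all_on_top=False):
    """Catch-all at link order 4 (the 1-4 list in the replies) or at link order 1."""
    links = [GpoLink("All WSUS Members", 1 if catch_all_on_top else 4,
                     {AU: 2}, apply_to={"All WSUS"})]
    first = 2 if catch_all_on_top else 1
    for order, (gpo, group, time) in enumerate(SLOTS, start=first):
        others = {g for _, g, _ in SLOTS if g != group}
        links.append(GpoLink(gpo, order, {AU: 4, WHEN: time}, apply_to={group},
                             deny_to=others if with_denies else set()))
    return links


if __name__ == "__main__":
    cases = [
        ("pilot server, catch-all at 4", thread_layout(), {"All WSUS", "WSUS 9AM"}),
        ("unassigned server, catch-all at 4", thread_layout(), {"All WSUS"}),
        ("pilot server, catch-all at 1",
         thread_layout(catch_all_on_top=True), {"All WSUS", "WSUS 9AM"}),
        ("server in 9AM and 10AM, no denies",
         thread_layout(), {"All WSUS", "WSUS 9AM", "WSUS 10AM"}),
        ("server in 9AM and 10AM, with denies",
         thread_layout(with_denies=True), {"All WSUS", "WSUS 9AM", "WSUS 10AM"}),
    ]
    for label, links, groups in cases:
        applied, result, source = resolve(links, groups)
        print(label)
        print("  processed:", " -> ".join(applied))
        for key, value in result.items():
            print(f"  {key} = {value} (from {source[key]})")
```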






RE: [NTSysADM] Ransonware protection

2017-06-13 Thread Kennedy, Jim
Applocker, locking down the user profile.  That is where most of it executes.  
And not just exe’s, don’t forget VBS. That will cover the exe and Word/VBS 
versions of the ransomware.

Block Office Macro’s if you can.  We were able to block them for everyone 
except one person.

Yea, a good spam filter. We really like our Cuda, there are certainly other 
very good ones.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Tom Miller
Sent: Monday, June 12, 2017 8:41 AM
To: NTSysADM@lists.myitforum.com
Subject: [NTSysADM] Ransonware protection

Hi All,

What would you recommend as specific software solutions to protect against 
Ransomware?  In my company we use:

-  Sonicwall firewalls, and the gateway security component is enabled and is 
supposed to help block/prevent.
- Symantec AV.  Not specific to ransom-ware but appears to be reactive.

I'm looking at additional layers of security, such as the Barracuda e-mail 
filter.  I used that at past jobs and that reduced the "infected" e-mails 
considerably.

I also have used Malwarebytes enterprise.  That has an anti-ransomware 
component.  I used that in a past job and was not impressed.  Malwarebytes sold 
it as an "enterprise" solution, but it was a stand alone product, had no 
integration with the management console, no configuration and no notifications. 
 It appeared to be a rush to market.

Sophos supposedly has a similar solution specific to Malwarebytes but I have 
not looked at it yet.

Internally, we also have targeted employee training and use a service to send 
"fake" messages from Amazon/UPS, etc to let them know that they need to be 
vigilant when reviewing messages from outside the company.

Thoughts appreciated.


[NTSysADM] RE: Windows 10 Explorer drag and drop issue

2017-06-02 Thread Kennedy, Jim
And our memory of 7 and XP is of how it was most recently.  A mature OS with 
most of the bugs killed.  They had just as many bugs when they first came out.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Joseph L. Casale
Sent: Friday, June 2, 2017 3:50 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Windows 10 Explorer drag and drop issue

Current Branch and Current Branch for Business...


To be honest, I am not too wrapped up in the semantics of the naming. Really, if 
you called it SPn, would it sound more appealing? Either way, the claim and 
expectation is a reasonable amount of testing was done and I think it would be 
naïve to assume not.

I think the real problem might manifest in the complexity of the OS. Compared 
to XP which ran smooth from my experience, I am not surprised there are more 
bugs given the sheer orders of magnitude more features. Simple matter of reality 
based on x bugs per y lines of code...

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Friday, June 2, 2017 11:20 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Windows 10 Explorer drag and drop issue

Well, the new names for the CB and CBB servicing branches certainly are 
telling. Can't remember the exact names but CB is now "pilot", which should 
give consumers a warm fuzzy feeling :)

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Katherine M. Moss
Sent: 02 June 2017 18:12
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Windows 10 Explorer drag and drop issue

I've noticed it's more Windows 10 than older versions. I seriously wonder 
whether this was done on purpose ...

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Friday, June 02, 2017 12:23 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Windows 10 Explorer drag and drop issue

That's the number #1 Windows 10 troubleshooting tip, re-image. Sad but true

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Joseph L. Casale
Sent: 02 June 2017 17:12
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] RE: Windows 10 Explorer drag and drop issue

It does persist after a reboot, tried the escape key and resetting ie zone 
settings to without any effect. I also logged on a new user and the issue 
remains. Seems something system wide is broken on this desktop, I'll just 
re-image when convenient.

Thanks,
jlc

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Miller Bonnie L.
Sent: Friday, June 2, 2017 9:55 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Windows 10 Explorer drag and drop issue

Haven't seen this but if it doesn't follow through a restart, try tapping the 
esc key and see if it fixes it, as that is the common workaround for several 
weird windows interface bugs like this when they crop up.  If not, it sort of 
sounds like it could be an IE zone settings issue as well, so you might check 
there and see if anyone has been changing settings.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Joseph L. Casale
Sent: Wednesday, May 31, 2017 3:05 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Windows 10 Explorer drag and drop issue

Actually, dragging to the desktop and apps appears to work, it seems limited to 
just within Explorer. I can assert the box is up to date with patches.

Thanks,
jlc

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Wednesday, May 31, 2017 12:42 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Windows 10 Explorer drag and drop issue

Hmmm. Just wondering because I was battling against an issue with Edge crashing 
and I thought the machine was fully patched, but then all of a sudden a new 
update landed and hey presto! Issue resolved.

Does it manifest just within Explorer windows or also when you try to drag 
anything to the desktop or even to another application?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Joseph L. Casale
Sent: 31 May 2017 19:24
To: 'ntsysadm@lists.myitforum.com'
Subject: [NTSysADM] RE: Windows 10 Explorer drag and drop 

[NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

2017-06-01 Thread Kennedy, Jim
It's old school.  No need for you kids and your newfangled Attitude Alignment 
Tools. They work just fine the way they are.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Thursday, June 1, 2017 10:56 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

Clue by Four?  Is that the same as an Attitude Alignment Tool?  More 
importantly is it a direct replacement or just a compatible part?

:)

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Thursday, June 1, 2017 10:19 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

Michael, can I hire you for a day or two to beat that idea into my desktop 
tech's heads? We will provide the clue by four.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Thursday, June 1, 2017 10:08 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

I have no idea. To evaluate, I would be looking at connection statistics, debug 
logs, and wireshark.

However - if a workstation gives you problems, re-image it. It's not worth the 
time or hassle to debug anymore. A rebuild can be done in 30 minutes or less.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Katherine M. Moss
Sent: Thursday, June 1, 2017 9:46 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

Now why did this not happen on my spare D630? And why did the D630 not hang on 
credential pass? I'm confused about this; why some of us are having performance 
issues during account add and others are not. And it seems specific to certain 
workstations. Like I said; only mine and this other guy is having the issue; our 
admin can't see the problem.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Thursday, June 01, 2017 9:38 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

They should be recreated for the proper contents of the new profile.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Katherine M. Moss
Sent: Thursday, June 1, 2017 9:25 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

If I move them, though, will they be re-created upon the creation of the new 
profile? And could those have anything to do with why Outlook is crashing for 
this account? In that case it's just one computer.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Thursday, June 01, 2017 9:20 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

In appdata for Outlook are a few XML files where OST and PST files are stored. 
Before you create a new profile, you should save-off those XML files (put them 
in a different folder). They are used by Outlook 2016 to build the profile 
instead of the PRF files that prior versions of Outlook used.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Katherine M. Moss
Sent: Thursday, June 1, 2017 8:56 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Nasty Outlook 2016 and Windows 10 issue

Hi all,
This might end up on the Exchange list, but until then, it looks like a 
different issue. I have recently reinstalled Office 2016 in light of a crashing 
Outlook when I went to set up this email address inside. Upon reinstall, I 
created a new profile, (the "connect Outlook to Office 365" dialogue needs to 
go the hell away, if you ask me), selected connect to a different account, and 
then all of the fields are autopopulated with values from my other email 
account which is indeed Office 365. If this is a brand new office install and 
my computer is set up with a local account, from where is Outlook even pulling 
values from my Microsoft account anyway? Not sure whether the two issues are 
related, but after correcting t

[NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

2017-06-01 Thread Kennedy, Jim
Michael, can I hire you for a day or two to beat that idea into my desktop 
tech's heads? We will provide the clue by four.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, June 1, 2017 10:08 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

I have no idea. To evaluate, I would be looking at connection statistics, debug 
logs, and wireshark.

However - if a workstation gives you problems, re-image it. It's not worth the 
time or hassle to debug anymore. A rebuild can be done in 30 minutes or less.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Katherine M. Moss
Sent: Thursday, June 1, 2017 9:46 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

Now why did this not happen on my spare D630? And why did the D630 not hang on 
credential pass? I'm confused about this; why some of us are having performance 
issues during account add and others are not. And it seems specific to certain 
workstations. Like I said; only mine and this other guy is having the issue; our 
admin can't see the problem.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Thursday, June 01, 2017 9:38 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

They should be recreated for the proper contents of the new profile.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Katherine M. Moss
Sent: Thursday, June 1, 2017 9:25 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

If I move them, though, will they be re-created upon the creation of the new 
profile? And could those have anything to do with why Outlook is crashing for 
this account? In that case it's just one computer.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Thursday, June 01, 2017 9:20 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

In appdata for Outlook are a few XML files where OST and PST files are stored. 
Before you create a new profile, you should save-off those XML files (put them 
in a different folder). They are used by Outlook 2016 to build the profile 
instead of the PRF files that prior versions of Outlook used.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Katherine M. Moss
Sent: Thursday, June 1, 2017 8:56 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Nasty Outlook 2016 and Windows 10 issue

Hi all,
This might end up on the Exchange list, but until then, it looks like a 
different issue. I have recently reinstalled Office 2016 in light of a crashing 
Outlook when I went to set up this email address inside. Upon reinstall, I 
created a new profile, (the "connect Outlook to Office 365" dialogue needs to 
go the hell away, if you ask me), selected connect to a different account, and 
then all of the fields are autopopulated with values from my other email 
account which is indeed Office 365. If this is a brand new office install and 
my computer is set up with a local account, from where is Outlook even pulling 
values from my Microsoft account anyway? Not sure whether the two issues are 
related, but after correcting the autopopulated fields to match the values for 
this account (on premise Exchange server 2016), I'm having an annoying thing 
happen where the credentials prompt just hangs for ever and ever. Hence I'm 
having to use the Windows 10 mail application until I can resolve the issue. 
It's only on one computer where it happens; this one is fine, and my other 
laptop is fine. It's only my newer primary laptop where this is happening. 
Someone else I know is having the same issue, and autodiscover is set up 
correctly. Any other advice?



[NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

2017-06-01 Thread Kennedy, Jim
Your two XML profiles are broke/corrupt.  The others are not. When you have one 
off's like this (or two off's) it's usually a good bet to blame the local 
machine.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Katherine M. Moss
Sent: Thursday, June 1, 2017 9:51 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

Now why did this not happen on my spare D630? And why did the D630 not hang on 
credential pass? I'm confused about this; why some of us are having performance 
issues during account add and others are not. And it seems specific to certain 
workstations. Like I said; only mine and this other guy is having the issue; our 
admin can't see the problem.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Thursday, June 01, 2017 9:38 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

They should be recreated for the proper contents of the new profile.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Katherine M. Moss
Sent: Thursday, June 1, 2017 9:25 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

If I move them, though, will they be re-created upon the creation of the new 
profile? And could those have anything to do with why Outlook is crashing for 
this account? In that case it's just one computer.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Thursday, June 01, 2017 9:20 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Nasty Outlook 2016 and Windows 10 issue

In appdata for Outlook are a few XML files where OST and PST files are stored. 
Before you create a new profile, you should save-off those XML files (put them 
in a different folder). They are used by Outlook 2016 to build the profile 
instead of the PRF files that prior versions of Outlook used.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Katherine M. Moss
Sent: Thursday, June 1, 2017 8:56 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Nasty Outlook 2016 and Windows 10 issue

Hi all,
This might end up on the Exchange list, but until then, it looks like a 
different issue. I have recently reinstalled Office 2016 in light of a crashing 
Outlook when I went to set up this email address inside. Upon reinstall, I 
created a new profile, (the "connect Outlook to Office 365" dialogue needs to 
go the hell away, if you ask me), selected connect to a different account, and 
then all of the fields are autopopulated with values from my other email 
account which is indeed Office 365. If this is a brand new office install and 
my computer is set up with a local account, from where is Outlook even pulling 
values from my Microsoft account anyway? Not sure whether the two issues are 
related, but after correcting the autopopulated fields to match the values for 
this account (on premise Exchange server 2016), I'm having an annoying thing 
happen where the credentials prompt just hangs for ever and ever. Hence I'm 
having to use the Windows 10 mail application until I can resolve the issue. 
It's only on one computer where it happens; this one is fine, and my other 
laptop is fine. It's only my newer primary laptop where this is happening. 
Someone else I know is having the same issue, and autodiscover is set up 
correctly. Any other advice?



RE: [NTSysADM] Intel 7th gen with Windows 7

2017-05-30 Thread Kennedy, Jim
My concern would be that you will end up installing an update that isn’t 
compatible with that proc.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of roycroet
Sent: Tuesday, May 30, 2017 9:50 AM
To: Ntsysadm
Subject: [NTSysADM] Intel 7th gen with Windows 7

We've recently bought a bunch of brand name PCs with Kaby Lake CPUs, and we'd 
like to reimage them with our Win7 x64 image. As you probably know already, 
Windows Updates are blocked on these CPUs.

Are we screwed? How have you folks managed this? Migrating our environment to W10 is 
not an option at this moment.

Saw this patch made by Zeffy to bypass CPU check, it seems to work.. but I'm 
scared to deploy this in our production environment.

Any recommendation would be greatly appreciated


RE: [NTSysADM] Disabling word macro's.

2017-05-25 Thread Kennedy, Jim
Yea, it appears each is a case by case basis.  Some had mangled their default 
template.  Others had an ActiveX add on from our smart board software installed 
that isn’t supposed to be installed. Just gave the techs a list of possible 
causes and when in doubt image them.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Micheal Espinola Jr
Sent: Wednesday, May 24, 2017 4:19 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Disabling word macro's.

I've seen and heard of different causes and fixes over the years.  Are the 
affected staff using the same documents or are they unique situations?

--
Espi


On Wed, May 24, 2017 at 8:06 AM, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:
Office 2010

So we block Word macros for users, and have the setting set to disable and not 
warn.  We have a very small number of staff, like 6 or 8 that still get a pop 
up warning them macros are disabled.  It’s very odd as it happens even if the 
doc doesn’t contain macros.

Anyone have any ideas?



[NTSysADM] Disabling word macro's.

2017-05-24 Thread Kennedy, Jim
Office 2010

So we block Word macros for users, and have the setting set to disable and not 
warn.  We have a very small number of staff, like 6 or 8 that still get a pop 
up warning them macros are disabled.  It’s very odd as it happens even if the 
doc doesn’t contain macros.

Anyone have any ideas?


RE: [NTSysADM] So simple a 6yo can do it...

2017-05-17 Thread Kennedy, Jim
Reuben presented at DerbyCon a few years ago when he was EIGHT. Dropped his own 
exploit that day.  He is one amazing guy.

https://www.youtube.com/watch?v=3ahSBW2jVdI


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Wednesday, May 17, 2017 11:18 AM
To: kurt.b...@gmail.com
Subject: [NTSysADM] So simple a 6yo can do it...

http://www.msn.com/en-us/news/technology/cyber-kid-stuns-experts-showing-toys-can-be-weapons/ar-BBBdgMo


[NTSysADM] RE: Web Filtering Appliances

2017-05-16 Thread Kennedy, Jim
Barracuda

First and foremost its list of ‘unknowns’ is small and manageable.  For me that 
is a must have feature…it must know about most of the internet so that I can 
block ‘unknowns’.  Bad sites pop up all the time and are usually under a new 
domain…and the filter has never heard about it…so it must be blocked.  If a 
filter company does not keep the ‘unknowns’ under control you can’t do that as 
it over blocks.

Our needs are very complex, authenticated users, unauthenticated users, 
wireless, BYOD and that is multiplied by 2 as staff and students have different 
filter sets.  I have not had a scenario that I have not been able to cover with 
it.

Support is one of the best I deal with, they are epic. I email them, within an 
hour I get a phone call and the issue gets solved.

I dislike the slowness of the interface, it isn’t terrible but just slow enough 
to be annoying. I am also a bit scared…we are on their second largest unit.  It 
is still well oversized but if we have to step up to the next size the cost is 
staggering.  But for now costs are very good.  Our yearly subscription is 8,750 
for a gig throughput unit.  That is how they price it, based on throughput.

You should also look at iBoss, they have a very good rep with other EDUs that 
I know.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Gordon Pegue
Sent: Monday, May 15, 2017 5:34 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Web Filtering Appliances

A skosh over 8 years ago, at my prior job, I had an iPrism appliance for web 
traffic monitoring/filtering.

I see that iPrism is now known as Edgewave iPrism and I’m looking over the 
details of what they offer.

Having had no more interim experience with what’s in the market, my query to 
the group is simple:

For those of you who manage a web filtering appliance:
What are you using?
What do you like/dislike about it?
Would you buy it again if you had to start over?
What are you paying for the service subscription?

TIA
Gordon


RE: [NTSysADM] Running exe from APPDATA..TEMP directory

2017-04-11 Thread Kennedy, Jim
While we are on this subject, don't forget to block scripts from running in 
appdata also.  Seeing a fair amount of VBS inside word docs targeting that 
directory tree.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Bud Durland
Sent: Tuesday, April 11, 2017 10:22 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Running exe from APPDATA..TEMP directory

Vendors like to run from %appdata% because any user can put files there; no 
need to get corporate IT (or permission) to install the app.


Bud Durland   |   Director of Information Technology
Direct: 518.324.4850 | Cell: 518.726.0967 | Fax: 518.561.0017 | 
b...@mrpcap.com
1 Plant St., Plattsburgh, NY 12901

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Monday, April 10, 2017 10:25
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Running exe from APPDATA..TEMP directory

Have a vendor that wants to run his app from the APPDATA..TEMP directory.
I have a GPO that denied .exe from running there or subfolders of there.
Any reason I should allow this?
I have the exact folder and program name but it's opening up an exception to my 
rule??
Any thoughts?

David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190



[NTSysADM] RE: Running exe from APPDATA..TEMP directory

2017-04-10 Thread Kennedy, Jim
There are two Ditto's. One is a toolbar that seems to fit your description.  
The other is an enhancement to clipboard and seems legit. So yea, exceptions of 
course have to be for valid software. I don't have a problem doing it if it is 
valid software.  That's my job, make it usable and safe.  A publisher exception 
is perfectly safe.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Monday, April 10, 2017 10:52 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Running exe from APPDATA..TEMP directory

I'll have to see. Other admin in the department trying to get the exception 
approved for ditto.exe (Screen sharing software).
All I can find is bad installs and corrupt files in GoogleFu.
I am thinking I will be asking them to get other software that doesn't 
have such a bad track record.


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Monday, April 10, 2017 10:40 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Running exe from APPDATA..TEMP directory


That is very common, and creating exceptions for that directory is to be 
expected.  For example all the webcast/conference software like WebEx use that 
directory. I am assuming you are using Applocker. Hopefully the vendor signed 
their exe with a cert.  Most do these days.  So create a publisher exception, 
that is pretty darn bullet proof and better than doing a path exception.  It 
also future proofs the exception.  When the software updates it is pretty darn 
certain that the cert will look the same.


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Monday, April 10, 2017 10:32 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Running exe from APPDATA..TEMP directory

Have a vendor that wants to run his app from the APPDATA..TEMP directory.
I have a GPO that denied .exe from running there or subfolders of there.
Any reason I should allow this?
I have the exact folder and program name but it's opening up an exception to my 
rule??
Any thoughts?

David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190



[NTSysADM] RE: Running exe from APPDATA..TEMP directory

2017-04-10 Thread Kennedy, Jim
That is very common, and creating exceptions for that directory is to be 
expected.  For example all the webcast/conference software like WebEx use that 
directory. I am assuming you are using Applocker. Hopefully the vendor signed 
their exe with a cert.  Most do these days.  So create a publisher exception, 
that is pretty darn bullet proof and better than doing a path exception.  It 
also future proofs the exception.  When the software updates it is pretty darn 
certain that the cert will look the same.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Monday, April 10, 2017 10:32 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Running exe from APPDATA..TEMP directory

Have a vendor that wants to run his app from the APPDATA..TEMP directory.
I have a GPO that denied .exe from running there or subfolders of there.
Any reason I should allow this?
I have the exact folder and program name but it's opening up an exception to my 
rule??
Any thoughts?

David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190
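
The publisher-versus-path exception comparison from this thread, as an added example that is not part of the original messages: a simplified Python model (not AppLocker's own engine) of a deny-path rule carrying one exception, written in AppLocker's XML layout. The GUIDs, vendor name, paths and sample files are constructed, an allow-all baseline rule is assumed, and version ranges are not evaluated.

```python
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed policy: an allow-all baseline plus a deny rule for executables
# under the user's Temp directory, with a slot for exactly one exception.
POLICY = r"""<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Baseline allow"
                Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Deny exe in Temp"
                Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
   <Conditions>
    <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" />
   </Conditions>
   <Exceptions>EXCEPTION</Exceptions>
  </FilePathRule>
 </RuleCollection>
</AppLockerPolicy>"""

# The two kinds of exception discussed in the thread (values are made up).
PATH_EXCEPTION = (r'<FilePathCondition '
                  r'Path="%OSDRIVE%\Users\*\AppData\Local\Temp\vendor\app.exe" />')
PUBLISHER_EXCEPTION = ('<FilePublisherCondition '
                       'PublisherName="O=EXAMPLE VENDOR INC, C=US" '
                       'ProductName="*" BinaryName="*">'
                       '<BinaryVersionRange LowSection="*" HighSection="*" />'
                       '</FilePublisherCondition>')


@dataclass
class ExeFile:
    path: str
    publisher: Optional[str] = None  # None models an unsigned file
    product: str = ""
    binary: str = ""


def _field(pattern: str, value: str) -> bool:
    """Publisher fields match on '*' or a case-insensitive exact value."""
    return pattern == "*" or pattern.lower() == value.lower()


def condition_matches(cond: ET.Element, f: ExeFile) -> bool:
    if cond.tag == "FilePathCondition":
        pattern = cond.get("Path").replace("%OSDRIVE%", "C:")
        return fnmatch.fnmatchcase(f.path.lower(), pattern.lower())
    if cond.tag == "FilePublisherCondition":
        if f.publisher is None:  # unsigned files never match a publisher
            return False
        return (_field(cond.get("PublisherName"), f.publisher)
                and _field(cond.get("ProductName"), f.product)
                and _field(cond.get("BinaryName"), f.binary))
    return False


def evaluate(policy_xml: str, f: ExeFile) -> str:
    """Deny beats allow; a rule is skipped when one of its exceptions matches."""
    actions = set()
    for rule in ET.fromstring(policy_xml).iter():
        if rule.get("Action") is None:
            continue
        conds, excs = rule.find("Conditions"), rule.find("Exceptions")
        hit = any(condition_matches(c, f) for c in conds)
        excepted = excs is not None and any(condition_matches(c, f) for c in excs)
        if hit and not excepted:
            actions.add(rule.get("Action"))
    if "Deny" in actions:
        return "Denied"
    return "Allowed" if "Allow" in actions else "DeniedByDefault"


TEMP = r"C:\Users\alice\AppData\Local\Temp"
VENDOR = "O=EXAMPLE VENDOR INC, C=US"
SAMPLES = {  # constructed files
    "vendor v1": ExeFile(TEMP + r"\vendor\app.exe", VENDOR, "Example App", "app.exe"),
    "vendor v2, new folder": ExeFile(TEMP + r"\vendor_2.0\app.exe", VENDOR,
                                     "Example App", "app.exe"),
    "unsigned file at excepted path": ExeFile(TEMP + r"\vendor\app.exe"),
}


def compare() -> dict:
    """Evaluate every sample under the path exception and the publisher one."""
    results = {}
    for kind, exc in (("path", PATH_EXCEPTION), ("publisher", PUBLISHER_EXCEPTION)):
        policy = POLICY.replace("EXCEPTION", exc)
        results[kind] = {name: evaluate(policy, f) for name, f in SAMPLES.items()}
    return results


if __name__ == "__main__":
    for kind, outcome in compare().items():
        for name, decision in outcome.items():
            print(f"{kind:9} exception | {name:31} -> {decision}")
```

With the path exception the updated build in a new folder is blocked while any unsigned file placed at the excepted path runs; the publisher exception reverses both outcomes.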



RE: [NTSysADM] UAC prompt when launching Chrome

2017-04-06 Thread Kennedy, Jim
Running applocker or any other similar whitelisting system?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Micheal Espinola Jr
Sent: Thursday, April 6, 2017 11:22 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] UAC prompt when launching Chrome

To clarify, if you allow Chrome to run as admin once:  It will still require a 
UAC elevation for the next launch?

Have there been any recent policy changes?  Any software updates that feature 
browser integration?

--
Espi


On Wed, Apr 5, 2017 at 2:03 PM, Jimmy Tran wrote:
This issue has been happening for a while now. A user will launch Chrome and 
they will get a UAC prompt immediately. They can hit no to continue but they 
will eventually get another UAC prompt after opening Chrome. This happens 
across the board for all standard users. I’ve tried the Chrome browser for 
business as well as the standard version but both eventually give us the same 
problem. This does happen randomly on different computers running windows 7 or 
10.

I’ve found a bunch of people having this issue on forums but the only solution 
that was found was to set chrome.exe to run as administrator for all users. The 
problem is the user account is a standard account so it will prompt for 
elevated credentials again. I have also tried the Google ADM templates to 
disable auto updates but it still occurs.

Has anyone seen this issue and resolved it?

-Jimmy



RE: [NTSysADM] Has anyone here used this product, and can comment on it?

2017-03-28 Thread Kennedy, Jim
Hey!! I resemble that remark.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Don Ely
Sent: Tuesday, March 28, 2017 4:06 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Has anyone here used this product, and can comment on 
it?

EDU's are notorious for not spending money on the cool toys


RE: [NTSysADM] Sohpos disables UAC

2017-03-13 Thread Kennedy, Jim
When you follow through on that article I linked to...to the Sophos KB on this. 
 It appears to only happen when a scan finds something, like malware.  Then it 
performs the cleanup function that resets this.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Klaus Hartnegg
Sent: Monday, March 13, 2017 3:46 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Sohpos disables UAC

Several more affected PCs found, but also two counter examples: same Windows, 
same Sophos, but UAC is on. Strange.

-- 
Message sent from a mobile device, please excuse brevity and typos






RE: [NTSysADM] Sohpos disables UAC ?

2017-03-10 Thread Kennedy, Jim
Google says:

https://www.404techsupport.com/2015/07/sophos-endpoint-clean-resets-certain-windows-security-settings-default-values/


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Friday, March 10, 2017 12:37 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Sohpos disables UAC ?

That would be bad, very bad. Not just from a security perspective - certain UWP 
apps on Windows 10 misbehave considerably if UAC is disabled.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Klaus Hartnegg
Sent: 10 March 2017 16:24
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Sohpos disables UAC ?

Has anybody recently seen Sophos Antivirus ("Endpoint Security") disabling User 
Account control in Windows 7?

Many computers here suddenly have UAC off, and my research points to Sophos 
installer/updater as culprit: UAC stays on when rebooting normally, but 
reproducibly switches to off after a reboot that followed an install, 
uninstall, or larger update of Sophos. Maybe it only happens if SRP is turned 
on. I will continue testing on Monday, but maybe others already know more??

I had previously read complaints that antivirus software sometimes disables 
certain security features, but UAC!?!




RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

2017-03-03 Thread Kennedy, Jim
Well crud.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Erik Goldoff
Sent: Friday, March 3, 2017 11:03 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [EXTERNAL]Re: [NTSysADM] AWS East Outage

I was using Chrome when it redirected for me

On Fri, Mar 3, 2017 at 10:30 AM, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:
Interesting, it does for me too…in IE.  In Chrome I get nothing.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Erik Goldoff
Sent: Friday, March 3, 2017 10:29 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Jim, your link redirects to 
http://goodworks.sprint.com/1millionproject/index.cfm when I try.

On Fri, Mar 3, 2017 at 10:09 AM, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:
And FYI, O365 links in emails that are forwarded are being mangled all to heck 
with the safelinks URL:

https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsetda.us1.list-manage.com%2Ftrack%2Fclick%3Fu%3D1f18c643d052d9f509a7060f4%26id%3D4468f8ea88%26e%3Df6ca991d43=01%7C01%7CKirk.Ross%40education.ohio.gov%7C37f0e0e838cb408d4bab08d46238bbff%7C50f8fcc494d84f0784eb36ed57c7c8a2%7C0=b9EZV2pC5iDLa9skdivN6PkET49ceN01wFdK6GoB2L8%3D=0


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Kennedy, Jim
Sent: Friday, March 3, 2017 10:06 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

What do we call it when URL detonation is detonated?

https://www.trustedsec.com/blog/office-365-advanced-threat-protection-features-shortfalls/


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Friday, March 3, 2017 9:52 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Do you mean like this?

https://blogs.office.com/2017/01/25/evolving-office-365-advanced-threat-protection-with-url-detonation-and-dynamic-delivery/

--
Espi


On Thu, Mar 2, 2017 at 2:02 PM, Michael B. Smith 
<mich...@smithcons.com> wrote:
I was in an NDA call last week regarding some upcoming changes to a particular 
vendor's anti-malware product, and was introduced to the term "link detonation".

-Original Message-
From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Calvin McLennan
Sent: Thursday, March 2, 2017 4:10 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

I'm much more unnerved by the term 'blast radius'

Cal

-Original Message-
From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Michael B. Smith
Sent: March 2, 2017 3:36 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

OMG.



“we have not completely restarted the index subsystem or the placement 
subsystem in our larger regions for many years.”



That sentence scares me. But perhaps it shouldn’t.



From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Kennedy, Jim
Sent: Thursday, March 2, 2017 3:12 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



So the facts are out. Short version, basically someone fat fingered a command 
and deleted a bunch of really important servers.





https://aws.amazon.com/message/41926/





From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Melvin Backus
Sent: Thursday, March 2, 2017 9:47 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



That’s probably what caused the problem to begin with. All that conversion and 
somebody missed a decimal point.



--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.



From: listsad...@lists.m

RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

2017-03-03 Thread Kennedy, Jim
Interesting, it does for me too…in IE.  In Chrome I get nothing.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Erik Goldoff
Sent: Friday, March 3, 2017 10:29 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Jim, your link redirects to 
http://goodworks.sprint.com/1millionproject/index.cfm when I try.

On Fri, Mar 3, 2017 at 10:09 AM, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:
And FYI, O365 links in emails that are forwarded are being mangled all to heck 
with the safelinks URL:

https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsetda.us1.list-manage.com%2Ftrack%2Fclick%3Fu%3D1f18c643d052d9f509a7060f4%26id%3D4468f8ea88%26e%3Df6ca991d43=01%7C01%7CKirk.Ross%40education.ohio.gov%7C37f0e0e838cb408d4bab08d46238bbff%7C50f8fcc494d84f0784eb36ed57c7c8a2%7C0=b9EZV2pC5iDLa9skdivN6PkET49ceN01wFdK6GoB2L8%3D=0


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Kennedy, Jim
Sent: Friday, March 3, 2017 10:06 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

What do we call it when URL detonation is detonated?

https://www.trustedsec.com/blog/office-365-advanced-threat-protection-features-shortfalls/


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Friday, March 3, 2017 9:52 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Do you mean like this?

https://blogs.office.com/2017/01/25/evolving-office-365-advanced-threat-protection-with-url-detonation-and-dynamic-delivery/

--
Espi


On Thu, Mar 2, 2017 at 2:02 PM, Michael B. Smith 
<mich...@smithcons.com> wrote:
I was in an NDA call last week regarding some upcoming changes to a particular 
vendor's anti-malware product, and was introduced to the term "link detonation".

-Original Message-
From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Calvin McLennan
Sent: Thursday, March 2, 2017 4:10 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

I'm much more unnerved by the term 'blast radius'

Cal

-Original Message-
From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Michael B. Smith
Sent: March 2, 2017 3:36 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

OMG.



“we have not completely restarted the index subsystem or the placement 
subsystem in our larger regions for many years.”



That sentence scares me. But perhaps it shouldn’t.



From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Kennedy, Jim
Sent: Thursday, March 2, 2017 3:12 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



So the facts are out. Short version, basically someone fat fingered a command 
and deleted a bunch of really important servers.





https://aws.amazon.com/message/41926/





From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Melvin Backus
Sent: Thursday, March 2, 2017 9:47 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



That’s probably what caused the problem to begin with. All that conversion and 
somebody missed a decimal point.



--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.



From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of David McSpadden
Sent: Thursday, March 2, 2017 7:17 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



I believe it was an US-Converted-Metric S-ton IMHO.





From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum

RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

2017-03-03 Thread Kennedy, Jim
And FYI, O365 links in emails that are forwarded are being mangled all to heck 
with the safelinks URL:

https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsetda.us1.list-manage.com%2Ftrack%2Fclick%3Fu%3D1f18c643d052d9f509a7060f4%26id%3D4468f8ea88%26e%3Df6ca991d43=01%7C01%7CKirk.Ross%40education.ohio.gov%7C37f0e0e838cb408d4bab08d46238bbff%7C50f8fcc494d84f0784eb36ed57c7c8a2%7C0=b9EZV2pC5iDLa9skdivN6PkET49ceN01wFdK6GoB2L8%3D=0


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Friday, March 3, 2017 10:06 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

What do we call it when URL detonation is detonated?

https://www.trustedsec.com/blog/office-365-advanced-threat-protection-features-shortfalls/


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Friday, March 3, 2017 9:52 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Do you mean like this?

https://blogs.office.com/2017/01/25/evolving-office-365-advanced-threat-protection-with-url-detonation-and-dynamic-delivery/

--
Espi


On Thu, Mar 2, 2017 at 2:02 PM, Michael B. Smith 
<mich...@smithcons.com> wrote:
I was in an NDA call last week regarding some upcoming changes to a particular 
vendor's anti-malware product, and was introduced to the term "link detonation".

-Original Message-
From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Calvin McLennan
Sent: Thursday, March 2, 2017 4:10 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

I'm much more unnerved by the term 'blast radius'

Cal

-Original Message-
From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Michael B. Smith
Sent: March 2, 2017 3:36 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

OMG.



“we have not completely restarted the index subsystem or the placement 
subsystem in our larger regions for many years.”



That sentence scares me. But perhaps it shouldn’t.



From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Kennedy, Jim
Sent: Thursday, March 2, 2017 3:12 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



So the facts are out. Short version, basically someone fat fingered a command 
and deleted a bunch of really important servers.





https://aws.amazon.com/message/41926/





From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Melvin Backus
Sent: Thursday, March 2, 2017 9:47 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



That’s probably what caused the problem to begin with. All that conversion and 
somebody missed a decimal point.



--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.



From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of David McSpadden
Sent: Thursday, March 2, 2017 7:17 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



I believe it was an US-Converted-Metric S-ton IMHO.





From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Thursday, March 2, 2017 7:05 AM
To: ntsysadm@lists.myitforum.com
Subject: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Is that a metric S-ton, or the other kind?

There is a difference.

On Mar 2, 2017 2:38 AM, "Don Ely" <don@gmail.com> wrote:

It is pretty trivial if you're setup correctly, but the setup takes an 
S-Ton of work and testing...



On Wed, Mar 1, 2017 at 3:30 PM Michael B. Smith <mich...@smithcons.com> wrote:

I have to say

RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

2017-03-03 Thread Kennedy, Jim
What do we call it when URL detonation is detonated?

https://www.trustedsec.com/blog/office-365-advanced-threat-protection-features-shortfalls/


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Micheal Espinola Jr
Sent: Friday, March 3, 2017 9:52 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Do you mean like this?

https://blogs.office.com/2017/01/25/evolving-office-365-advanced-threat-protection-with-url-detonation-and-dynamic-delivery/

--
Espi


On Thu, Mar 2, 2017 at 2:02 PM, Michael B. Smith <mich...@smithcons.com> wrote:
I was in an NDA call last week regarding some upcoming changes to a particular 
vendor's anti-malware product, and was introduced to the term "link detonation".

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Calvin McLennan
Sent: Thursday, March 2, 2017 4:10 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

I'm much more unnerved by the term 'blast radius'

Cal

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: March 2, 2017 3:36 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

OMG.



“we have not completely restarted the index subsystem or the placement 
subsystem in our larger regions for many years.”



That sentence scares me. But perhaps it shouldn’t.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, March 2, 2017 3:12 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



So the facts are out. Short version, basically someone fat fingered a command 
and deleted a bunch of really important servers.





https://aws.amazon.com/message/41926/





From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Thursday, March 2, 2017 9:47 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

That’s probably what caused the problem to begin with. All that conversion and 
somebody missed a decimal point.



--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Thursday, March 2, 2017 7:17 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage



I believe it was an US-Converted-Metric S-ton IMHO.





From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Thursday, March 2, 2017 7:05 AM
To: ntsysadm@lists.myitforum.com
Subject: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Is that a metric S-ton, or the other kind?

There is a difference.

On Mar 2, 2017 2:38 AM, "Don Ely" <don@gmail.com> wrote:

It is pretty trivial if you're setup correctly, but the setup takes an 
S-Ton of work and testing...



On Wed, Mar 1, 2017 at 3:30 PM Michael B. Smith <mich...@smithcons.com> wrote:

I have to say, what surprised me most about this outage was the 
lack of failover to alternate datacenters for some pretty big names.



I have no idea how this works in AWS, but in Azure it’s fairly 
trivial; I would expect the same of AWS.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Andrew S. Baker
Sent: Wednesday, March 1, 2017 12:22 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] AWS East Outage




RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

2017-03-02 Thread Kennedy, Jim
*Nix FTW.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, March 2, 2017 3:39 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

OMG.

“we have not completely restarted the index subsystem or the placement 
subsystem in our larger regions for many years.”

That sentence scares me. But perhaps it shouldn’t.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, March 2, 2017 3:12 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

So the facts are out. Short version, basically someone fat fingered a command 
and deleted a bunch of really important servers.


https://aws.amazon.com/message/41926/


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Thursday, March 2, 2017 9:47 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

That’s probably what caused the problem to begin with. All that conversion and 
somebody missed a decimal point.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Thursday, March 2, 2017 7:17 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

I believe it was an US-Converted-Metric S-ton IMHO.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Thursday, March 2, 2017 7:05 AM
To: ntsysadm@lists.myitforum.com
Subject: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Is that a metric S-ton, or the other kind?

There is a difference.

On Mar 2, 2017 2:38 AM, "Don Ely" <don@gmail.com> wrote:
It is pretty trivial if you're setup correctly, but the setup takes an S-Ton of 
work and testing...

On Wed, Mar 1, 2017 at 3:30 PM Michael B. Smith <mich...@smithcons.com> wrote:
I have to say, what surprised me most about this outage was the lack of 
failover to alternate datacenters for some pretty big names.

I have no idea how this works in AWS, but in Azure it’s fairly trivial; I would 
expect the same of AWS.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Andrew S. Baker
Sent: Wednesday, March 1, 2017 12:22 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] AWS East Outage

If not S3, then what?

You're always going to be relying on someone else's something.

Some data center provider (okay, so you might run your own)
Some power provider
Some Internet provider

It's not like they have internet outages every week, and it's not like various 
organizations relying upon them haven't had outages for their own reasons.

Technology breaks, which is why we RAID, cluster, backup, failover and farm our 
systems, devices and data centers.


Regards,



 ASB
 http://XeeMe.com/AndrewBaker

 Providing Expert Technology Consulting Services for the SMB market…

 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842









On Wed, Mar 1, 2017 8:37 AM, J- P jnat...@hotmail.com wrote:

https://techcrunch.com/2017/03/01/the-day-amazon-s3-storage-stood-still/

Would / should you hold your IT vendor responsible for relying on S3?





Jean-Paul Natola



From: listsad...@lists.myitforum.com <listsad...@lists.myitforum.com> on behalf 
of Andrew S. Baker <asbz...@gmail.com>
Sent: Tuesday, February 28, 2017 5:36 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] AWS East Outage

Indeed.


Regards,


 ASB
 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842









On Tue, Feb 28, 2017 3:56 PM, David McSpadden dav...@imcu.com wrote:
So the normal question 'is the Internet down?' Is valid today?

Sent

RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

2017-03-02 Thread Kennedy, Jim
So the facts are out. Short version, basically someone fat fingered a command 
and deleted a bunch of really important servers.


https://aws.amazon.com/message/41926/


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Thursday, March 2, 2017 9:47 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

That’s probably what caused the problem to begin with. All that conversion and 
somebody missed a decimal point.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Thursday, March 2, 2017 7:17 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [EXTERNAL]Re: [NTSysADM] AWS East Outage

I believe it was an US-Converted-Metric S-ton IMHO.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Thursday, March 2, 2017 7:05 AM
To: ntsysadm@lists.myitforum.com
Subject: [EXTERNAL]Re: [NTSysADM] AWS East Outage

Is that a metric S-ton, or the other kind?

There is a difference.

On Mar 2, 2017 2:38 AM, "Don Ely" <don@gmail.com> wrote:
It is pretty trivial if you're setup correctly, but the setup takes an S-Ton of 
work and testing...

On Wed, Mar 1, 2017 at 3:30 PM Michael B. Smith <mich...@smithcons.com> wrote:
I have to say, what surprised me most about this outage was the lack of 
failover to alternate datacenters for some pretty big names.

I have no idea how this works in AWS, but in Azure it’s fairly trivial; I would 
expect the same of AWS.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Andrew S. Baker
Sent: Wednesday, March 1, 2017 12:22 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] AWS East Outage

If not S3, then what?

You're always going to be relying on someone else's something.

Some data center provider (okay, so you might run your own)
Some power provider
Some Internet provider

It's not like they have internet outages every week, and it's not like various 
organizations relying upon them haven't had outages for their own reasons.

Technology breaks, which is why we RAID, cluster, backup, failover and farm our 
systems, devices and data centers.


Regards,



 ASB
 http://XeeMe.com/AndrewBaker

 Providing Expert Technology Consulting Services for the SMB market…

 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842









On Wed, Mar 1, 2017 8:37 AM, J- P jnat...@hotmail.com wrote:

https://techcrunch.com/2017/03/01/the-day-amazon-s3-storage-stood-still/

Would / should you hold your IT vendor responsible for relying on S3?





Jean-Paul Natola



From: listsad...@lists.myitforum.com <listsad...@lists.myitforum.com> on behalf 
of Andrew S. Baker <asbz...@gmail.com>
Sent: Tuesday, February 28, 2017 5:36 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] AWS East Outage

Indeed.


Regards,


 ASB
 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842









On Tue, Feb 28, 2017 3:56 PM, David McSpadden dav...@imcu.com wrote:
So the normal question 'is the Internet down?' Is valid today?

Sent from my iPhone

On Feb 28, 2017, at 3:44 PM, Andrew S. Baker <asbz...@gmail.com> wrote:

Indeed.

It's like someone broke the whole Internet.   Or, at least, 80% of it.


Regards,



 ASB
 http://XeeMe.com/AndrewBaker

 Providing Expert Technology Consulting Services for the SMB market…

 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842








On Tue, Feb 28, 2017 2:13 PM, Kennedy, Jim 
kennedy...@elyriaschools.org&l

RE: [NTSysADM] Wrong username shown as who has Word 2010 file open

2017-03-01 Thread Kennedy, Jim
The version of Office that is being used was registered with the former 
employee's name.  That is where that comes from in Office.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Wednesday, March 1, 2017 3:36 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Wrong username shown as who has Word 2010 file open

This is strange. We use Word 2010, and we have one document that a dozen people 
or so share. Now, here's the weird part - if Joe has the file open, and I go to 
open it, it says that "Jack has the file open".
It doesn't say "Joe", it says the name of a former employee. Mind you, this 
former employee's AD account is currently disabled.

Oddly, if I go to the server that hosts this file, and look in Computer 
Management for the list of open files, it properly shows "Joe". No mention of 
"Jack".

Which makes me say "uhh ... wut?".

Any ideas? I think "Jack" was the user who may have originally created the 
document. But why does it say that Jack has the file open, when Jack can't even 
log in, much less open a document? And mind you, the Jack account no longer has 
access to the network share where this document is located.




RE: [NTSysADM] AWS East Outage

2017-03-01 Thread Kennedy, Jim
No.  Their uptime is still better than anything I run on my own.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of J- P
Sent: Wednesday, March 1, 2017 8:44 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] AWS East Outage


https://techcrunch.com/2017/03/01/the-day-amazon-s3-storage-stood-still/

Would / should you hold your IT vendor responsible for relying on S3?





Jean-Paul Natola



From: listsad...@lists.myitforum.com <listsad...@lists.myitforum.com> on behalf 
of Andrew S. Baker <asbz...@gmail.com>
Sent: Tuesday, February 28, 2017 5:36 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] AWS East Outage

Indeed.


Regards,


 ASB
 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842








On Tue, Feb 28, 2017 3:56 PM, David McSpadden dav...@imcu.com wrote:
So the normal question 'is the Internet down?' Is valid today?

Sent from my iPhone

On Feb 28, 2017, at 3:44 PM, Andrew S. Baker <asbz...@gmail.com> wrote:



Indeed.

It's like someone broke the whole Internet.   Or, at least, 80% of it.


Regards,



 ASB
 http://XeeMe.com/AndrewBaker

 Providing Expert Technology Consulting Services for the SMB market...

 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842








On Tue, Feb 28, 2017 2:13 PM, Kennedy, Jim kennedy...@elyriaschools.org wrote:

Learning very quickly how many vendors we have that are using AWS.  Lots is the 
first word that comes to mind.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Charles F Sullivan
Sent: Tuesday, February 28, 2017 1:57 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] AWS East Outage



Any of your organizations being affected by this? The few services we have 
moved there so far are down.

http://bgr.com/2017/02/28/internet-outage-amazon-web-services/





Charlie Sullivan

Sr. Windows Systems Administrator

Boston College

197 Foster St. Room 367

Brighton, MA 02135






RE: [NTSysADM] AWS East Outage

2017-02-28 Thread Kennedy, Jim
Learning very quickly how many vendors we have that are using AWS.  Lots is the 
first word that comes to mind.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Charles F Sullivan
Sent: Tuesday, February 28, 2017 1:57 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] AWS East Outage

Any of your organizations being affected by this? The few services we have 
moved there so far are down.
http://bgr.com/2017/02/28/internet-outage-amazon-web-services/


Charlie Sullivan
Sr. Windows Systems Administrator
Boston College
197 Foster St. Room 367
Brighton, MA 02135



RE: [NTSysADM] Question re job interview

2017-02-21 Thread Kennedy, Jim
Awesome.  I do believe the primary purpose of that exercise was to see how you 
communicate, and how you handle pressure.


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Graeme Carstairs
Sent: Tuesday, February 21, 2017 8:02 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Question re job interview

Just thought I would let you know

I went with Eric's advice and gave my presentation at the interview despite 
timing it at 8 minutes it actually lasted 15 minutes at the interview

They thanked me for a presentation said it showed I understood the topics and 
could communicate effectively

And I got the job

Thanks guys


On Thu, 2 Feb 2017 at 19:27, Kurt Buff wrote:
Erik has some good advice, but I'd take a close look at the published
job description, and cast your discussion in terms that would fit
that, as you would to your next two layers of management.

For sure, 10 minutes isn't much time, as that's a huge subject, so
you'll of necessity need to do a rather broad overview, but take your
time and practice speaking/enunciating clearly.

I wouldn't make your submission a verbatim transcript of your talk;
just give the outline - unless they're specifically looking for that,
which seems unlikely.

Kurt

On Thu, Feb 2, 2017 at 7:09 AM, Graeme Carstairs wrote:
> hi,
>
> having just been made redundant I have been applying for all sorts of IT
> roles, what I have been doing for the last 15 years (designing, implementing
> and supporting windows server based networks for small to large
> enterprises).
>
> I have just received my first interview confirmation, and they have asked
> that I submit in advance and give on the day a 10 minute presentation on the
> topic "Discuss Data Management, availability and Disaster Recovery"
>
> Now I have never been asked to do this before well more not on such a wide
> topic.
>
> anyone got any suggestions on what I can base it around, I am not looking
> for anyone to do it for me just some topics or ideas on what to do it on?
>
> TIA
>
>
> --
>
>
> e-mail :- loonyto...@gmail.com

--
Graeme Carstairs

e-mail :- loonyto...@gmail.com


RE: [NTSysADM] Some advice needed about allowing local C: drive access

2017-02-17 Thread Kennedy, Jim
I would put a security filter on the GPO where the domain user in question has 
read, but not apply perms on that GPO.

Well, I would create a group and put that user in that group...but you get the 
idea.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Friday, February 17, 2017 12:40 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Some advice needed about allowing local C: drive access

I know I've read about this procedure somewhere, but I'm not finding it at the 
moment.

We have this application that writes out its debug log to c:\debug.
Now, we hide drive C: from domain users using GPO (User 
Configuration/Policies/Administrative Policies/Windows Components/File 
Explorer/Hide these specific drives ("Restrict A.B.C")).

So what my help desk staff needs to do is to log onto these workstations (as a 
specific domain account), run the software, and need to be able to see, read 
(and optionally write to) this C:\Debug location, to identify/fix problems.
(this is the "Check21" check processing software, if anyone else uses it)

What I don't know is how best to do this.

Oh, sure, I could create a whole new GPO, without that "Hide drives"
setting, and limit it only to this one domain login. But is there a better, 
more efficient way to do this? I want C: drive hidden from the majority of my 
users, but do need certain logons that aren't limited this way.

And I don't want the logon to be local admin, or have any access other than 
just standard domain user (or I could use a Restricted Group).

Thoughts? Advice?
(Win 2008 R2 domain)




RE: [NTSysADM] Odd problem with DHCP

2017-02-08 Thread Kennedy, Jim
Yea, yours sounds a tad different than mine.  Shame, my guest wireless dhcp 
server is named  PropOfFBI  That alone was worth the effort.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Wednesday, February 8, 2017 4:01 PM
To: ntsysadm
Subject: Re: [NTSysADM] Odd problem with DHCP

I think I'll start with a capture, and see what PA has to say about it.

I really don't want to stand up a separate machine just for DHCP in the guest 
wireless network, and if the PA isn't seeing the DHCP request so as to issue an 
address, it doesn't fill me with hope that it would be any better being a DHCP 
relay.

Kurt

On Wed, Feb 8, 2017 at 12:36 PM, Kennedy, Jim <kennedy...@elyriaschools.org> 
wrote:
> Used to see it a lot until we started using my Windows Servers for dhcp 
> instead of Cisco.  It was a nightmare, took it to TAC and MS support with 
> zero luck.
>
> -Original Message-
> From: listsad...@lists.myitforum.com 
> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
> Sent: Wednesday, February 8, 2017 3:28 PM
> To: ntsysadm
> Subject: [NTSysADM] Odd problem with DHCP
>
> All,
>
> We've seen three instances lately where Windows workstations are failing to 
> get an address via a wireless connection.
>
> The DHCP server in this case is our firewall (a Palo Alto 3000 series), 
> serving the guest network only.
>
> The three machines are a desktop destined for a trade show, a roaming laptop 
> used in our lab, and a visiting vendor rep.
>
> The vendor rep was running Win8.1, the others are win10.
>
> The only commonality I saw was that each of the machines was running some 
> sort of virtualization - two are using hyper-v, and one using virtualbox.
>
> I didn't have time to set up a packet capture on the firewall, but I was able 
> to tail the dhcp log on the firewall, and in each case I never saw the 
> request hit the log.
>
> In all cases, shutting down the services related to the virtualization did 
> not solve the problem.
>
> Has anyone seen anything like this before, or have any ideas on how to 
> troubleshoot it?
>
> I'm about to remove the virtualization config from our two machines to see if 
> that makes a difference, but if that's the problem, then I'd love to know how 
> to fix it, because the virtualization they're running is part of their 
> required configuration.
>
> Kurt
>
>




RE: [NTSysADM] Blocking AD Client Traffic to a Certain Site

2017-02-08 Thread Kennedy, Jim
That last part is where I am at.  I am not seeing what this firewall rule will 
fix or prevent that needs to be fixed or prevented.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Andrew S. Baker
Sent: Wednesday, February 8, 2017 11:53 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Blocking AD Client Traffic to a Certain Site

>> So far the consensus seems to be that AD clients rarely cross sites when the 
>> sites are defined correctly and DNS is clean.

I can't think of a time when I've seen AD clients cross sites when everything 
was up, and the sites were defined correctly.

As for the firewall, I wouldn't do it.  It's operationally kludgy, prone to 
complexity when you need it to be altered, and likely to be poorly documented 
and forgotten.

Most importantly, the correct configuration will preclude the need for it.


Regards,



 ASB
 http://XeeMe.com/AndrewBaker

 Providing Expert Technology Consulting Services for the SMB market…

 GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842









On Wed, Feb 8, 2017 10:35 AM, Charles F Sullivan 
charles.sulliva...@bc.edu wrote:

Yes, that's the way I understand it. However, I have wondered if maybe this
doesn't always work as it should. On the other hand, if others are doing
this and not seeing clients crossing sites when they shouldn't, that's good
enough for me.

Because our AD has now and always has had just one site, I’m relying on
feedback from others who have multiple sites. So far the consensus seems to
be that AD clients rarely cross sites when the sites are defined correctly
and DNS is clean. If that's true, I'll report to management that it should
happen only rarely.

Even more importantly, I wanted to hear what others think of relying on a
firewall to keep *all* client traffic from crossing sites (DCs would freely
communicate across sites). I think it's a bad idea, but I'm going to be
pressed for a reason other than the reconfiguration necessary in a disaster
scenario.





-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Brian Desmond
Sent: Wednesday, February 8, 2017 9:43 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Blocking AD Client Traffic to a Certain Site

AD will match the most specific subnet so in this case the 10.0.0.0/16
subnet will match anyone who is 10.0.X.X. IP.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132



-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Kurt Buff
Sent: Tuesday, February 7, 2017 6:55 PM
To: ntsysadm
Subject: Re: [NTSysADM] Blocking AD Client Traffic to a Certain Site

And there's your problem, if you didn't typo your response.

10.0.0.0/8 overlaps with (actually includes) 10.0.0.0/16

That's why some clients will go to your second site (AWS) at random.

You probably need to list out your subnets more carefully for your main
site.

Kurt



On Tue, Feb 7, 2017 at 11:33 AM, Charles F Sullivan wrote:
> I’ve only been able to do very limited testing.
>
> - I had about 8 member servers in a site which were actually all in
> the same subnet as each of and the one DC we had for testing, let’s
> call the subnet 198.168.17.0/24. In that site I included the usual private
> ranges:
> 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8
>
> - At AWS I had a subnet with one DC and just a couple of member
> servers in the 10.0.0.0/16 subnet, which was defined as the only AWS site.
>
> Note that the AWS subnet is a subset of one that I defined at the main
> site, but this absolutely is supported by MS and others have told me
> that this works for them. Despite all of this I did see one member
> server in the main site use the AWS DC after a reboot even though the
> local DC was clearly present and being used by the other member
> servers. So that means 1 out 8 member servers I had for testing
> crossed sites. This made me wonder how often it might happen in our
> production environment where there are thousands of member computers.
>
> I do have to say that I recently got to test this again, this time
> having 5 DCs at the main site and 2 at AWS. Again, I had just a
> handful of member servers and a workstation and this time I didn’t see
> any of them using an AWS DC. The AWS admin didn’t see his one member
> server use anything besides an AWS DC.
>
> From: listsad...@lists.myitforum.com
> [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Michael B. Smith
> Sent: Tuesday, February 7, 2017 1:32 PM
> To: 
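
A small check for the subnet overlap discussed in this thread, added here as an example and not code from any poster: it lists subnets that sit inside another site's subnet and maps sample addresses to a site. It assumes the most specific (longest-prefix) subnet decides the site; the site names `Main` and `AWS` and the client addresses are constructed, while the subnets are the ones written in the thread.

```python
import ipaddress

# Subnet-to-site assignments as written in the thread. The site names
# "Main" and "AWS" are labels chosen for this example.
SITE_SUBNETS = {
    "Main": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"],
    "AWS": ["10.0.0.0/16"],
}

# Constructed client addresses. 198.168.17.10 sits in 198.168.17.0/24,
# the member-server subnet exactly as typed in the quoted message.
SAMPLE_CLIENTS = ["10.0.5.20", "10.1.5.20", "192.168.17.10", "198.168.17.10"]


def _table(site_subnets):
    return [(ipaddress.ip_network(cidr), site)
            for site, cidrs in site_subnets.items() for cidr in cidrs]


def nested_subnets(site_subnets):
    """List (inner, inner_site, outer, outer_site) where one site's subnet
    lies inside a subnet assigned to a different site."""
    table = _table(site_subnets)
    return [(str(inner), inner_site, str(outer), outer_site)
            for inner, inner_site in table
            for outer, outer_site in table
            if inner_site != outer_site and inner.subnet_of(outer)]


def site_for(address, site_subnets):
    """Assumption: the most specific (longest-prefix) subnet decides the
    site. Returns None when no defined subnet covers the address."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, site)
               for net, site in _table(site_subnets) if ip in net]
    return max(matches)[1] if matches else None


def audit(addresses, site_subnets):
    return {addr: site_for(addr, site_subnets) for addr in addresses}


if __name__ == "__main__":
    for inner, inner_site, outer, outer_site in nested_subnets(SITE_SUBNETS):
        print(f"{inner} ({inner_site}) is inside {outer} ({outer_site})")
    for addr, site in audit(SAMPLE_CLIENTS, SITE_SUBNETS).items():
        print(f"{addr:>15} -> {site or 'no site mapping'}")
```

An address that maps to no site at all is the first thing to chase, since such a client has no site preference when it picks a DC.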

RE: [NTSysADM] Blocking AD Client Traffic to a Certain Site

2017-02-07 Thread Kennedy, Jim
It seems like a bad idea because in the event of a disaster you won’t have a 
seamless cut over. Gotta find the firewall guy and they are usually hard to 
find in my experience, get the firewall modified…then notify lots of people to 
reboot and retry…..

I would want to know more about why the director thinks a one in a million 
cross site connection is so bad. Maybe I am missing something.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Charles F Sullivan
Sent: Tuesday, February 7, 2017 11:46 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Blocking AD Client Traffic to a Certain Site

I’d like to get some ideas and opinions regarding this, especially if anyone 
has had a similar need…..

Our AD topology to this point has been as simple as can be. Since just about 
everything on our extended network is connected at high speeds, we have never 
had to have more than one AD site. We are about to put a couple of DCs at AWS, 
which of course will require a second site to be defined. This will still be 
pretty straightforward. Everything but AWS will be on the one existing site and 
a second site will be added for the one subnet at AWS.

I know that even with the two sites defined, some clients may at times use the 
remote site. This is what I have seen in testing, for whatever reason, but I 
don’t consider it to be a real problem because I assume it would not happen 
often. The problem is that our director wants absolutely no cross-site traffic 
except in the case of a disaster.

It is being proposed that the firewall between the sites allow only AD traffic 
between the DCs themselves. AD clients would be stopped at the firewall. I’m 
not comfortable with that as a solution because I’m concerned that when clients 
do try to use DCs at the remote site, it will cause slowness if not failure. 
Does this seem like a bad idea for that or any other reason?

I was thinking that maybe I could use weight and priority within SRV records so 
that the DCs at AWS would be weight=0 and priority=65535. If I did that, would 
the clients at AWS honor the site rules over the SRV records weight and 
priority? I’m guessing that would be unpredictable, thus also not a good solution.

Thanks in advance for any help.


Charlie Sullivan
Sr. Windows Systems Administrator



RE: [NTSysADM] Any Lync / Skype gurus about?

2017-01-24 Thread Kennedy, Jim
From what I have seen, cell phone companies are VERY slow to propagate DNS 
changes.  It may just be that lag.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Tuesday, January 24, 2017 11:04 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Any Lync / Skype gurus about?

IDK, I’ve been secondary on this. I’ll pass it along.
Thanks

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Tuesday, January 24, 2017 10:02 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Any Lync / Skype gurus about?

Have you reviewed this: Lync Server 2010 - Technical Requirements for Mobility 
<https://technet.microsoft.com/en-us/library/hh690030(v=ocs.14).aspx>


--
Espi


On Tue, Jan 24, 2017 at 5:00 AM, Melvin Backus wrote:
We’ve been beating our heads against this one for a while with no luck.  We’re 
running Lync 2010 servers and trying to get the mobile access working.  For 
some reason when mobile users try to connect to a meeting from outside the 
network the initial page comes up then immediately redirects to the internal 
address of the backend server. Since that is pointing to an internal only 
domain name it won’t resolve and they get a 404 error.  We’ve been through 
everything we can find and changed it to point to the external address but 
still no luck.  This all works fine for external PC clients, only fails with 
mobile.  Mobile works fine as well if it connects to the internal guest 
wireless.

Lync Server 2010 Standard – 1 backend server, one frontend server, reverse 
proxy running on IIS with Adv URL rewrite.

Any suggestions as to where we might have missed?  We’ve been Googling for 
weeks and while we obviously aren’t the only ones who’ve run into this, no one 
has published whatever fixed it, assuming that happened. ☺

Thanks


Service Desk | 404-497-1599 | 
https://servicedesk.byers.com
Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 
404.497.1565
--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.




[NTSysADM] RE: Deny read on an OU Tree

2017-01-19 Thread Kennedy, Jim
Ok, I'm an idiot today.  The original deny on 'Students' was 'this object only'.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, January 19, 2017 2:57 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Deny read on an OU Tree

There are other OU's under ElyriaSchools that need to be included that you 
don't see.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Thursday, January 19, 2017 2:48 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Deny read on an OU Tree

So assuming all the staff accounts are under administration, why not point it 
there instead?  Why even allow the rest of the OUs to be included if it's staff 
only?

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Thursday, January 19, 2017 2:17 PM
To: 'ntsysadm@lists.myitforum.com' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Deny read on an OU Tree


Putting up a wireless SSID for staff using a Cisco WCL. Best way to do this is 
a straight OU lookup but I can only point it at one OU.  There are multiple 
OU's I need to target that are all under 'Elyriaschools'

As you can see Students have sub ou's for the year they are allegedly going to 
graduate.  I want to deny read to all those years, the entirety of the Students 
OU.  You would think a deny on the account that does the LDAP lookups on 
'Students' would deny on all the sub OU's.

But it doesn't, I have to put a deny on each Year.

Am I missing something, can I do a single deny somehow on Students?  Each 
school year a new folder is created in Students for the incoming Kindergarten 
folks….you know we will forget to do this next fall.



RE: [NTSysADM] Deny read on an OU Tree

2017-01-19 Thread Kennedy, Jim
With an explicit deny on ‘Students’ they can still read  Students\2017 and so 
on.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Nathan Shelby
Sent: Thursday, January 19, 2017 3:08 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Deny read on an OU Tree

I would strongly recommend an explicit deny, just remove the ability to read

https://www.microsoftpressstore.com/articles/article.aspx?p=2231764=3
The above explains how to accomplish your goal, you'll need to adjust 
inheritance accordingly if you want it to apply down level. Note that this 
change may have greater impacts than just this.

Nathan Shelby
ntshe...@gmail.com
425-205-9047

On Thu, Jan 19, 2017 at 11:16 AM, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:

Putting up a wireless SSID for staff using a Cisco WCL. Best way to do this is 
a straight OU lookup but I can only point it at one OU.  There are multiple 
OU’s I need to target that are all under ‘Elyriaschools’

As you can see Students have sub ou’s for the year they are allegedly going to 
graduate.  I want to deny read to all those years, the entirety of the Students 
OU.  You would think a deny on the account that does the LDAP lookups on 
‘Students’ would deny on all the sub OU’s.

But it doesn’t, I have to put a deny on each Year.

Am I missing something, can I do a single deny somehow on Students?  Each 
school year a new folder is created in Students for the incoming Kindergarten 
folks….you know we will forget to do this next fall.



RE: [NTSysADM] Deny read on an OU Tree

2017-01-19 Thread Kennedy, Jim
Trying to avoid that.  Will end up having to move a boatload of GPO’s with 
them, but looking like that is the way I am going to go.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of D R
Sent: Thursday, January 19, 2017 3:08 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Deny read on an OU Tree

Jim,

Why don't you create a new OU and put those who need wireless under that OU? 
Then point to that OU?

Daniel

On Thu, Jan 19, 2017 at 1:16 PM, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:

Putting up a wireless SSID for staff using a Cisco WCL. Best way to do this is 
a straight OU lookup but I can only point it at one OU.  There are multiple 
OU’s I need to target that are all under ‘Elyriaschools’

As you can see Students have sub ou’s for the year they are allegedly going to 
graduate.  I want to deny read to all those years, the entirety of the Students 
OU.  You would think a deny on the account that does the LDAP lookups on 
‘Students’ would deny on all the sub OU’s.

But it doesn’t, I have to put a deny on each Year.

Am I missing something, can I do a single deny somehow on Students?  Each 
school year a new folder is created in Students for the incoming Kindergarten 
folks….you know we will forget to do this next fall.



--
Daniel Rodriguez
drod...@gmail.com


[NTSysADM] RE: Deny read on an OU Tree

2017-01-19 Thread Kennedy, Jim
There are other OU's under ElyriaSchools that need to be included that you 
don't see.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Thursday, January 19, 2017 2:48 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Deny read on an OU Tree

So assuming all the staff accounts are under administration, why not point it 
there instead?  Why even allow the rest of the OUs to be included if it's staff 
only?

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Thursday, January 19, 2017 2:17 PM
To: 'ntsysadm@lists.myitforum.com' <ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Deny read on an OU Tree


Putting up a wireless SSID for staff using a Cisco WCL. Best way to do this is 
a straight OU lookup but I can only point it at one OU.  There are multiple 
OU's I need to target that are all under 'Elyriaschools'

As you can see Students have sub ou's for the year they are allegedly going to 
graduate.  I want to deny read to all those years, the entirety of the Students 
OU.  You would think a deny on the account that does the LDAP lookups on 
'Students' would deny on all the sub OU's.

But it doesn't, I have to put a deny on each Year.

Am I missing something, can I do a single deny somehow on Students?  Each 
school year a new folder is created in Students for the incoming Kindergarten 
folks….you know we will forget to do this next fall.


