Sysadmin

A reddit dedicated to the profession of Computer System Administration.

76

This is an automated archive.

The original was posted on /r/sysadmin by /u/VonTreece on 2024-01-23 16:52:09+00:00.


I started working for a small family-owned business of about 30 people six months ago. Since starting, I’ve quickly become “the tech guy” because of my relatively advanced computer knowledge compared to the rest of the employees/management. That knowledge, however, I’m sure pales in comparison to the majority of you browsing this subreddit, which is exactly why I’m here!

They want me to set up a total of 8 PCs for some private offices. They will only be using a handful of extremely basic programs like QuickBooks, the Microsoft 365 suite, Photoshop, etc. and will also be file sharing locally. The amount of adware and bloat I’ve found on their current computers that I’m sure they’ve unknowingly installed is unreal, so I’m thinking I’ll need some restrictions in place on that front as well.

My question is really how you would suggest approaching setting up such a small amount of computers while also doing it as “correctly” as can be. I appreciate any and all advice/direction and sorry if this isn’t the right place to ask this.

Edit: After reading much of the great advice here, I’m going to sit down with the owner so we can discuss and reevaluate this situation. Even if I’m capable of executing everything properly, for liability reasons I think it’s in my best interest to not attempt it. I’m going to get a quote for an MSP and bring it to him.

77

The original was posted on /r/sysadmin by /u/TheDongles on 2024-01-23 16:31:03+00:00.


We have about 150 employees and about 90 of them work while traveling exclusively. These traveling employees use an iPad managed by our MDM. Being on the road a lot while dealing with some sensitive data, we’d like to implement a VPN so they don’t connect to hotel or airport WiFi all the time unprotected. It’s mostly iPads, but there are a dozen supervisors in the mix that have either a Mac or a PC. These folks in particular deal with customer and employee data. Most of them are good about using a hotspot on their phone. But it is a complaint they have. Their schedules all vary, so it’s not like all 90 are working at the same time; I would say closer to 50ish at a time max of just the traveling employees.

Our director wants to provide a VPN for the traveling employees, but the VPN solutions that I find are really expensive for what we need, looking at around $5 per user per month. No way I’m getting that approved for 80-90 users considering the other projects slated for this year.

Another thought I had was running a client VPN from our network equipment. Unfortunately this was not in the back of our minds during our WiFi upgrade last year, and our Meraki MX cannot have that many concurrent tunnels. So my thought is: what if we had a separate appliance that was used solely as a VPN server? I’ve heard good things about pfSense, and the equipment appears pretty reasonably priced.

I know there are downsides to this like reliability, only having one server vs many that a VPN provider could offer. But most importantly, I’m wondering how heavily the VPN appliance would affect the office users’ speeds. We only pay for 100 Mbps dedicated fiber. I’ve noted we’d likely need to up this at some point, as we have about 60 users on site a day that do various things from office work to regular app and document downloads that can be 1 GB a person.

So my questions are: Is it better to just bite the bullet on a VPN provider?

What kind of bandwidth issues could we hit? Note the folks on the road are downloading regular updates of documents and data that can be a gig or so regularly. Like nearly daily per person.

This is a bit out of my wheelhouse so any and all insights are appreciated.

78

The original was posted on /r/sysadmin by /u/MrFixIt_theITguy on 2024-01-23 16:15:34+00:00.


I've read a bunch of documentation on this, and it seems it is possible for hybrid environments but I can't seem to find the GPO. I've downloaded the latest templates to our central store but it's not there. Looking for advice on how to accomplish this.

79

The original was posted on /r/sysadmin by /u/StefanMcL-Pulseway2 on 2024-01-23 16:03:40+00:00.


Just read this from the cyber news and thought I would share.

80

The original was posted on /r/sysadmin by /u/DoorDelicious8395 on 2024-01-23 15:57:23+00:00.


We have an on-premises SMTP relay server (Postfix) that is used to route emails from our ERP system and various printers to the internet. The relay is set up to forward all of our emails to our Exchange Online SMTP connector using IP auth. Well, today Exchange is replying to all emails with "550 5.7.1 Service unavailable, Client host [xx.xxx.xxx.xxx] blocked using Spamhaus. To request removal from this list see https://www.spamhaus.org/query/xx.xxx.xxx.xxx". Our IP is owned by Comcast but is on an enterprise plan.

Does anyone have any recommendations on getting around the IP blacklist so we can forward them to our Exchange connector?

Update

I opened a case with Comcast and the technician told me that he had 5 of these cases open this morning with the exact same issue. He mentioned that it was an issue on their end.

Either way I should move away from IP auth in exchange as there are more secure alternatives. Thank you everyone for the suggestions.

81

The original was posted on /r/sysadmin by /u/TheJesusGuy on 2024-01-23 15:56:46+00:00.


GPO is running as Computer Configuration > Preferences > Windows Settings > Files. Source is a shared folder on the DC with Full Control on the share and NTFS permissions for Everyone, Domain Computers, and Authenticated Users. They also have read access in the GPO itself. Destination is C:\Users\Public\desktop, but I've also tried variables. GPO is targeting the Workstations OU, which has several working GPOs in it. gpresult /r shows the policy as targeting correctly. I've also tried sharing it as above but from our file server; same issue.

Group Policy object did not apply because it failed with error code "0x80070005" Access is denied. This error was suppressed. Event ID 4098.

Any help?

82

The original was posted on /r/sysadmin by /u/alexferraz on 2024-01-23 12:14:40+00:00.


Hi, fellow sysadmin.

I work in a relatively big company with around 6k office users, and the thing which is driving me nuts currently is users complaining about every little micro degradation in the MS Teams calls they have in the office, and saying that at home it is much better.

We’re talking with some IT service providers and it seems like it is a common issue. Here we already changed everything that both Cisco and Microsoft recommend and still can’t deliver the same experience the user has at home; not sure if it’s even possible, but the company execs think it is.

Are you guys facing a similar issue? And if yes, could you kindly share how you are tackling it?

What improved a lot for us was changing internet egress to local, but it’s still not the same experience the users have from home.

Thanks in advance for the attention here!

Cheers and happy 2024!

83

The original was posted on /r/sysadmin by /u/learningdevops on 2024-01-23 12:09:07+00:00.


Curious for smaller organizations that don't have all the bigger tools at their disposal or have a very small dev team. From what I understand, managing vulnerabilities is usually pushed to the back burner (understandably so) or automated, and not something people particularly want to think about when they have a product to deliver. We are trying to ideate something in this area, specifically the workflow of what happens after a scanner has been run. Does anyone care to share answers to these?

  1. How do you stay on top of vulnerabilities (CVEs) in your environment(s)?
  2. Is this something done regularly or ad hoc or only when necessary?
  3. Who is responsible for this process? Is there a dedicated person or is it put on someone else's plate?
  4. What tools are used for managing this process?
  5. How much time and effort does your team invest in researching and prioritizing vulnerabilities?

Posting this in different subreddits to get all types of answers from people in different adjacent roles :) enjoying reading all the different answers, please keep them coming!

EDIT: we are working on an MVP type of service () to tackle this, where we take the headache of figuring out what to update and which vulnerability to prioritize specific to one's environment; it's a human expert with over 20 years doing this. We know we cannot scale going like this, but our intention is to get feedback and understand this problem better: how much time does this tedious work (if you aren't automating) really take? Is this something you'd rather not have to do? etc. etc. If you have any feedback regarding this MVP or even the landing page, please feel free to DM or share here! We are looking for users for a closed beta at the moment, and if you think you'd like to try out such a service, comment below!

84

The original was posted on /r/sysadmin by /u/cisco_bee on 2024-01-23 15:40:38+00:00.


First off, I'm one of those "inbox zero" type of people.

How do you all utilize the quarantine? If something is an actual threat, do you delete it? When you delete it, do you "temporarily" delete it (the default) or check the "Permanently delete" checkbox? What happens when you "temporarily" delete it? This seems weird to me.

I think my reluctance/confusion comes down to the fact that as a rule I don't "delete" anything. I like data. Additionally, the column "Release status" throws me off. It always says "Needs review". I would expect to be able to say either "Yes, release" (In which case it's gone) or "I have reviewed this and it should not be released". But you can't. It's either "Needs review" or it's not there. Is this status just useless or am I completely missing how to use this tool?

85

The original was posted on /r/sysadmin by /u/adidasnmotion13 on 2024-01-23 15:40:19+00:00.


Is anyone else using Office 365 experiencing this or is this only happening to us?

86

The original was posted on /r/sysadmin by /u/Techman2k on 2024-01-23 15:38:59+00:00.


Hopefully the correct sub.

Certificate guy is on leave and we have to update the Web Server Certs.

Can anyone advise what file type a web server template is or how to create?

I have the PEM files and converted them to PFX using OpenSSL as per rough instructions, but this is not the correct template type.

Can anyone advise?

87

The original was posted on /r/sysadmin by /u/neuroticelite on 2024-01-23 15:38:32+00:00.


Hello!

I worked at an MSP for 10 years before transitioning to an internal IT team last year, and we really need a simple ticketing/project management system, so I am looking for recommendations.

Before I get into the details I need to stress how simple the product needs to be that we're looking for. We just need something that provides a glance (board) where we can all see active projects and tickets and leave comments as we have updates. The team is just 3 members and we've still worked efficiently without a ticketing system by just working closely together. Projects that last more than a few days have been rare, but are ramping up recently hence this need.

Just some notes on ones I've worked with and why I'm skipping them.

  • ConnectWise - Worked with for 7+ years. This is the exact "type" of system we're looking for, but it's way too robust for what we need.
  • AirTable - We already have this internally for our marketing team, but again just not the type of product we need.
  • Jira - Have internally for our development team, same issue as above.
  • Microsoft Project - Seems OK, but haven't found a way to have an accessible glance/board for the entire team without manually sharing each project or ticket?

Thanks!

88

The original was posted on /r/sysadmin by /u/Cranapplesause on 2024-01-23 15:28:32+00:00.


Hello All,

I am trying to create a working Archive Policy in Exchange Online.

We want users to choose their Archive policy and not force any Archive period on the users.

We have attempted to create two different MRM Retention Policies.

  • The first one is set with the following tags:
  1. A tag for the entire mailbox (DPT) with an archive setting of NEVER (this setting will disable the retention action)
  2. Seven Personal tags. (Each is for years 1 through 7)
  • The second one is set with the following tags:
  1. ONLY seven Personal tags. (Each is for years 1 through 7)
  • I was not sure if the issue is that the (DPT) from the first one is just disabling the entire archive process. So I built this MRM without a Default. Still nothing.

I can confirm that a stand alone DPT will function with an Archive period set as default, but this removes the power from the users.

I am changing my Retention Policy under the user's mailbox to the MRM I am testing.

I am connecting to Exchange Online with PowerShell (Connect-ExchangeOnline).

I am running Start-ManagedFolderAssistant -Identity XXXXXXXXX after each Archive Policy change.

I am setting policies under OWA.

I opened a ticket with Microsoft and the guy told me to just use DPT... Then when we confirmed that DPT worked, he said he was going to close the ticket. I told him no, because the personal tags aren't working. I am guessing he has no idea how to fix it. I am thinking of just closing the ticket and opening a new one. Roll the dice and see if I get someone better?

89

The original was posted on /r/sysadmin by /u/bashb0y on 2024-01-23 15:22:59+00:00.


Hello fellow Admins,

Is anybody experienced with shared workspace/desktop solutions?

We are implementing a shared workspace solution in which employees have their own end devices (mouse/keyboard/headset). These are to be connected to static thin clients via Bluetooth. Ideally, the user does not have to pair the end devices every morning at their new workstation.

We use NoTouchOS for our devices.

90

The original was posted on /r/sysadmin by /u/Koen1997NL on 2024-01-23 15:16:49+00:00.


Hello,

My name is Koen and I am responsible for Microsoft 365 in my organization. I have the following problem.

We are using Windows laptops with a Microsoft 365 installation. The mobile phones are all iPhones.

We are using the GAL for company-specific contacts. Our users can copy the GAL data to their personal address books, so they can keep a copy of it in their phone. But after a period of time, most of the contacts have been duplicated (multiple times).

So when you are getting a call from John Doe and he has multiple contact entries in your phone, it shows John Doe and xxx others. It also messes up our vehicles' Bluetooth, because it cannot take so many contacts.

The contacts are added from the Microsoft 365 > Outlook app.

Does anyone know how I can solve this problem?

I already found this article: Duplicate Outlook contacts appear in iOS Contacts app - Exchange | Microsoft Learn, but this only acknowledges the issue instead of offering a solution.

Any kind of help will be very much appreciated!

91

The original was posted on /r/sysadmin by /u/Project__5 on 2024-01-23 15:01:24+00:00.


I'm familiar with using Entra AD (Azure AD) to review sign-in logs. E.g. if a user fails conditional access policy, looking up the Request ID from their error message in the sign in logs to gain more information.

I'm assisting a vendor log into our Azure DevOps site (https://dev.azure.com/[ourOrganization]). Everyone logging into this is using an Entra AD account managed at our tenant.

The problem is, I'm not seeing any logins getting logged ANYWHERE. I have a vendor failing to log in, he gives me the Request ID from his error message, but that ID is nowhere to be found in Entra. Everything else BUT DevOps logins seems to be getting logged just fine.

I have tried enabling auditing in DevOps, but it shows auditing for object changes, not logins. I have confirmed DevOps is linked to our tenant.

Where can I find this information or where can I troubleshoot failed login attempts for Azure DevOps?

Thanks.

92

The original was posted on /r/sysadmin by /u/Jusan999 on 2024-01-23 14:57:17+00:00.


Hi everyone, I'm new to the community and had a question. I'm currently studying system administration and for my final project was thinking about making a plug-and-play firewall, mainly marketed to homes and small shops maybe. I know some already exist, but I haven't seen any that really seem useful or don't flat-out steal your data or slow your network too much to be worthwhile.

If anyone knows of any I could check out or has any recommendations on how to do this, please leave a comment; it would help a lot.

93

The original was posted on /r/sysadmin by /u/Intelligent_Ad3362 on 2024-01-23 14:52:46+00:00.


Hello Reddit Community,

I hope you're all doing well. I'm currently facing the challenge of running a PowerShell script via Task Scheduler and wondering what the minimum permissions required for successful execution are.

So far, I've only been able to execute the script successfully as a domain administrator. However, I'd like to grant only the essential permissions to adhere to security policies. I'm seeking information on the specific permissions needed to run the script properly.

The script involves actions such as gathering information on Remote Desktop Sessions. Could you please share insights on the exact permissions required for Task Scheduler to successfully run the script without needing extensive domain administrator rights?

Thank you in advance for your assistance!

```powershell
# Path for CSV (defined first: the archive step below already needs $pathForCsv,
# and in the original order it was used before being set)
$pathForCsv = 'C:\Scripts\RDS'

# The RDS cmdlets used below come from the RemoteDesktop module
Import-Module RemoteDesktop

# Verification: on the first of the month, archive last month's CSV files
$Date = (Get-Date).AddMonths(-1).ToString('MM.yyyy')
if (-Not (Test-Path "C:\Scripts\RDS\Archive\RDS $Date.csv")) {
    if ((Get-Date).Day -eq 1) {
        Move-Item -Path "$pathForCsv\RDS.csv" -Destination "C:\Scripts\RDS\Archive\RDS $Date.csv"
        Move-Item -Path "$pathForCsv\RDSNamen.csv" -Destination "C:\Scripts\RDS\Archive\RDSNamen $Date.csv"
    }
}

# Get our FQDN
$ourname = "$env:COMPUTERNAME.$env:USERDNSDOMAIN".ToLower()

# FQDN of the Active Management Server; only run on the active broker
$rdsMgmtServer = (Get-RDConnectionBrokerHighAvailability | Select-Object -ExpandProperty ActiveManagementServer).ToLower()
$rdsMgmtServer   # echoes the active broker name for logging
if (-Not ($ourname.Equals($rdsMgmtServer))) {
    Write-Host 'Error: The Remote Desktop Services deployment is not present on "cb1.company.co.at". This operation can be performed after creating a deployment.'
    exit
}

# Array with all collections to query
$collectionArray = @("Collection1")

# Get current date and time
$currentDatetime = (Get-Date).ToString('dd.MM.yyyy HH:mm:ss')

# Actual CSV names
$csvCount = "$pathForCsv\RDS.csv"
$csvNames = "$pathForCsv\RDSNamen.csv"

foreach ($collectionName in $collectionArray) {

    # List of all currently logged-in users
    $rdsUserList = (Get-RDUserSession -CollectionName $collectionName -ConnectionBroker $rdsMgmtServer).UserName

    # Number of currently logged-in users
    $rdsUserCount = $rdsUserList.Count

    # We now save individual usernames to the $csvNames file
    foreach ($username in $rdsUserList) {
        $namesText = "$collectionName`t$currentDatetime`t$username"
        $namesText | Add-Content -Path $csvNames -Encoding UTF8 -Force
    }

    # Composition of the CSV file; `t indicates tab
    $countText = "$collectionName`t$currentDatetime`t$rdsUserCount"
    $countText | Add-Content -Path $csvCount -Encoding UTF8 -Force

}
```

94

The original was posted on /r/sysadmin by /u/Alzzary on 2024-01-23 14:31:39+00:00.


Hello there!

I am the sole IT for a 100-user law firm, and our baseline policy is that all sharing websites such as Box, Dropbox, Google Drive, etc. are blocked by default, mainly for security reasons.

However, it regularly happens that I must allow exceptions because clients and third parties use that medium, even though we have our own file sharing solution, and so I constantly enable and disable exceptions for these cases.

I was wondering if there were more efficient ways to manage this?

I am using a FortiGate for web filtering / application control.

At first I thought about developing a small Outlook add-in myself that would interact with the FortiGate's API with a small input for URLs, so I'd just enter a link and it would push the URL to the FortiGate, dynamically changing the rule, but it seems that unless you have a subscription with Fortinet's developer network, you can't get an API key to begin with.

Any better ideas on how to handle this?

95

The original was posted on /r/sysadmin by /u/tperondi on 2024-01-23 14:28:51+00:00.


Hi everyone,

I have a dilemma at work today. One of our customers has asked us for a specific type of GPU for machine learning operations to be installed in their ML350 Gen11. HP officially supports only a few graphics accelerators that are out of the budget for this project. Has anyone of you ever tried to install non-officially supported video cards on these servers? Unfortunately, since they are relatively new models, I have found very little information about it. My fear is that HP may have inserted some hardware block that prevents unauthorized hardware from working. What do you think?

Thanks.

96

The original was posted on /r/sysadmin by /u/that_afro_guy on 2024-01-23 14:24:26+00:00.


Do you know of any success stories of a company that used multiple login IDs or methods and switched to SSO?

If possible, I would like to know what the scenario was like before, what was done and the results of implementing SSO.

Feel free to point me to any documentation or site that describes such cases.

Thanks in advance.

97

The original was posted on /r/sysadmin by /u/the_DOS_god on 2024-01-23 14:09:19+00:00.


I am curious about firmware management and who is responsible for it. It seems that at most places I've been at or know about, nobody really updates FW on servers regularly, and it always gets passed around to some other group.

So who would be responsible for that? Sysadmins? Data Center personnel? NOC? Engineers? Also if you manage and update FW on servers what do you normally use?

98

The original was posted on /r/sysadmin by /u/RestinRIP1990 on 2024-01-23 13:52:11+00:00.


In an effort to reduce NTLM authentication, I have built an ELK-based dash to monitor any NTLM auths in the enterprise. I was able to get rid of a lot; however, one that is sticking is the print servers on the network.

The issue is as described here:

I have made this registry change organization-wide, and it seemingly does not work. I have run a query on this key and it is set on every machine. I am not sure how to proceed further. klist shows valid tickets for the print servers as well.

99

The original was posted on /r/sysadmin by /u/chewy747 on 2024-01-23 13:42:22+00:00.


We have an offline root and online sub Microsoft cert authority. We are going to be moving them to new servers with new names and new IPs. Anything special we need to do besides these broad steps?

  • backup cert authority database & config
  • export CA registry key
  • stop services on original
  • restore CA backup & config
  • restore registry

Do we need to do anything in DNS? Or anything else I'm missing?

100

The original was posted on /r/sysadmin by /u/Altruistic_Movie_997 on 2024-01-23 13:35:50+00:00.


Hi y'all,

I have the VNC service applied and installed through GPO with an mst transformation for the password to the whole AD, but on some computers the password from the mst file doesn't work, so VNC is not usable.

On 70% of computers it works, but on some only TightVNC is installed and the password from the mst file doesn't work.

Do you know where could be a problem?

Thank you
