The [sysadmins] Thread: Quick, hide your user friendly policies, Bowen is coming back!

  • bowen How you doin'? Registered User regular
    That's when I refuse to help them at all.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Cog What'd you expect? Registered User regular
    User who just unboxed a new laptop: 'Can you backup all of my old files and put them on my new machine? This is hurting my productivity'
    Us: 'Sure, of course, just power on the old one and the new one and give me a few minutes.'
    User: 'I don't have time for that right now. I'm on a deadline.'

    I...uh...I....wut? Us: 'No problem, just give us a call back when you're free.' *click*

  • lwt1973 King of Thieves Syndication Registered User regular
    "So all the things on my desktop that aren't shortcuts won't be saved on the server?"
    "Nothing on your desktop will be saved."
    "Are you sure?"
    "...Yes...I am sure."

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • bowen How you doin'? Registered User regular
    lwt1973 wrote: »
    "So all the things on my desktop that aren't shortcuts won't be saved on the server?"
    "Nothing on your desktop will be saved."
    "Are you sure?"
    "...Yes...I am sure."

    :) I've done this.

    Luckily it wasn't a server crash that caused the loss, but their own stupidity.

    They deleted a folder and wanted me to get a backup.

    "I need you to restore a document I deleted from my desktop."

    "I don't back up your desktop. There's no way for me to do that logistically (a lie, but it's not worth the effort). If you want to keep something, put it in my documents folder."

    "But I need it!"

    "Well I need a new car, doesn't mean it's going to happen."

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Aioua Ora Occidens Ora Optima Registered User regular
    Did I tell you guys about the time I found business-critical software that had its database stored on the C: drive of an end-user's HP d530?

    life's a game that you're bound to lose / like using a hammer to pound in screws
    fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
    that's right we're on a fucked up cruise / God is dead but at least we have booze
    bad things happen, no one knows why / the sun burns out and everyone dies
  • Bigity Lubbock, TX Registered User regular
    You worked at my old school district job?

  • Aioua Ora Occidens Ora Optima Registered User regular
    Bigity wrote: »
    You worked at my old school district job?

    No, it's okay, nothing as important as education. This was in a hospital pharmacy.

    life's a game that you're bound to lose / like using a hammer to pound in screws
    fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
    that's right we're on a fucked up cruise / God is dead but at least we have booze
    bad things happen, no one knows why / the sun burns out and everyone dies
  • bowen How you doin'? Registered User regular
    Or my office before I took over.

    Oracle DB running on an end user's PC for the laboratory equipment and data.

    This was actually their recommended strategy.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • bowen How you doin'? Registered User regular
    I guess this is "business as usual" for HIS companies.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Aioua Ora Occidens Ora Optima Registered User regular
    bowen wrote: »
    I guess this is "business as usual" for HIS companies.

    The people running the show are still butthurt from having to switch to computers in the first place. Thank god that was before my time.

    life's a game that you're bound to lose / like using a hammer to pound in screws
    fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
    that's right we're on a fucked up cruise / God is dead but at least we have booze
    bad things happen, no one knows why / the sun burns out and everyone dies
  • bowen How you doin'? Registered User regular
    Aioua wrote: »
    bowen wrote: »
    I guess this is "business as usual" for HIS companies.

    The people running the show are still butthurt from having to switch to computers in the first place. Thank god that was before my time.

    Doctors are verrrrrrrry reluctant to computerization because the metrics are really detrimental to their job.

    The doctors here are pushing hard back against ICD10 because they can't use "Diabetes Unspecified" anymore like they have in the past.

    No amount of "It'll help you care better for your patients, no seriously, it helps you watch patient populations and see what's working, why, and for which subgroups so much easier" is comforting or convincing to them.

    I guess medicaid wanting to take 5% of their paycheck for fucking it up is a huge downside, but, I can't see a problem either way.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Le_Goat Frechified Goat Person Boston Registered User regular
    I've put together a New Employee Orientation Packet which specifically states (in bold, red letters) to not save anything of any importance on your C: drive, but rather save it to the personalized folder on our server that has been created for you and mapped to your computer as the U: drive for your convenience. It also states that IT will not be held responsible for any data loss on the C: drive, as it is not backed up by our systems.

    I'm fully aware that none of them read that packet (the one that I've spent years revising with nice pictures and extremely helpful information), but they can never ever say that they were not informed of this when their HDD dies and I can't do anything about it.

    And then there is the ever-so-humorous suggestion of "Well, why don't you back up my desktop, then?" Sadly, I'm not allowed to giggle in front of them.

    While I agree that being insensitive is an issue, so is being oversensitive.
  • bowen How you doin'? Registered User regular
    I am.

    It is the best.

    I am allowed to openly mock them because if they don't let me, I refer them to my boss, who then berates them for being stupid.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Kakodaimonos Code fondler Helping the 1% get richer Registered User regular
    Hell, I've seen an entire risk management system written in an Excel spreadsheet that was out in a shared directory that anyone could get to. No protection or access control. And this was the system that the trading floor managers used to set the daily trading limits for the traders.

    Though this was the same place that somehow managed to hold on to a physical delivery future when it expired. And did the expiration process twice and ended up with close to 500 million in risk exposure overnight.

  • Mei Hikari Registered User regular
    I like berating users as much as anyone here, but once you've got documents redirection set up, there's really no reason not to redirect desktops too.

  • Cog What'd you expect? Registered User regular
    edited October 2013
    Strange question:

    Can you add a WSUS server from an untrusted domain (henceforth domain B) to the management console on your native domain (henceforth domain A)? I can configure it as a downstream server just fine, but I can't actually add it to the console and I'm seeing security audit failures on the domain B server of my domain A account failing, because they have no trust and don't know about each other.

    Can anyone think of a way around that?

    EDIT: I mean, I can't even pull any 'run as' tomfoolery 'cause there's no trust.

  • bowen How you doin'? Registered User regular
    Mei Hikari wrote: »
    I like berating users as much as anyone here, but once you've got documents redirection set up, there's really no reason not to redirect desktops too.

    People put silly shit on their desktop and assume it'll work on any PC, is why.

    "Why doesn't this application shortcut work on (computer they never use)?"

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Cog What'd you expect? Registered User regular
    Meh. Answered my own question. A resounding no.
    The WSUS 3.0 administration console can be used to manage any WSUS server that has a trust relationship with the administration console computer.

    That means I have to remote to every goddamn server to manage them.

    whiner1.jpg

  • Le_Goat Frechified Goat Person Boston Registered User regular
    Mei Hikari wrote: »
    I like berating users as much as anyone here, but once you've got documents redirection set up, there's really no reason not to redirect desktops too.
    I'm a bit hesitant to allow users to have that option. The majority of the security/malware issues that come up deal with users saving shit to their desktop.

    However, I've been trying to think of a way to save users' IE favorites on the file server for easy restore, as that's one thing that everyone seems to miss the most if their HDD dies. So big thanks for that idea!

    While I agree that being insensitive is an issue, so is being oversensitive.
  • Cog What'd you expect? Registered User regular
    Mei Hikari wrote: »
    I like berating users as much as anyone here, but once you've got documents redirection set up, there's really no reason not to redirect desktops too.

    There is, actually. Users find out this is the case and cram their desktops full of 18 gigs of shit that's probably already on their network shares, start saving PSTs there...

    I don't like setting the precedent of "just dump everything important on your desktop".

  • Mei Hikari Registered User regular
    bowen wrote: »
    Mei Hikari wrote: »
    I like berating users as much as anyone here, but once you've got documents redirection set up, there's really no reason not to redirect desktops too.

    People put silly shit on their desktop and assume it'll work on any PC, is why.

    "Why doesn't this application shortcut work on (computer they never use)?"
    Oh yea, I wish I could filter out shortcuts. I get around this by redirecting each desktop to its own folder. It works fine.

  • Mei Hikari Registered User regular
    Le_Goat wrote: »
    Mei Hikari wrote: »
    I like berating users as much as anyone here, but once you've got documents redirection set up, there's really no reason not to redirect desktops too.
    I'm a bit hesitant to allow users to have that option. The majority of the security/malware issues that come up deal with users saving shit to their desktop.

    However, I've been trying to think of a way to save users' IE favorites on the file server for easy restore, as that's one thing that everyone seems to miss the most if their HDD dies. So big thanks for that idea!
    Honestly, it's easier to scan stuff centrally on a file server. And users are gonna run malware from their appdata folder long before it reaches their desktop.

    You can redirect the favorites folder btw.

  • Mei Hikari Registered User regular
    Cog wrote: »
    Mei Hikari wrote: »
    I like berating users as much as anyone here, but once you've got documents redirection set up, there's really no reason not to redirect desktops too.

    There is, actually. Users find out this is the case and cram their desktops full of 18 gigs of shit that's probably already on their network shares, start saving PSTs there...

    I don't like setting the precedent of "just dump everything important on your desktop".

    Ok, sure. Users can copy dumb shit on network shares too. I have some clients that do that kind of terrible shit all the time, and that's why I told them either upgrade to server 2012 or implement quotas. Guess which they always pick.

  • halkun Registered User regular
    Speaking of backups I have a story!

    Agent's assistant is trying to migrate her Agent's data from one system to another. The "backup took forever" and was trying to do a data recovery on the new machine. It was failing at the 25% mark. I remote into the old system and there are so many icons on the desktop they go off the screen. Like, this dude has literally lost documents because they went off the edge. I make the icons tiny so I can at least put some stuff in a folder. Then I look for the backup on the shared drive. It's 56 gig. Looking at his system, a whopping fifty-one gig of that are baby pictures that he's downloaded from his iPhone.

    I told the assistant that she needed to tell her agent to get an external hard drive and get those pictures off his system and make another backup. If he didn't, the new backup system that was released yesterday will give him a nasty surprise as it explicitly excludes all movie and picture files except for .tiff (for scans).

    "He says hard drives are too expensive, We tried to back it up to his flash drive but it didn't work..." she said.

    plugged it in, 512MB

    *headdesk*

  • Mr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    The pictures were of his baby, right? You can get in a lot of trouble for having 50+ gigs of pictures of someone else's babies….

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • lwt1973 King of Thieves Syndication Registered User regular
    Stupid user opened up a stupid .zip file because it had payroll in the subject. I used to block all .zips but was told by my boss to unblock it several years back. Stupid user got infected with Cryptolocker and now I'm restoring the file server from backup.

    My hate is burning right now. Burning I say.

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • bowen How you doin'? Registered User regular
    lwt1973 wrote: »
    Stupid user opened up a stupid .zip file because it had payroll in the subject. I used to block all .zips but was told by my boss to unblock it several years back. Stupid user got infected with Cryptolocker and now I'm restoring the file server from backup.

    My hate is burning right now. Burning I say.

    Did stupid user check who it was from first? If not, that's reason enough for stupid user to lose a lot of email privileges. Like 1 MB mailbox.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • lwt1973 King of Thieves Syndication Registered User regular
    bowen wrote: »
    lwt1973 wrote: »
    Stupid user opened up a stupid .zip file because it had payroll in the subject. I used to block all .zips but was told by my boss to unblock it several years back. Stupid user got infected with Cryptolocker and now I'm restoring the file server from backup.

    My hate is burning right now. Burning I say.

    Did stupid user check who it was from first? If not, that's reason enough for stupid user to lose a lot of email privileges. Like 1 MB mailbox.

    Nope. Stupid user saw payroll and thought, it had to do with my check.

    AND after she opened the attachment she forwarded the email without the attachment to her boss and asked if this was legit. Boss said no and she never mentioned she opened the attachment.

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • bowen How you doin'? Registered User regular
    Yup, that's totally reason enough for 1 MB email inbox. I've found the best thing to do was disable attachments in emails in general.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Le_Goat Frechified Goat Person Boston Registered User regular
    lwt1973 wrote: »
    bowen wrote: »
    lwt1973 wrote: »
    Stupid user opened up a stupid .zip file because it had payroll in the subject. I used to block all .zips but was told by my boss to unblock it several years back. Stupid user got infected with Cryptolocker and now I'm restoring the file server from backup.

    My hate is burning right now. Burning I say.

    Did stupid user check who it was from first? If not, that's reason enough for stupid user to lose a lot of email privileges. Like 1 MB mailbox.

    Nope. Stupid user saw payroll and thought, it had to do with my check.

    AND after she opened the attachment she forwarded the email without the attachment to her boss and asked if this was legit. Boss said no and she never mentioned she opened the attachment.
    The worst part is that after all of these years, this happens too frequently, not to mention a complete lack of accountability.

    While I agree that being insensitive is an issue, so is being oversensitive.
  • TL DR Not at all confident in his reflexive opinions of things Registered User regular
    lwt1973 wrote: »
    Stupid user opened up a stupid .zip file because it had payroll in the subject. I used to block all .zips but was told by my boss to unblock it several years back. Stupid user got infected with Cryptolocker and now I'm restoring the file server from backup.

    My hate is burning right now. Burning I say.

    Was this something that could have been prevented by more granular permissions configuration?

    We had a client that managed to get something nasty on their workstation, and their network share was pretty much full access for domain users. Someone with admin rights to their terminal server (guy was installing an update to their accounting software) clicked what he thought was an excel spreadsheet but was actually a malware installer that brought the system down before anyone thought to notify IT. whoops.jpg

  • Mei Hikari Registered User regular
    I've heard horror stories from colleagues who had forgotten to restrict NTFS permissions on the backup NAS. It seems Cryptolocker is more than happy to encrypt your StorageCraft backups.

  • TL DR Not at all confident in his reflexive opinions of things Registered User regular
    Mei Hikari wrote: »
    I've heard horror stories from colleagues who had forgotten to restrict NTFS permissions on the backup NAS. It seems Cryptolocker is more than happy to encrypt your StorageCraft backups.

    I...


    D:

  • lwt1973 King of Thieves Syndication Registered User regular
    TL DR wrote: »
    lwt1973 wrote: »
    Stupid user opened up a stupid .zip file because it had payroll in the subject. I used to block all .zips but was told by my boss to unblock it several years back. Stupid user got infected with Cryptolocker and now I'm restoring the file server from backup.

    My hate is burning right now. Burning I say.

    Was this something that could have been prevented by more granular permissions configuration?

    We had a client that managed to get something nasty on their workstation, and their network share was pretty much full access for domain users. Someone with admin rights to their terminal server (guy was installing an update to their accounting software) clicked what he thought was an excel spreadsheet but was actually a malware installer that brought the system down before anyone thought to notify IT. whoops.jpg

    A lot of the stuff was behind security so there's that. Most of the stuff that went buh-bye was everyday usage spreadsheets for billing and daily entries. There wasn't a whole lot of weeping and gnashing the teeth from the office, it just took forever to restore and test and double check that everything was clean.

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • Draygo Registered User regular
    edited October 2013
    Cog wrote: »
    Meh. Answered my own question. A resounding no.
    The WSUS 3.0 administration console can be used to manage any WSUS server that has a trust relationship with the administration console computer.

    That means I have to remote to every goddamn server to manage them.

    So you can't create a one way trust from the managed computer to the managing console server?

    If you are remotely managing these servers is there any particular reason they won't let you create the trust?

  • Tofystedeth Registered User regular
    Le_Goat wrote: »
    I've put together a New Employee Orientation Packet which specifically states (in bold, red letters) to not save anything of any importance on your C: drive, but rather save it to the personalized folder on our server that has been created for you and mapped to your computer as the U: drive for your convenience. It also states that IT will not be held responsible for any data loss on the C: drive, as it is not backed up by our systems.

    I'm fully aware that none of them read that packet (the one that I've spent years revising with nice pictures and extremely helpful information), but they can never ever say that they were not informed of this when their HDD dies and I can't do anything about it.

    And then there is the ever-so-humorous suggestion of "Well, why don't you back up my desktop, then?" Sadly, I'm not allowed to giggle in front of them.

    One of my coworkers was once on a local morning show as a guest where people would call in with computer questions for him to answer. The first call he got was a lady asking all these questions about the Y2K bug and would her stuff be safe, and eventually he was able to discern she was asking about her microwave.
    During the commercial break the host told him he shouldn't roll his eyes on television.

  • lwt1973 King of Thieves Syndication Registered User regular
    Person who got infected with cryptolocker: "Why can't I get into my kids' school website now?"
    "Because I locked it down. If you want it unblocked talk to your supervisor."
    "No thanks. <click>"

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • Cog What'd you expect? Registered User regular
    Draygo wrote: »
    Cog wrote: »
    Meh. Answered my own question. A resounding no.
    The WSUS 3.0 administration console can be used to manage any WSUS server that has a trust relationship with the administration console computer.

    That means I have to remote to every goddamn server to manage them.

    So you can't create a one way trust from the managed computer to the managing console server?

    If you are remotely managing these servers is there any particular reason they won't let you create the trust?

    We don't own them, we just manage them.

  • Echo ski-bap ba-dap Moderator mod
    This might be nice for some people in here: http://chocolatey.org/

    Package manager for Windows, to install lots of stuff.

  • TL DR Not at all confident in his reflexive opinions of things Registered User regular
    So what do you guys like for MySQL backups? I know jack about this and just had a new client mention that their database is running some sort of hourly backup operation that locks everyone out for several minutes. I'm certain there has to be a better way - my first inclination is ShadowProtect and a vague expectation that you fine folks will say "MySQL? More like PoopSQL; use _____!" which is also fine as a longer-term project.

This discussion has been closed.