The new forums will be named Coin Return (based on the most recent vote)! You can check on the status and timeline of the transition to the new forums here.
Please vote in the Forum Structure Poll. Polling will close at 2PM EST on January 21, 2025.
We have a few different approval workflow tools and password rotation tools we use. Most are homegrown based on scripts to add/remove access groups and/or rotate passwords. I know we use CyberArk for some stuff, but no feedback on how good/bad it is.
You could do a standard 2-factor auth and just give one person the fob and give the other person the PIN/password. You could also do a standard account and just split the password so each person only knows half of it. It sounds like you need some sort of tamper-resistant auditing/logging and notification for the key creation more than you do a 2-man authentication scheme.
Just remember that half the people you meet are below average intelligence.
It really does seem like it was a hamfisted attempt.
Someone heard encryption, and there was a deadline to do something and that's what they came up with.
TBH, just having two people auth to something, then encrypt/decrypt in general should be enough. Which is, what I assume, is happening.
+1
FFOnce Upon a TimeIn OaklandRegistered Userregular
Me: Hi, I'd like to change the template email sent from IT to the supervisors of new hires to this new template that help my department set new hires up quicker (changes also include fixed grammar, undoing of acronyms and abbreviations, etc)
ServiceDesk Manager: Yes, this looks great I'll have our four L1's do this.
My Manager: Yes, thank you for this.
So far today I've seen 3 bastardized, half-copy/pasted versions of the template I sent along to the service desk manager.
...
Huh...
0
TL DRNot at all confident in his reflexive opinions of thingsRegistered Userregular
My biggest client is now on a hybrid AD/O365 setup
kill me
side note: I'm told that account info imported from an on-premises Exchange server is subject to automatic deletion if the link between 365 and Exchange is ever broken, effectively sticking us with a setup that was only necessary for migration purposes
kill meeee
update:
kill meeeeeeee
0
AthenorBattle Hardened OptimistThe Skies of HiigaraRegistered Userregular
My biggest client is now on a hybrid AD/O365 setup
kill me
side note: I'm told that account info imported from an on-premises Exchange server is subject to automatic deletion if the link between 365 and Exchange is ever broken, effectively sticking us with a setup that was only necessary for migration purposes
kill meeee
update:
kill meeeeeeee
Learn how to manipulate DirSync.
He/Him | "We who believe in freedom cannot rest." - Dr. Johnetta Cole, 7/22/2024
0
AthenorBattle Hardened OptimistThe Skies of HiigaraRegistered Userregular
So after talking through the problem with my BA and another admin here, I think I've figured out what I want from a product:
1) The actual encryption/decryption is done with a server product of some kind that handles encryption/decryption duties. This is so the end users never actually touch the encrypted files and do not have direct access to the store location of the encryption.
2) Users should use a web interface (internal only, maybe even VPN or IP secured) to send commands to the server. The server will require either a USB Keyfob or a one-time authentication token system as one of their factors, and a username/password as the other. Ideally we can set this up to require 2 fobs / passwords to increase security.
3) The big advantage of this system would be that it is no longer tied to a single physical location, which will meet some of our business requirements about allowing check printing to be done in other places (but still securely). The product should have an audit record on it, for obvious reasons.
I definitely don't think I'll find an off the shelf solution for this. BUT. We are going to reach out to other universities and see what they do, to see if we are over-engineering it or if we are just doing things right.
He/Him | "We who believe in freedom cannot rest." - Dr. Johnetta Cole, 7/22/2024
0
RandomHajileNot actually a SnatcherThe New KremlinRegistered Userregular
I have a feeling that you're going to find that most people are using a waaaaaaaaaaaaay less secure process than you are looking at. Not saying you shouldn't still pursue it, of course.
My biggest client is now on a hybrid AD/O365 setup
kill me
side note: I'm told that account info imported from an on-premises Exchange server is subject to automatic deletion if the link between 365 and Exchange is ever broken, effectively sticking us with a setup that was only necessary for migration purposes
kill meeee
update:
kill meeeeeeee
Learn how to manipulate DirSync.
Oh, I'm familiar. If there's a way to kick off the processing on Microsoft's end, I'd be all ears. Right now everything works ok, unless you need to make any changes to a user account after it's added. Then even if you run DirSync on the DC, updates to the existing account can take all day to be reflected in O365.
"Okay I've fixed the issue, unfortunately the way Microsoft works, it sometimes takes up to 72 hours for the changes to be accepted for security reasons" ?
oh wait, up to, but that means the one time it takes 30 seconds that means 30 seconds every time and you're the bad guy for being short. Nevermind. Just tell them it'll take 72 hours flat out.
oh wait, up to, but that means the one time it takes 30 seconds that means 30 seconds every time and you're the bad guy for being short. Nevermind. Just tell them it'll take 72 hours flat out.
This is the tactic I take when explaining DNS propagation to customers. It's always 48 hours. Oh, it happened sooner for you? Oh man, you're so lucky. So lucky! It's not at all because you're using our DNS servers for resolution, no! It's because you're so fucking lucky! Well, I'll still say 48 hours for everyone else, just to be safe...
My first day back at work since before Christmas today. I've been here for 80 minutes and I'm already ready to go home for about 14 different reasons.
The best one is an iPad pro on my desk, left there by our CEO, with a written sticky note to set it up for him. I know none of the following things: his iTunes password, his AD password, nor the 4 digit pin code he has put on the device, so literally can't do anything with it until when/if the ceo shows up today.
My first day back at work since before Christmas today. I've been here for 80 minutes and I'm already ready to go home for about 14 different reasons.
The best one is an iPad pro on my desk, left there by our CEO, with a written sticky note to set it up for him. I know none of the following things: his iTunes password, his AD password, nor the 4 digit pin code he has put on the device, so literally can't do anything with it until when/if the ceo shows up today.
1234
"He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
0
KakodaimonosCode fondlerHelping the 1% get richerRegistered Userregular
Just keep trying. And if auto erase after 10 failed attempts is turned on, well it makes the setup easier.
See, it's not associated with our systems yet, so the auto erase isn't turned on, and in apple's wisdom they just lock out the device for half an hour after 10 missed codes. only way to get past it is to restore the OS to factory through iTunes.
My eyes are bleeding!!! In preparation for leaving next Wednesday, I'm tasked with writing policy and procedure manuals for every system that I manage (e.g., Backup Exec, WSUS, SolarWinds, security systems).
I thought I had escaped doing anymore Patch Tuesdays. Turns out that I have one left... the day before my last day. I don't think I'm getting out of that one. On the other hand, it would be good practice for my boss to test out my new manuals... eh? eh?
While I agree that being insensitive is an issue, so is being oversensitive.
See, it's not associated with our systems yet, so the auto erase isn't turned on, and in apple's wisdom they just lock out the device for half an hour after 10 missed codes. only way to get past it is to restore the OS to factory through iTunes.
Wonderful stuff, this Apple garbage.
I recently had the same scenario arise with a board member who left, but didn't erase her iPad. Just follow these instructions: https://support.apple.com/en-ph/HT204306. Use the section labeled Erase your device with recovery mode.
While I agree that being insensitive is an issue, so is being oversensitive.
See, it's not associated with our systems yet, so the auto erase isn't turned on, and in apple's wisdom they just lock out the device for half an hour after 10 missed codes. only way to get past it is to restore the OS to factory through iTunes.
Wonderful stuff, this Apple garbage.
I recently had the same scenario arise with a board member who left, but didn't erase her iPad. Just follow these instructions: https://support.apple.com/en-ph/HT204306. Use the section labeled Erase your device with recovery mode.
oh I've done this 100 times on devices, so I know it well. Here is where the issue is: There is an iCloud account associated with it. If you wipe it, activation lock kicks in and you can't actually do anything with the device without the iCloud password of whatever account was signed in last. Like, you're prompted for the password before it will finish the first boot. and I don't have that password. If I had that password, I wouldn't have this thing sitting on my desk.
This is all the consumer side stuff, fwiw. if you have a proper MDM this isn't an issue. We do not have a proper MDM, so it is.
See, it's not associated with our systems yet, so the auto erase isn't turned on, and in apple's wisdom they just lock out the device for half an hour after 10 missed codes. only way to get past it is to restore the OS to factory through iTunes.
Wonderful stuff, this Apple garbage.
I recently had the same scenario arise with a board member who left, but didn't erase her iPad. Just follow these instructions: https://support.apple.com/en-ph/HT204306. Use the section labeled Erase your device with recovery mode.
oh I've done this 100 times on devices, so I know it well. Here is where the issue is: There is an iCloud account associated with it. If you wipe it, activation lock kicks in and you can't actually do anything with the device without the iCloud password of whatever account was signed in last. Like, you're prompted for the password before it will finish the first boot. and I don't have that password. If I had that password, I wouldn't have this thing sitting on my desk.
This is all the consumer side stuff, fwiw. if you have a proper MDM this isn't an issue. We do not have a proper MDM, so it is.
But you can actually wipe it without associating it with an account, so it will be factory default with absolutely no account associated with it at all. The big thing is to install iTunes on a machine without any account associated with iTunes. Then you hook up the iPad to that machine and make sure to not associate it with an iCloud account during the setup process.
While I agree that being insensitive is an issue, so is being oversensitive.
the bigger issue for me would be the trackpad. I don't mind them some of the time. But when I'm sitting at a desk with 2-3 giant screens, I cannot go without a proper mouse. Trackpads are too imprecise.
the bigger issue for me would be the trackpad. I don't mind them some of the time. But when I'm sitting at a desk with 2-3 giant screens, I cannot go without a proper mouse. Trackpads are too imprecise.
yeah, using trackpads even when a mouse would be impractical hurts me inside.
0
AthenorBattle Hardened OptimistThe Skies of HiigaraRegistered Userregular
My coworker still uses a trackball. HATES mice. His Logitech one is very, very yellowed, like a well aged Super Nintendo at this point.
He/Him | "We who believe in freedom cannot rest." - Dr. Johnetta Cole, 7/22/2024
Trackpads are evil things only to be used when absolutely necessary. Trackballs, however, are magic for work. It really cuts down on any wrist pain that I get from using the mouse. I usually try to avoid using the mouse whenever I can because it's a pain in the ass when I can easily just use keyboard shortcuts. However, I cannot use a trackball when gaming. I require absolute precision when gaming and my thumb is inferior to my wrist for that.
While I agree that being insensitive is an issue, so is being oversensitive.
I used to be able to use trackballs, back in the 80s.
+1
AthenorBattle Hardened OptimistThe Skies of HiigaraRegistered Userregular
Ah, that wonderful feeling of asking a coworker for some information, only to have him forward you an email he sent to you 2 months ago with said information. I feel like a dolt.
He/Him | "We who believe in freedom cannot rest." - Dr. Johnetta Cole, 7/22/2024
Trackpads are evil things only to be used when absolutely necessary. Trackballs, however, are magic for work. It really cuts down on any wrist pain that I get from using the mouse. I usually try to avoid using the mouse whenever I can because it's a pain in the ass when I can easily just use keyboard shortcuts. However, I cannot use a trackball when gaming. I require absolute precision when gaming and my thumb is inferior to my wrist for that.
Seidkona on
Mostly just huntin' monsters.
XBL:Phenyhelm - 3DS:Phenyhelm
+1
Mr_Rose83 Blue Ridge Protects the HolyRegistered Userregular
Who here knows anything about Powershell? Specifically, how to merge multiple csv outputs?
I have a kludged together one-line script that outputs message traces for each user in an array of email addresses and ideally I would like to have one csv file at the end instead of one per user.
How I do?
I like the idea of trackballs, and I'll bet if I gave myself a couple weeks of using one exclusively, I'd get used to it, but my mind just breaks every time I use one. I have a couple co-workers who do use them and whenever i need to sit at their machines I kind of have a hard time.
But man, I simply cannot fathom using a trackpad for 8 hours a day. That'd probably kill me.
Who here knows anything about Powershell? Specifically, how to merge multiple csv outputs?
I have a kludged together one-line script that outputs message traces for each user in an array of email addresses and ideally I would like to have one csv file at the end instead of one per user.
How I do?
Er this depends.
Can you sanitize the script and post it? I should be able to set you up.
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
0
Mr_Rose83 Blue Ridge Protects the HolyRegistered Userregular
Who here knows anything about Powershell? Specifically, how to merge multiple csv outputs?
I have a kludged together one-line script that outputs message traces for each user in an array of email addresses and ideally I would like to have one csv file at the end instead of one per user.
How I do?
Er this depends.
Can you sanitize the script and post it? I should be able to set you up.
Who here knows anything about Powershell? Specifically, how to merge multiple csv outputs?
I have a kludged together one-line script that outputs message traces for each user in an array of email addresses and ideally I would like to have one csv file at the end instead of one per user.
How I do?
Er this depends.
Can you sanitize the script and post it? I should be able to set you up.
I don't have access to a server to test but you should be able to do the filtering with Get-MessageTrace, you might need to tweak the formatting for the senderaddress parameter, the documentation references a specific exchange datatype for the input so I'm not sure, but then talks like it takes strings. My first guess would be this:
edit: also that semicolon in line 3 of my first script is a vanilla bug, it's not in what I wrote :rotate:
aioua on
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
0
Mr_Rose83 Blue Ridge Protects the HolyRegistered Userregular
That looks great, thanks! I'll try out that second one tomorrow and let you know how it goes.
AthenorBattle Hardened OptimistThe Skies of HiigaraRegistered Userregular
I feel dirty putting together a word doc describing the confguration of a server & app... but honestly, just a basic listing of services, features, programs, devices, and installation quirks seems the best way to record this. I know we have this new-fangled Content Management Database product we need to start using, and theoretically we should be able to auto-collect this stuff...
He/Him | "We who believe in freedom cannot rest." - Dr. Johnetta Cole, 7/22/2024
Posts
Hopefully your company is willing to put out the money for something like that lol.
Someone heard encryption, and there was a deadline to do something and that's what they came up with.
TBH, just having two people auth to something, then encrypt/decrypt in general should be enough. Which is, what I assume, is happening.
ServiceDesk Manager: Yes, this looks great I'll have our four L1's do this.
My Manager: Yes, thank you for this.
So far today I've seen 3 bastardized, half-copy/pasted versions of the template I sent along to the service desk manager.
...
update:
kill meeeeeeee
Learn how to manipulate DirSync.
1) The actual encryption/decryption is done with a server product of some kind that handles encryption/decryption duties. This is so the end users never actually touch the encrypted files and do not have direct access to the store location of the encryption.
2) Users should use a web interface (internal only, maybe even VPN or IP secured) to send commands to the server. The server will require either a USB Keyfob or a one-time authentication token system as one of their factors, and a username/password as the other. Ideally we can set this up to require 2 fobs / passwords to increase security.
3) The big advantage of this system would be that it is no longer tied to a single physical location, which will meet some of our business requirements about allowing check printing to be done in other places (but still securely). The product should have an audit record on it, for obvious reasons.
I definitely don't think I'll find an off the shelf solution for this. BUT. We are going to reach out to other universities and see what they do, to see if we are over-engineering it or if we are just doing things right.
This is a clickable link to my Steam Profile.
You're better off with something like google authenticator for that.
Oh, I'm familiar. If there's a way to kick off the processing on Microsoft's end, I'd be all ears. Right now everything works ok, unless you need to make any changes to a user account after it's added. Then even if you run DirSync on the DC, updates to the existing account can take all day to be reflected in O365.
This is the tactic I take when explaining DNS propagation to customers. It's always 48 hours. Oh, it happened sooner for you? Oh man, you're so lucky. So lucky! It's not at all because you're using our DNS servers for resolution, no! It's because you're so fucking lucky! Well, I'll still say 48 hours for everyone else, just to be safe...
The best one is an iPad pro on my desk, left there by our CEO, with a written sticky note to set it up for him. I know none of the following things: his iTunes password, his AD password, nor the 4 digit pin code he has put on the device, so literally can't do anything with it until when/if the ceo shows up today.
1234
Wonderful stuff, this Apple garbage.
I thought I had escaped doing anymore Patch Tuesdays. Turns out that I have one left... the day before my last day. I don't think I'm getting out of that one. On the other hand, it would be good practice for my boss to test out my new manuals... eh? eh?
oh I've done this 100 times on devices, so I know it well. Here is where the issue is: There is an iCloud account associated with it. If you wipe it, activation lock kicks in and you can't actually do anything with the device without the iCloud password of whatever account was signed in last. Like, you're prompted for the password before it will finish the first boot. and I don't have that password. If I had that password, I wouldn't have this thing sitting on my desk.
This is all the consumer side stuff, fwiw. if you have a proper MDM this isn't an issue. We do not have a proper MDM, so it is.
Had to order special adapters for my stupid Samsung screens which don't have VESA mounting abilities, but its been worth it!
I have no issues with it! It is only missing the numpad, really, and I'm not a data entry clerk so I haven't noticed its absence at all.
yeah, using trackpads even when a mouse would be impractical hurts me inside.
XBL:Phenyhelm - 3DS:Phenyhelm
I have a kludged together one-line script that outputs message traces for each user in an array of email addresses and ideally I would like to have one csv file at the end instead of one per user.
How I do?
Nintendo Network ID: AzraelRose
DropBox invite link - get 500MB extra free.
But man, I simply cannot fathom using a trackpad for 8 hours a day. That'd probably kill me.
Er this depends.
Can you sanitize the script and post it? I should be able to set you up.
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
Okay, here you go:
$dateEnd = get-date $dateStart = $dateEnd.AddHours(-48) $userList = "marcus@contoso.com","danny@contoso.com","rosie@contoso.com","matt@contoso.com","sammy@contoso.com" foreach ($user in $userList) { Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, ToIP, FromIP, Size, MessageID, MessageTraceID | Where {$_.SenderAddress -eq $user} | export-csv C:\temp\$user.csv }Like I said its kind of a mess. Mostly I think I want to export to an array and add each run to that array before outputting the csv of the array but…Nintendo Network ID: AzraelRose
DropBox invite link - get 500MB extra free.
this should do it, working with what was there:
$dateEnd = get-date $dateStart = $dateEnd.AddHours(-48) $userList = @("marcus@contoso.com","danny@contoso.com","rosie@contoso.com","matt@contoso.com","sammy@contoso.com") $output = @() $filename = "whatever" Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, ToIP, FromIP, Size, MessageID, MessageTraceID | ForEach-Object { if ($userList -contains $_.SenderAddress) { $output += $_ } } $output | Export-Csv -Path "C:\temp\$filename.csv" -NoTypeInformationI don't have access to a server to test but you should be able to do the filtering with Get-MessageTrace, you might need to tweak the formatting for the senderaddress parameter, the documentation references a specific exchange datatype for the input so I'm not sure, but then talks like it takes strings. My first guess would be this:
$dateEnd = get-date $dateStart = $dateEnd.AddHours(-48) $userList = "marcus@contoso.com,danny@contoso.com,rosie@contoso.com,matt@contoso.com,sammy@contoso.com" $filename = "whatever" Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd -SenderAddress $userlist| Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, ToIP, FromIP, Size, MessageID, MessageTraceID | Export-Csv -Path "C:\temp\$filename.csv" -NoTypeInformationedit: also that semicolon in line 3 of my first script is a vanilla bug, it's not in what I wrote :rotate:
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
Nintendo Network ID: AzraelRose
DropBox invite link - get 500MB extra free.
Those are when you're trying to send emails but your computer is on fire right?