
[Sysadmin] Routing to null


Posts

  • Options
    RandomHajileRandomHajile Not actually a Snatcher The New KremlinRegistered User regular
    LD50 wrote: »
    lwt1973 wrote: »
    I'll never understand why people use their work email for all kinds of personal things such as house insurance or bank information.

    Because firstname.lastname@company.com is much more professional looking than ponyfucker6969@aol.com

    At my work, it is even more prevalent because we block personal email from the work network.
    Yeah, this is why I advocate for allowing access to webmail providers at work. Yeah yeah I know, data leakage and all that but maybe YOU can deal with the executive that set up a Facebook account for her daughter using her own work email address, and then later wants you to block Facebook emails at the spam filter because they started to annoy her. (She eventually tried calling Facebook support, which is a thing, I guess?)

  • Options
    LD50LD50 Registered User regular
    LD50 wrote: »
    lwt1973 wrote: »
    I'll never understand why people use their work email for all kinds of personal things such as house insurance or bank information.

    Because firstname.lastname@company.com is much more professional looking than ponyfucker6969@aol.com

    At my work, it is even more prevalent because we block personal email from the work network.
    Yeah, this is why I advocate for allowing access to webmail providers at work. Yeah yeah I know, data leakage and all that but maybe YOU can deal with the executive that set up a Facebook account for her daughter using her own work email address, and then later wants you to block Facebook emails at the spam filter because they started to annoy her. (She eventually tried calling Facebook support, which is a thing, I guess?)

    I agree except it's a different game when you're dealing with patient health information.

    We explicitly don't block email on our guest network, so if you want to get your personal email you can, but you can't access hospital systems from the guest network so it eliminates the possibility that someone will send PHI over personal email due to ignorance.

  • Options
    FeldornFeldorn Mediocre Registered User regular
    LD50 wrote: »
    lwt1973 wrote: »
    I'll never understand why people use their work email for all kinds of personal things such as house insurance or bank information.

    Because firstname.lastname@company.com is much more professional looking than ponyfucker6969@aol.com

    At my work, it is even more prevalent because we block personal email from the work network.

    I've run into some of those and had to ask the people if it's a real address cause I'm about to block it... they say yes and I'm just like "oh... :( "

  • Options
    RandomHajileRandomHajile Not actually a Snatcher The New KremlinRegistered User regular
    LD50 wrote: »
    LD50 wrote: »
    lwt1973 wrote: »
    I'll never understand why people use their work email for all kinds of personal things such as house insurance or bank information.

    Because firstname.lastname@company.com is much more professional looking than ponyfucker6969@aol.com

    At my work, it is even more prevalent because we block personal email from the work network.
    Yeah, this is why I advocate for allowing access to webmail providers at work. Yeah yeah I know, data leakage and all that but maybe YOU can deal with the executive that set up a Facebook account for her daughter using her own work email address, and then later wants you to block Facebook emails at the spam filter because they started to annoy her. (She eventually tried calling Facebook support, which is a thing, I guess?)

    I agree except it's a different game when you're dealing with patient health information.

    We explicitly don't block email on our guest network, so if you want to get your personal email you can, but you can't access hospital systems from the guest network so it eliminates the possibility that someone will send PHI over personal email due to ignorance.
    Oh, totally, that’s a different kind of environment than ours. As of right now, we don’t allow employees on our contractor WiFi (my boss is nervous about filtering it for some reason even though all of the WiFi SSIDs are filtered now anyway). But all of that is a different game now that people have access to a cell phone to receive personal email on.

  • Options
    Dizzy DDizzy D NetherlandsRegistered User regular
    Seems like some big DNS issues worldwide right now... days after a major vulnerability in Windows DNS was found... mmm...

    Steam/Origin: davydizzy
  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Dizzy D wrote: »
    Seems like some big DNS issues worldwide right now... days after a major vulnerability in Windows DNS was found... mmm...

    I hope to Christ the major DNS providers aren't using Windows for their DNS servers.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    edited July 2020
    Darkewolfe wrote: »
    Feral wrote: »
    Thawmus wrote: »
    it still disconnects on logout, which is still way less than ideal, but at least it doesn't disconnect when it locks anymore.

    But now Dell has more updates. Doesn't seem to be one of those things where Windows and Dell keep installing their own version of the driver (though I remember dealing with that a few years ago), but we'll see.

    Bleh! I should just install Pop!OS and let god sort'em out.

    By default, when first connecting to a network, PSK wifi profiles should be created as an "All User Profile". And if it is an all user wifi profile, it should stay connected even after logout. It's possible the wifi profile was instead saved only for the current user which would make it disconnect when logged out. Open a command prompt and run "netsh wlan show profiles" to check.

    If you are using user account auth, then disconnecting when the account logs out is normal. In that case if you want pre-logon connectivity, you'd need to use machine certificate authentication so the computer can log into the wifi itself, not the user.

    My EAP-TLS WiFi network is pushed out by Group Policy as a computer setting, which means it gets applied to the machine, not the user

    :cool:

    git gud my dudes

    How do they get the initial policy?

    Initial laptop imaging & provisioning is done over wired Ethernet.

    Late edit: on a subnet specifically carved out for that purpose

    at the moment, initial laptop provisioning still has to be done on-premises at our HQ. that probably isn't going to change even though our IT staff is mostly working from home (we make occasional visits to HQ when necessary... like when we need to provision a batch of laptops)

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
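
Checking which kind of profile you actually have, as an added PowerShell example (not code from the thread): the first function parses the output of the `netsh wlan show profiles` command mentioned above and reports whether each profile is a Group Policy profile, an All User profile or a Current User profile; the second re-saves a per-user PSK profile for all users using netsh's own export/delete/add commands. The sample output and its SSIDs are constructed, the parser assumes English netsh output, and the conversion assumes an elevated prompt.

```powershell
# Added example, not from the thread. Requires Windows with the WLAN AutoConfig service
# for the live path; Get-WlanProfileScope can also be fed captured text for offline use.

function Get-WlanProfileScope {
    param(
        # Lines of "netsh wlan show profiles"; defaults to running the command live.
        [string[]]$NetshOutput = (netsh wlan show profiles)
    )
    $section = ''
    foreach ($line in $NetshOutput) {
        # netsh prints two sections: "Group policy profiles (read only)" and "User profiles".
        if ($line -match '^Group policy profiles') { $section = 'GroupPolicy'; continue }
        if ($line -match '^User profiles')         { $section = 'User';        continue }

        if ($section -eq 'GroupPolicy' -and $line -match '^\s{4}(?!<None>)(\S.*?)\s*$') {
            # GPO-delivered profiles (e.g. a machine-cert EAP-TLS profile) belong to the computer.
            [pscustomobject]@{ Name = $matches[1]; Scope = 'Group Policy'; SurvivesLogoff = $true }
        }
        elseif ($section -eq 'User' -and $line -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') {
            # "Current User Profile" entries are the ones that disconnect at logoff.
            [pscustomobject]@{ Name = $matches[2]; Scope = $matches[1]; SurvivesLogoff = ($matches[1] -eq 'All User') }
        }
    }
}

function Convert-WlanProfileToAllUsers {
    # Re-saves a per-user PSK profile for all users. key=clear writes the PSK to disk in
    # plaintext, so the export directory is removed as soon as the import has run.
    param([Parameter(Mandatory)][string]$Name)
    $dir = Join-Path $env:TEMP ("wlan-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile "name=$Name" "folder=$dir" key=clear | Out-Null
        $xml = Get-ChildItem -Path $dir -Filter '*.xml' | Select-Object -First 1
        if (-not $xml) { throw "netsh did not export a profile named '$Name'" }
        netsh wlan delete profile "name=$Name" | Out-Null
        netsh wlan add profile "filename=$($xml.FullName)" user=all
    }
    finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Constructed sample of netsh output (SSIDs invented) so the parser can be tried offline.
$sample = @'
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    CorpWiFi-EAPTLS

User profiles
-------------
    All User Profile     : CorpWiFi-Guest
    Current User Profile : HomeNet
'@ -split "`r?`n"

Get-WlanProfileScope -NetshOutput $sample | Format-Table
# Only HomeNet has SurvivesLogoff = False; that is the profile to convert:
# Convert-WlanProfileToAllUsers -Name 'HomeNet'
```

A Group Policy profile and an All User profile both persist through logoff; a Current User profile is the one that produces the disconnect-on-logout symptom described above, and for user-credential EAP profiles the disconnect is expected regardless of scope.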
  • Options
    Dizzy DDizzy D NetherlandsRegistered User regular
    Feral wrote: »
    Dizzy D wrote: »
    Seems like some big DNS issues worldwide right now... days after a major vulnerability in Windows DNS was found... mmm...

    I hope to Christ the major DNS providers aren't using Windows for their DNS servers.

    I very much doubt it, but god knows that there are multiple points between me and the root servers.

    Steam/Origin: davydizzy
  • Options
    ThawmusThawmus +Jackface Registered User regular
    Feral wrote: »
    Dizzy D wrote: »
    Seems like some big DNS issues worldwide right now... days after a major vulnerability in Windows DNS was found... mmm...

    I hope to Christ the major DNS providers aren't using Windows for their DNS servers.

    Major DNS providers probably not but they all get their records propagated from somewhere, and having Windows DNS is a thing at every company other than mine, so...

    Twitch: Thawmus83
  • Options
    Dizzy DDizzy D NetherlandsRegistered User regular
    Seems to have been Cloudflare:

    Cloudflare Network and Resolver Issues
    Identified - The issue has been identified and a fix is being implemented.
    Jul 17, 21:46 UTC
    Investigating - Cloudflare is investigating issues with Cloudflare Resolver and our edge network in certain locations.

    Customers using Cloudflare services in certain regions are impacted as requests might fail and/or errors may be displayed.

    Data Centers impacted include: SJC, DFW, SEA, LAX, ORD, IAD, EWR, ATL, LHR, AMS, FRA, CDG
    Jul 17, 21:37 UTC

    Steam/Origin: davydizzy
  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Unofficial reports suggest that with Cloudflare being down, Google's 8.8.8.8 and 8.8.4.4 are getting hammered.

    Not sure if that's true.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Options
    DarkewolfeDarkewolfe Registered User regular
    It's all back up now. Cloudflare's statement was it was bad routes on a backbone router and definitely not an attack. Google may still have just been hammered enough to cause issues while 1.1.1.1 was fucked.

    What is this I don't even.
  • Options
    mcpmcp Registered User regular
    I took today off

    I am a genius

  • Options
    LD50LD50 Registered User regular
    That almost seems unlikely because the traffic on 1.1.1.1 was probably 8.8.8.8 traffic two years ago.

  • Options
    CarpyCarpy Registered User regular
    Cloudflare blog post on the outage; the ultimate cause was a one-line config change.

    If you click through to the replies the author spends some time answering questions.

  • Options
    LD50LD50 Registered User regular
    I don't know why anyone would marry a doctor.

  • Options
    FeldornFeldorn Mediocre Registered User regular
    Potential alimony?

  • Options
    CarpyCarpy Registered User regular
    Asking checksum programs one and all, let me give you a file to compute a sum across AND just a hash and tell me if they match, in a single invocation.

    No one ever gives a full checksum file and you know the file name is going to have 8 different minor versions in it which is a pain in the ass to copy on my own.

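The single-invocation check asked for above, as an added PowerShell example (not code from the thread): one call takes a file and either a bare digest or a pasted "<hash>  <filename>" line, picks the algorithm from the digest length and reports whether it matches. The demo file content and the tarball name are constructed; SHA-256("abc") is the published FIPS 180 test vector.

```powershell
# Added example, not from the thread. Works in Windows PowerShell 5.1 and PowerShell 7.

function Test-FileChecksum {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Either a bare hex digest or a whole line from a SHA256SUMS-style file.
        [Parameter(Mandatory)][string]$Expected
    )
    # Pull the hex run out of whatever was pasted; the \b anchors stop a 64-char digest
    # from being taken as a 32-char MD5 prefix.
    if ($Expected -notmatch '(?i)\b([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128})\b') {
        throw "No MD5/SHA1/SHA256/SHA512 digest found in '$Expected'"
    }
    $digest = $matches[1]
    $algo   = @{ 32 = 'MD5'; 40 = 'SHA1'; 64 = 'SHA256'; 128 = 'SHA512' }[$digest.Length]
    $actual = (Get-FileHash -Path $Path -Algorithm $algo).Hash
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $algo
        Expected  = $digest.ToLower()
        Actual    = $actual.ToLower()
        Match     = ($actual -eq $digest)   # -eq is case-insensitive for strings
    }
}

# Constructed input: a file containing exactly the bytes "abc".
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'checksum-demo.bin'
[IO.File]::WriteAllText($tmp, 'abc', [Text.Encoding]::ASCII)

# A pasted line with a long versioned filename still works: only the hex run is used.
Test-FileChecksum -Path $tmp -Expected 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  some-tool-1.2.3-rc4-hotfix7.tar.gz'
# Match = True

# One hex digit changed in the last position:
Test-FileChecksum -Path $tmp -Expected 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ae'
# Match = False

Remove-Item $tmp
```

The digest length is what selects the algorithm, so a vendor that publishes only an MD5 gets an MD5 comparison; treat that as an integrity check against download corruption, not as protection against a tampered mirror, which needs a signature rather than a hash.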
  • Options
    MyiagrosMyiagros Registered User regular
    Dell... stop... two servers in a row they have shipped without rail kits. This one was delayed by a month as they waited for a cable management unit. Finally arrived, pull it out of the box, no rails, also no cable management unit...

    iRevert wrote: »
    Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
    Steam: MyiagrosX27
  • Options
    That_GuyThat_Guy I don't wanna be that guy Registered User regular
    Myiagros wrote: »
    Dell... stop... two servers in a row they have shipped without rail kits. This one was delayed by a month as they waited for a cable management unit. Finally arrived, pull it out of the box, no rails, also no cable management unit...

    Just set it on top of the old server. It'll be fine

  • Options
    MyiagrosMyiagros Registered User regular
    It's on top of the old SAN. That's about as much use as that thing will get once everything has been migrated.

    iRevert wrote: »
    Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
    Steam: MyiagrosX27
  • Options
    bowenbowen How you doin'? Registered User regular
    Myiagros wrote: »
    Dell... stop... two servers in a row they have shipped without rail kits. This one was delayed by a month as they waited for a cable management unit. Finally arrived, pull it out of the box, no rails, also no cable management unit...

    My servers had two sets of rail kits come in different boxes, maybe someone misplaced them?

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    ThawmusThawmus +Jackface Registered User regular
    Bowen why are you stealing rail kits?

    Twitch: Thawmus83
  • Options
    bowenbowen How you doin'? Registered User regular
    I don't have to answer these questions, I'm not under arrest

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    ThawmusThawmus +Jackface Registered User regular
    Sir can you please speak clearly into the microphone, and remember you are under oath*

    *under oath to always find a way to blame a user in the end

    Twitch: Thawmus83
  • Options
    AthenorAthenor Battle Hardened Optimist The Skies of HiigaraRegistered User regular
    Anyone here manage a wiki or document management system?

    Now that our rollout of monitoring is successful (or at least strong enough that we can build on it), the next project in my crosshairs is Confluence. We're expanding it department wide, and using it to replace our help desk's KB system.

    My first thoughts are turning to organization, but I'll probably ask our librarians about that.

    but more than that, I'm curious about security models. Right now we're making 3 AD groups per space/collection -- Viewer, Member, and Owner. These then get tied into the space's permissions. Which is fine, I guess. I'm just wondering if there are other considerations I should think about.

    Ideally we'd institute a model where you have to login to see most data, and some data would be even more locked down if it was sensitive or specific to a team. Then we'd have public/anonymous access to other pages, perhaps published from the team pages to "system" pages. Not sure.

    Our immediate goal is to publish a service catalog and listing of applications / software the university offers. This is needed for the new school year, especially to help with online learning.

    Then there's also the considerations of our web team. We have a custom web portal and a bunch of documentation out there, but management has to go through the web team. I want to make sure they are integrated and onboard as much as possible. And again, that gets down to security and content curation.

    I guess I'm mainly just looking for other examples/best practices in this sphere.

    He/Him | "A boat is always safest in the harbor, but that’s not why we build boats." | "If you run, you gain one. If you move forward, you gain two." - Suletta Mercury, G-Witch
  • Options
    MugsleyMugsley DelawareRegistered User regular
    We had a new printer set up this week. When I saw the techs wheeling the old one onto the elevator, I literally cheered.

    I almost asked them to give me 15 minutes with it in the back parking lot, with a baseball bat.

  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Has anybody successfully set up password hash synchronization between MS365 and on-premises AD?

    I've been beating my head against this on and off for weeks now and I can't get it to work.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Options
    Dizzy DDizzy D NetherlandsRegistered User regular
    Feral wrote: »
    Has anybody successfully set up password hash synchronization between MS365 and on-premises AD?

    I've been beating my head against this on and off for weeks now and I can't get it to work.

    I'm actually in the middle of doing it, but we are a subcontractor and the service account doesn't have the right permissions, so I'm currently waiting on several approvals and on some domain admin to grant the permissions to the account.

    Steam/Origin: davydizzy
  • Options
    SiliconStewSiliconStew Registered User regular
    edited July 2020
    Feral wrote: »
    Has anybody successfully set up password hash synchronization between MS365 and on-premises AD?

    I've been beating my head against this on and off for weeks now and I can't get it to work.

    Is "Password hash synchronization" and "Password writeback" turned on in your on-prem AAD Connect under "Customize synchronization options -> Optional Features"?

    Is "Password Hash Synchronization" selected in "Change user sign-in -> User Sign In"?

    Is AAD Connect otherwise successfully synchronizing on-prem user objects to Azure?

    Does your AD service account used for the sync have "Read All Properties", "Write All Properties", and "Reset Password" permissions applied to "Descendant User Objects" at the root of your domain in ADUC?

    Does your AD service account used for the sync have "Replicating Directory Changes", and "Replicating Directory Changes All" applied to "This Object Only" at the root of your domain in ADUC?

    If you use the Troubleshooting Tool in your on-prem AAD Connect, what are the results of the tests it runs?

    You could try the powershell scripts at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account to set up the service account permissions as well.

    SiliconStew on
    Just remember that half the people you meet are below average intelligence.
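
The two "Replicating Directory Changes" permissions in the checklist above can be audited from the domain root ACL; here is an added PowerShell example (not code from the thread or from Microsoft) that lists every principal holding either right and reports what the sync account is missing. The same two extended rights are what a DCSync attack needs, so the first function doubles as a defender's check for unexpected holders. The domain, the connector account name CONTOSO\MSOL_abc123 and the svc-backup account are invented; the live path assumes the RSAT ActiveDirectory module for the AD: drive, while the sample ACEs are constructed offline with the same .NET types.

```powershell
# Added example, not from the thread. Extended-right GUIDs are the schema's fixed values
# for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
Add-Type -AssemblyName System.DirectoryServices

$ReplicationRights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

function Get-ReplicationRightHolders {
    param(
        # ACEs from the domain root, e.g. (Get-Acl 'AD:\DC=contoso,DC=com').Access
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule[]]$Access
    )
    foreach ($ace in $Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { continue }
        foreach ($name in $ReplicationRights.Keys) {
            # An all-zero ObjectType grants every extended right, which covers these too.
            if ($ace.ObjectType -eq $ReplicationRights[$name] -or $ace.ObjectType -eq [guid]::Empty) {
                [pscustomobject]@{
                    Identity    = $ace.IdentityReference.Value
                    Right       = $name
                    Inheritance = $ace.InheritanceType   # None == "This object only"
                }
            }
        }
    }
}

function Test-PhsConnectorAccount {
    param(
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'CONTOSO\MSOL_abc123' (assumed name)
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule[]]$Access
    )
    $held = Get-ReplicationRightHolders -Access $Access |
            Where-Object { $_.Identity -eq $Identity } |
            Select-Object -ExpandProperty Right -Unique
    $missing = @($ReplicationRights.Keys | Where-Object { $_ -notin $held })
    [pscustomobject]@{ Identity = $Identity; Missing = $missing; Ok = ($missing.Count -eq 0) }
}

# Constructed sample ACEs (no domain needed). Live use:
#   $acl = (Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access
function New-SampleAce([string]$Who, [guid]$Right) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.NTAccount]$Who,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $Right,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
}
$sampleAcl = @(
    New-SampleAce 'CONTOSO\MSOL_abc123' $ReplicationRights['Replicating Directory Changes']
    New-SampleAce 'CONTOSO\svc-backup'  $ReplicationRights['Replicating Directory Changes All']
)

Test-PhsConnectorAccount -Identity 'CONTOSO\MSOL_abc123' -Access $sampleAcl
# Ok = False; Missing = 'Replicating Directory Changes All'
Get-ReplicationRightHolders -Access $sampleAcl | Format-Table
# svc-backup holds a replication right it has no business with: investigate.
```

The checklist also wants Read/Write All Properties and Reset Password on descendant user objects for password writeback; those are ordinary property rights rather than extended rights and would be checked the same way with ActiveDirectoryRights of ReadProperty/WriteProperty and the User-Force-Change-Password GUID.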
  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Feral wrote: »
    Has anybody successfully set up password hash synchronization between MS365 and on-premises AD?

    I've been beating my head against this on and off for weeks now and I can't get it to work.

    Is "Password hash synchronization" and "Password writeback" turned on in your on-prem AAD Connect under "Customize synchronization options -> Optional Features"?

    Is "Password Hash Synchronization" selected in "Change user sign-in -> User Sign In"?

    Is AAD Connect otherwise successfully synchronizing on-prem user objects to Azure?

    Yes to all of these.
    If you use the Troubleshooting Tool in your on-prem AAD Connect, what are the results of the tests it runs?
    ========================================================================
    =                                                                      =
    =            Password Hash Synchronization General Diagnostics         =
    =                                                                      =
    ========================================================================
    
    
    AAD Tenant - contoso.onmicrosoft.com
    Password Hash Synchronization cloud configuration is enabled
    
    AD Connector - contoso.com
    Password Hash Synchronization is enabled
    Latest Password Hash Synchronization heartbeat is detected at: 07/28/2020 18:22:49 UTC
    
            Directory Partitions:
            =====================
            Directory Partition - contoso.com
            Last successful attempt to synchronize passwords from this directory partition started at: 7/28/2020 6:48:49 PM UTC and ended at: 7/28/2020 6:48:49 PM UTC
    
            Only Use Preferred Domain Controllers: False
            Checking connectivity to the domain...
            Domain "contoso.com" is reachable
    
    Did you find Password Hash Sync General Diagnostics helpful? [y/n]: y
    

    Does your AD service account used for the sync have "Read All Properties", "Write All Properties", and "Reset Password" permissions applied to "Descendant User Objects" at the root of your domain in ADUC?

    Does your AD service account used for the sync have "Replicating Directory Changes", and "Replicating Directory Changes All" applied to "This Object Only" at the root of your domain in ADUC?

    You could try the powershell scripts at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account to set up the service account permissions as well.

    Good call. I should double-check the permissions. Thank you.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Options
    SiliconStewSiliconStew Registered User regular
    Strange. That troubleshooter seems to indicate your password sync is working as expected. It should have spit out an error if your service account permissions were incorrect. You might try running the "one object is not syncing passwords" troubleshooter as there are some additional tests for object connector space rules in there.

    Just remember that half the people you meet are below average intelligence.
  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    edited July 2020
    Strange. That troubleshooter seems to indicate your password sync is working as expected. It should have spit out an error if your service account permissions were incorrect. You might try running the "one object is not syncing passwords" troubleshooter as there are some additional tests for object connector space rules in there.

    Well, that gets me somewhere. I think.
    ===========================================================================
    =                                                                         =
    =         Password Hash Synchronization Single Object Diagnostics         =
    =                                                                         =
    ===========================================================================
    
    
    List of AD Connectors:
    ----------------------
    contoso.com
    Password Hash Synchronization is enabled for AD Connector - contoso.com
    
    
    Please enter AD connector space object Distinguished Name: CN=Azure Test,OU=Contoso Users,DC=contoso,DC=com
    
    
    The object is available in the AD connector space - contoso.com
    The object is a connector, it has a link to the metaverse
    The object is synced to the AAD connector space
    
    
    Password Hash Synchronization rule is found for AD connector space object
    
    Name                             Direction LinkType EnablePasswordSync
    ----                             --------- -------- ------------------
    In from AD - User AccountEnabled   Inbound     Join               True
    
    
    
    There is no Password Hash Synchronization rule for target AAD connector space object
    Please check synchronization rules or see: https://go.microsoft.com/fwlink/?linkid=847233
    
    
    Did you find Password Hash Sync Single Object Diagnostics helpful? [y/n]:
    

    The weird thing is that I do have a Password Hash Synchronization rule that I think should match (called 'Out to AAD - User Join'). The only reference I can find in MS's documentation about an outbound rule is from this screenshot I found at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-hash-synchronization:

    [screenshot: phssingleobjectgeneral.png]

    That 'Out to AAD - User Join' looks similar to the one I have in the sync rules editor.

    Other than that, there's precious little in MS's documentation about troubleshooting sync rules.

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Options
    lwt1973lwt1973 King of Thieves SyndicationRegistered User regular
    It's frustrating when someone outside of IT starts rattling off things they have no concept of to "solve"

    "We can bond the lines and then we can get 5g from that."

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • Options
    Dizzy DDizzy D NetherlandsRegistered User regular
    lwt1973 wrote: »
    It's frustrating when someone outside of IT starts rattling off things they have no concept of to "solve"

    "We can bond the lines and then we can get 5g from that."

    Last week: "Mails we send through application X get marked as spam; they didn't get marked as spam before you migrated to another spam filter, so the issue is with the spam filter." "The header says SPF fail. Your application is not authorized to send mail as our organisation." "They didn't get marked before." "Pretty sure that the old spam filter also tagged SPF fails."

    Steam/Origin: davydizzy
  • Options
    ThawmusThawmus +Jackface Registered User regular
    And if the old spamfilter didn't give a shit about SPF fails then hey aren't you glad I put in a new spam filter motherfucker?

    Twitch: Thawmus83
  • Options
    LD50LD50 Registered User regular
    God I am so tired of arguing with vendors that no I am not going to disable spf failure filtering FIX YOUR DAMN EMAIL.

  • Options
    SiliconStewSiliconStew Registered User regular
    LD50 wrote: »
    God I am so tired of arguing with vendors that no I am not going to disable spf failure filtering FIX YOUR DAMN EMAIL.

    "Your own SPF record explicitly says these emails are fake, so why should I take your word that they're good?".

    Just remember that half the people you meet are below average intelligence.
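
To show a vendor (or an internal application owner) exactly which term of the SPF record rejects their server, here is an added PowerShell example (not code from the thread): a minimal SPF evaluator for the ip4, include and all mechanisms with their qualifiers, including the RFC 7208 limit of ten DNS-querying mechanisms. DNS is replaced by a constructed hashtable; the domains and IP addresses are invented, and a, mx, exists, ptr and redirect are deliberately reported as unsupported.

```powershell
# Added example, not from the thread. Evaluates v=spf1 records from an in-memory map
# so it runs offline; swap $Txt for Resolve-DnsName -Type TXT lookups for live use.

function ConvertTo-IPv4UInt32([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $bits = if ($bits) { [int]$bits } else { 32 }   # "ip4:198.51.100.10" means /32
    $mask = if ($bits -eq 0) { [uint32]0 }
            else { [uint32](([uint64][uint32]::MaxValue -shl (32 - $bits)) -band [uint64][uint32]::MaxValue) }
    ((ConvertTo-IPv4UInt32 $Ip) -band $mask) -eq ((ConvertTo-IPv4UInt32 $net) -band $mask)
}

function Get-SpfResult {
    param(
        [string]$Domain,
        [string]$Ip,
        [hashtable]$Txt,              # domain -> TXT record text (stand-in for DNS)
        [ref]$Lookups = ([ref]0)      # shared counter for the 10-lookup limit
    )
    $record = $Txt[$Domain]
    if (-not $record -or $record -notmatch '^v=spf1(\s|$)') { return 'none' }

    foreach ($term in ($record -split '\s+' | Select-Object -Skip 1)) {
        # Qualifier decides the result when the mechanism matches; default is "+".
        $q = '+'
        if ($term -match '^[+\-~?]') { $q = [string]$term[0]; $term = $term.Substring(1) }
        $result = switch ($q) { '+' { 'pass' } '-' { 'fail' } '~' { 'softfail' } '?' { 'neutral' } }

        $matched = $false
        switch -Regex ($term) {
            '^all$'          { $matched = $true }
            '^ip4:(.+)$'     { $matched = Test-IPv4InCidr -Ip $Ip -Cidr $matches[1] }
            '^include:(.+)$' {
                $Lookups.Value++
                if ($Lookups.Value -gt 10) { return 'permerror' }
                $inner = Get-SpfResult -Domain $matches[1] -Ip $Ip -Txt $Txt -Lookups $Lookups
                if ($inner -eq 'permerror') { return 'permerror' }
                $matched = ($inner -eq 'pass')   # include only matches on pass
            }
            default          { return 'permerror' }   # a, mx, exists, ptr, redirect not implemented
        }
        if ($matched) { return $result }
    }
    'neutral'   # fell off the end of the record without matching
}

# Constructed records: the organisation's own range plus a mail vendor's include.
$dns = @{
    'contoso.example'          = 'v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all'
    '_spf.mailvendor.example'  = 'v=spf1 ip4:198.51.100.10 ~all'
}

Get-SpfResult -Domain 'contoso.example' -Ip '203.0.113.25'  -Txt $dns   # pass (own MTA)
Get-SpfResult -Domain 'contoso.example' -Ip '198.51.100.10' -Txt $dns   # pass (via include)
Get-SpfResult -Domain 'contoso.example' -Ip '192.0.2.77'    -Txt $dns   # fail ("application X" sending directly)
```

The third call is the case in the thread: the application's server is in nobody's record, so the sender's own `-all` says the mail is not authorised, and the fix is to add the server (or route it through the listed relay), not to switch off SPF filtering on the receiving side.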
  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    CIO: "There's a former customer who owes us on their final bill, and they're sending abusive emails to our collections team. Can we forward their emails to a special inbox?"

    Me: "Sure. I can do that easily."

    CIO: "Cool. Can you also forward the emails to the Collections manager?"

    Me: "Yeah no prob"

    ... two days later ...

    The Collections manager hit "reply all" on one of the abusive emails that were auto-forwarded to him, and his email signature on his phone includes his direct cell phone numbers.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Options
    MugsleyMugsley DelawareRegistered User regular
    What is the "sane" reason why Outlook keeps a delayed-send email in my local Outbox instead of on the server?
