You can do an RD Gateway; that would be the best.
Best posts made by dbeato
-
RE: Moving from Physical AD/Data Server to Office365
@BRRABill said in Moving from Physical AD/Data Server to Office365:
I guess the question is ... do we just scrap our AD, and use our Office365 accounts to log in. Do we really need anything more than that?
Yeah, scrap it, no need for anything else... unless you want to have Intune as your MDM and manage policies for your computers.
-
RE: Moving from Physical AD/Data Server to Office365
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
But they will all be working remote, no need to be tied to AD anymore.
-
RE: Moving from Physical AD/Data Server to Office365
@scottalanmiller But you gotta provide the option of an RMM or agent, correct? Because yes, you can do scripting, but you still need something to deliver it rather than doing it manually. While GP can be used without AD, I would say that using GPOs manually is way more of a PITA than GPOs on AD. That is a discussion for another topic.
-
RE: Moving from Physical AD/Data Server to Office365
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
Catch #1: User will not be able to remote into that PC using RDP. Third party yes, but not RDP.
Are you sure? Have you tried this?
Catch #2: The PC is tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
Are you sure? I have had machines that are in AD first and then AAD joined and never had an issue. Now I've never AAD joined first, then added to AD, no clue what would happen there, though I see no reason why it wouldn't work.
As Scott mentioned - there are many options for managing machines today Salt or Intune are examples.
Yeah, he is right about that. If you AAD join first you cannot join AD after that. So if they need both I do the hybrid join for some customers (big ones).
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual
-
RE: Is it possible to remove local admin on Windows Server?
@Pete-S said in Is it possible to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is it always possible to login as local admin (if you know the name/passwd)?
I wouldn't disable the local admin of a server; it would come in handy if you need to restore stuff or remove from and add to the domain. LAPS works but beware.
-
RE: Is it possible to remove local admin on Windows Server?
@Grey said in Is it possible to remove local admin on Windows Server?:
@pmoncho said in Is it possible to remove local admin on Windows Server?:
@dbeato said in Is it possible to remove local admin on Windows Server?:
@Pete-S said in Is it possible to remove local admin on Windows Server?:
ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is it always possible to login as local admin (if you know the name/passwd)?
I wouldn't disable the local admin of a server; it would come in handy if you need to restore stuff or remove from and add to the domain. LAPS works but beware.
I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.
I do disable the Administrator account after creating my own local admin with a 20+ char strong password. Less worries on both the security and DR front.
Yes, but if you have physical or KVM access, even virtual, you can use Linux ntpass to turn on the admin account and reset the password. This would be the last resort if you really lost the admin access, which is rare.
Not since UEFI... At least it doesn't work with Windows 10 and subsequent kernels.
-
Gmail issue adding external email account to send.
While helping a customer add their email account to Gmail to be able to send emails we got the error as below:
Background on how to set up an external account to send:
https://support.google.com/mail/answer/22370?hl=en
Error
"TLS Negotiation Failed. The certificate doesn't match the host., code: 0"
Resolution
The email server had the correct SSL certificate but was still having an issue. In this case it was an Exim server and it had a correct SSL certificate. For the heck of it I ran the SSL Checker on https://www.sslshopper.com/ and it came back all good with the whole SSL chain. However, when I ran the scan with https://www.checktls.com/TestReceiver I found an issue with the SSL chain.
Once I fixed the SSL certificate (by adding the intermediate and root chain) it worked. The Dovecot SSL on the same server had the chain, so that was easy.
Found also this https://gucia.pl/2020/04/tls-negotiation-failed-the-certificate-doesnt-match-the-host-solved/
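The chain problem described in this post, reproduced offline as an added example (this is not code from the original post or from any of the linked checkers). It builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI, then runs the same check a mail client does: trust only the root, use whatever extra certificates the server sent, and match the hostname. The names (Test Root, Test Intermediate, mail.example.test) are invented for the example, and the only assumption is that `openssl` and `mktemp` are on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces "unable to get local
# issuer certificate" (the server sends only its leaf) and the hostname
# mismatch case, then shows the check passing once the intermediate is served.
set -eu

# make_test_pki DIR: create root, intermediate and leaf certificates in DIR.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # Extensions for the two CAs and for the leaf (invented test names).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' > "$dir/leaf.ext"

    # Root CA: self-signed.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=Test Root" -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA: signed by the root. This is the cert the Exim server was not sending.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=Test Intermediate" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

    # Leaf: the mail server's certificate, signed by the intermediate, with a SAN.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=mail.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf HOST ROOT LEAF [SERVED_EXTRA]
# Trust only ROOT, treat SERVED_EXTRA (what the server sent besides its leaf)
# as untrusted chain material, and require LEAF to match HOST.
# Returns openssl verify's exit status: 0 on success, non-zero on any failure.
verify_leaf() {
    host=$1; root=$2; leaf=$3; extra=${4:-}
    if [ -n "$extra" ]; then
        openssl verify -verify_hostname "$host" -CAfile "$root" -untrusted "$extra" "$leaf" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$host" -CAfile "$root" "$leaf" >/dev/null 2>&1
    fi
}

# Stand-alone walk-through of the three cases.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "1) server sends only its leaf (what checktls.com flagged):"
    openssl verify -CAfile "$work/root.pem" "$work/leaf.pem" 2>&1 || true
    echo "2) server sends leaf + intermediate, name matches:"
    if verify_leaf mail.example.test "$work/root.pem" "$work/leaf.pem" "$work/int.pem"; then
        echo "   OK"
    else
        echo "   FAIL"
    fi
    echo "3) full chain but the client asked for a different name:"
    if verify_leaf other.example.test "$work/root.pem" "$work/leaf.pem" "$work/int.pem"; then
        echo "   OK (unexpected)"
    else
        echo "   FAIL: hostname mismatch, the 'certificate doesn't match the host' case"
    fi
    rm -rf "$work"
}
demo

# Against a real mail server (network; not run here) the equivalent check is:
#   openssl s_client -starttls smtp -connect mail.example.test:587 \
#       -servername mail.example.test -showcerts </dev/null
# and the "Verify return code" line at the end is what Gmail's submission test sees.
```

Case 1 is why sslshopper-style checks can pass while Gmail fails: a browser or checker that already has the intermediate cached, or that fetches it via AIA, silently repairs the chain, whereas a strict client that trusts only the root and uses only what the server sent does not. The fix in the post (serving leaf plus intermediate, as in case 2) is what makes both checks agree.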
-
RE: Anyone Know a Good GUI for HAProxy?
I have used the HAProxy stats on port 9000.
https://www.haproxy.com/blog/exploring-the-haproxy-stats-page/
-
RE: Integrate Rocketchat with Jitsi
@brianinca said in Integrate Rocketchat with Jitsi:
@dbeato if you set this option:
Then you SHOULD get a slideout video window when you select video call from the menu:
So that would be nice to keep it in the context of RocketChat, it just doesn't fly. /jitsi <name> is more than our safety guys can handle, apparently!
I set it up like you did but I couldn't get any video chat like you show. I will test it out.
-
RE: Integrate Rocketchat with Jitsi
Based on the documentation it does not work in the local Rocket.Chat app.
https://rocket.chat/docs/user-guides/voice-and-video-conferencing/
-
RE: Office 365 Licensing sanity check
@WLS-ITGuy said in Office 365 Licensing sanity check:
Look at Tech Soup. Great tool for Non-Profits. When we were figuring out what we needed for our move to O365 they were very helpful in assisting us with the right licensing and not getting things we didn't need.
One thing about Tech Soup, they don't sell the Azure AD premium licenses.
-
RE: External port testing
You can also use Nmap.
https://nmap.org/book/man-port-scanning-basics.html
I use Angry IP Scanner for that, but a lot of tools use Nmap.
https://angryip.org/
-
RE: OpenManage Enterprise Gotcha
@notverypunny said in OpenManage Enterprise Gotcha:
@dbeato said in OpenManage Enterprise Gotcha:
@notverypunny said in OpenManage Enterprise Gotcha:
OpenManage Enterprise
That's why we put it on a VM.
Yep, it's a vm.... but the VM and the iDRAC were set to share the same NIC on the host (whoever did the initial hardware setup didn't want to / couldn't use the iDRAC's dedicated NIC)
Weird, we use the dedicated iDRAC all the time.
-
Unlock RDS User Profile Disk (Network Profile)
Had to fix this today for users locked out of their profile, with network user profiles on an RDS server.
Updated a PowerShell script to match my use:
# Share holding the User Profile Disks, and the user to unlock
$UPDSharePath = "\\server\PublicShare\Profiles"
$username = "username"
# Get the user's SID
$strSID = (New-Object System.Security.Principal.NTAccount($username)).Translate([System.Security.Principal.SecurityIdentifier]).Value
# Build the UPD path (UVHD-<SID>.vhdx)
$diskname = $UPDSharePath + "\UVHD-" + $strSID + ".vhdx"
# Find the disk image and dismount it
Get-DiskImage -ImagePath $diskname | Dismount-DiskImage
If the user still can't connect after that, then recreate the user profile (without renaming the user profile disk).
Go in the registry to the following key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Then find the SID of your user and rename the key to .old, then have the user log in again.
-
RE: Exchange Database and User Login Report Marriage
@Texkonc said in Exchange Database and User Login Report Marriage:
@dbeato said in Exchange Database and User Login Report Marriage:
I will get you something tomorrow, dealing with something important this week.
If it works, Beer is on me!
Second thought, I will let SAM pay.... Lol. Ship it.
-
RE: Exchange Database and User Login Report Marriage
Now back to the task: this was a mess. Whatever those two scripts you had did not take into account that these are not computers, these are users, so the LastLogonDate is not a user attribute and so forth. See my script below.
# Import the AD and Exchange modules (the server must have the AD PowerShell and Exchange PowerShell modules)
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
# OU information (if needed; I am not using it in my example)
$OU = "dc=domain,dc=com"
# Get today's date
$today = Get-Date
# Date format for the file name
$date = Get-Date -Format "MMddyyyy"
# Define a work folder for the report
$WorkFolder = "C:\Scripts"
# Define how far back to search for users that have not logged in
$Days = $today.AddDays(-90)
# Search for enabled users whose last logon is older than $Days, one SamAccountName per line (no CSV header)
Get-ADUser -Filter { LastLogonDate -lt $Days -and Enabled -eq $true } |
    Select-Object -ExpandProperty SamAccountName |
    Out-File "$WorkFolder\$date-Users.csv" -Force -Encoding ascii
# Read the users back from the file
$users = @(Get-Content "$WorkFolder\$date-Users.csv")
# Loop over all the users and report on the mailboxes that are inactive
foreach ($user in $users) {
    Get-Mailbox -Identity $user -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Database, WindowsEmailAddress,
            @{n = "Size(MB)"; e = { [int]$(Get-MailboxStatistics $_.Alias).TotalItemSize.Value.ToMB() }} |
        Export-Csv -Path "$WorkFolder\MailboxStatistics-$date.csv" -NoTypeInformation -Append
}
This will only give you the report of the users that are enabled and have not logged in in the last 90 days. Now, give it a try and check it. If that is not what you are looking for then something else can be reviewed.
-
RE: Creating Scheduled Task using GPO
@srdennis You need to set the action to Create and then set the settings as below:
Under actions this is what I have
-
RE: Anyone using Zoho Cliq?
We are using Teams and Slack so it has been working fine. Too many chat applications that are free and available...