So this thread was supposed to be like a talk-show?
Best posts made by flaxking
-
RE: Researching OpenDental Software
There's so many industries with niche LoB applications that are ripe for a shake-up by modern competitors. The issue is getting the business knowledge in order to make a competing product.
-
Office 365 ProPlus in non-dedicated hardware hosted environment
This document shows that when Office 365 ProPlus is acquired via Volume Licencing, it has to be on hardware dedicated to the organization when on a third party server (exception for Azure).
http://download.microsoft.com/download/3/d/4/3d42bdc2-6725-4b29-b75a-a5b04179958b/licensing_office365_proplus_in_volume_licensing.pdf
Does anyone know if non-VL Office 365 ProPlus is exempt from such restrictions?
-
RE: How-To / Community Documentation & Resources
C'mon guys, I might as well just join Reddit if everyone is going to be so touchy.
-
RE: Change Local Admin Pwd?
@siringo said in Change Local Admin Pwd?:
Hey thanks for all the help everyone, it is greatly appreciated.
I've decided to go with LAPS as this is part of an overall 'let's tighten up security' project I've got going and my thoughts were, you can't go wrong if you go with the Vendor's recommendation.
I'm distributing the LAPS client software via Startup GPO which is working well ATM. Half way through the setup, but have stopped coz the weekend started.
I'll take a look at Salt as I need to broaden my horizons.
Thanks again folks.
FYI, to deploy to clients you just need to copy the DLL and register it with regsvr32. But good thing you're not trying to deploy it with GP's software installation features.
-
RE: Windows 10 on Azure
Thanks @scottalanmiller there was even an example in that document that fit our situation perfectly.
-
RE: Remote management of employees personal cell phones ...
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
You can certainly do this with Intune and office 365. Basically you'd be able to wipe all corporate data as long as it's kept in office 365.
With Office 365 MDM, you can't disable the ability to do a full remote wipe. You do have more control over that with GSuite. Does Intune give you more control?
I'm pretty sure you can do what I described, but I'm not 100% sure.
It's not a question of what you can do, it's a question of what can the IT department be prevented from doing. The difference between wiping company data and wiping the whole phone just being different buttons does not reassure me.
-
RE: Remote management of employees personal cell phones ...
@Emad-R said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
You can certainly do this with Intune and office 365. Basically you'd be able to wipe all corporate data as long as it's kept in office 365.
With Office 365 MDM, you can't disable the ability to do a full remote wipe. You do have more control over that with GSuite. Does Intune give you more control?
I'm pretty sure you can do what I described, but I'm not 100% sure.
It's not a question of what you can do, it's a question of what can the IT department be prevented from doing. The difference between wiping company data and wiping the whole phone just being different buttons does not reassure me.
But it is always this case with us, the difference of taking a snapshot or deleting the whole VM is just a button, that is why we have all those stress related issues
If companies were interested in investing in proper pipelines for our work, it would make our lives much less stressful.
-
RE: Remote management of employees personal cell phones ...
@Dashrender said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
@flaxking said in Remote management of employees personal cell phones ...:
@IRJ said in Remote management of employees personal cell phones ...:
You can certainly do this with Intune and office 365. Basically you'd be able to wipe all corporate data as long as it's kept in office 365.
With Office 365 MDM, you can't disable the ability to do a full remote wipe. You do have more control over that with GSuite. Does Intune give you more control?
I'm pretty sure you can do what I described, but I'm not 100% sure.
It's not a question of what you can do, it's a question of what can the IT department be prevented from doing. The difference between wiping company data and wiping the whole phone just being different buttons does not reassure me.
This is how you do it - from MS link I posted earlier
"Enable your users to more securely access corporate information using the Office mobile and line-of business apps they know, while ensuring security of data by helping to restrict actions like copy, cut, paste, and save as, to only those apps managed by Intune."
If you restrict actions like copy, cut, paste, saving, screenshots, etc then you keep the data inside Office Mobile. Then you just remove the Office Mobile app remotely.
Are you able to enable remote removal of the app with just this feature?
You actually don't even have to do that. If they cannot log in they cannot get to any of the data.
Assuming an encrypted cache, this sounds like a viable option. We have 100 Intune licences, so I can insist on being one of the users managed by Intune rather than Office365 MDM. But based on my recent experiences, I'm not too keen to have email or Teams on my phone.
What experience is that?
Nothing to do with the application, just to do with being always working. I did a 108 hour week followed by a 90 hour, followed by a 70 hour. I've now removed all work communication from my phone in order to try to get some peace when I can.
-
RE: PowerShell - Add-ADGroupMember Script - Improvements?
@wrx7m said in PowerShell - Add-ADGroupMember Script - Improvements?:
@flaxking said in PowerShell - Add-ADGroupMember Script - Improvements?:
When HR does the hand-off to you what information do they give you? Most likely the new staff member's role
Usually the role can be the abstraction layer on top of these groups (one-offs aside). So you could create role-based groups with the appropriate groups nested within.
That is true. At least, to some extent. It would definitely cut down on the number of options. Most are grouped by role or service specific, so I could combine them (nested) under respective groups.
I worked at one company where HR always named a specific user they wanted the new user to have the same permissions as. So it was a user copy operation instead. That would be like a template method.
-
RE: Is not bringing PCs in Domain is a sin?
@JaredBusch said in Is not bringing PCs in Domain is a sin?:
@dbeato said in Is not bringing PCs in Domain is a sin?:
@coliver Yup, and it is all based on registry settings so it shouldn't be dependent on Microsoft only.
Umm... Microsoft is the only system with a "registry"
Other operating systems have other means of doing things.
I think @dbeato means that GPOs mostly just configure registry settings, so Group Policy is not required for managing Windows systems.
-
RE: Using GNU\Linux on your workstation is rubbish
I haven't done much of it with Windows 10, but back with Windows 7, if the peripheral was not officially Windows 7 compatible it could be a real PITA to install.
-
RE: Printers - IP or WSD
@Dashrender said in Printers - IP or WSD:
@zachary715 said in Printers - IP or WSD:
No sorry I missed the print server part. I did away with that thing when I first took over. Our printer fleet of about 25 is small enough to manage without it so I'm just going straight to the device.
Again, it's essentially the DNS name which is either BRN for wired or BRW for wireless followed by mac address. It's what populates automatically in the DNS server when connected and then I just create the reservation where I want it. Print management is a breeze these days.
Allllllrighty then.
something for me to consider.
I wonder if I can deploy non server based printers in GPO to direct printers. The main issue becomes deploying drivers then.
How did you handle that?
Back when I did that, I did have a 'print server' to host the drivers, but the GPO pushed out direct to IP printer installs, just referencing the server to get the drivers.
-
RE: Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server
@dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
@flaxking said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:
You have to enable loopback processing for the server and then it will process user configuration linked to it
Where would I do this? In the same GPO that I am setting the GPP?
In the same GPO.
https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy
https://www.jorgebernhardt.com/how-to-enable-group-policy-loopback-processing/
It doesn't have to be the same GPO. Once it is set for a computer, it then 'loops back' around and processes all the user settings in the GPOs that are linked/inherited
-
RE: PowerShell - Using Variables to Delete SMTP Proxy Addresses in AD
Probably either
"smtp:$($GivenName).$($Surname)@$($Domain)"
Or
('smtp:' + $GivenName + '.' + $Surname + '@' + $Domain)
-
RE: PowerShell - Using Variables to Delete SMTP Proxy Addresses in AD
PowerShell is object oriented, which is super important to realize when working with it, and that is what usually gives people the problem with it, if they do not have previous experience with objects. It makes a big learning curve increase.
On your 'Write-Host' test on your Set-ADUser command, you see "System.Collections.DictionaryEntry" because that is telling you what object is there. You're creating dictionary objects, so it's not going to automatically write out the contents of the dictionary.
-
RE: Virtual team ideas?
I've been on a couple different remote teams in my career, each with a different expectation for collaboration.
A continuous chat group can be helpful depending on the culture. Sometimes all it takes is for your manager to be in the chat and then it's a dead chat.
Weekly vs. daily stand-ups: I definitely prefer daily. A week can be a long time.
What I think is most effective for building a virtual team together is having different people pairing off to help another or to tackle a task together while on a voice call/screen sharing. Chat doesn't always cut it when you're working, and you might have a very different experience with a co-worker when you're on a voice call than when communicating through chat or email.
-
RE: What's the status on DMARC?
Now that most email clients are pretty good at not just displaying the FROM field, it's probably not as important, but I still believe it is my duty to do everything I can to combat against the spoofing of my domain name.
-
RE: DMARC aggregate reports?
Yes, email providers will send you reports when they get emails from your domain.
You do not necessarily have to ever go from quarantine to reject; some mail providers, like O365, treat them the same. But you would want to wait for reports to come in to see if there might be stuff that might be failing that the business would want to go through.
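Added example, not part of flaxking's post: one way to read a DMARC aggregate report before tightening policy is to total, per source IP, the messages where neither aligned DKIM nor aligned SPF passed. The report below is constructed in the RFC 7489 aggregate layout; the domain, IP addresses and function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _row(ip, count, dkim, spf):
    # Helper that builds one constructed <record> for the sample below.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample in the RFC 7489 aggregate-report layout; not real report data.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _row("192.0.2.10", 120, "pass", "pass")    # both checks aligned
    + _row("198.51.100.7", 14, "fail", "pass")   # SPF-aligned only: still passes DMARC
    + _row("198.51.100.99", 40, "fail", "fail")  # unauthenticated, high volume
    + _row("203.0.113.5", 9, "fail", "fail")
    + _row("203.0.113.5", 3, "fail", "fail")     # same source, second row
    + "</feedback>"
)

def parse_report(report_xml):
    # Reports arrive from outside parties, so refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report")
    return ET.fromstring(report_xml)

def published_policy(report_xml):
    """Return the policy (none/quarantine/reject) the receiver saw published."""
    return parse_report(report_xml).findtext("policy_published/p")

def failing_sources(report_xml):
    """Map source IP -> message count where neither aligned DKIM nor SPF passed."""
    totals = defaultdict(int)
    for row in parse_report(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        if ev is None:
            continue  # malformed row: nothing to evaluate
        results = {(ev.findtext(tag) or "").strip().lower() for tag in ("dkim", "spf")}
        if "pass" not in results:  # DMARC passes if either aligned check passes
            ip = (row.findtext("source_ip") or "?").strip()
            totals[ip] += int(row.findtext("count") or 0)
    return dict(totals)

if __name__ == "__main__":
    print("published policy:", published_policy(SAMPLE_REPORT))
    for ip, n in sorted(failing_sources(SAMPLE_REPORT).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} messages failed DMARC")
```

Sources that show up here with steady volume are the ones to check with the business before moving the published policy off `none`.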