    • Powershell - Find GPO's for specific Group

      Goal - Find all GPO's that have "SomeGroupName" in Delegation Tab.

      (Very limited PowerShell scripting ability)
      Just starting to find the proper cmdlets to solve my problem.

      Based on what I have found so far, the logic would be something like:

      1. Ask what group to find
      2. Use Get-GPO to get all GPO's (an array I presume)
      3. Loop through GPO array and use Get-GPPermission to list trustees
      4. Filter Trustees in each GPO for "SomeGroupName" and save to 2nd array
      5. write out results from 2nd array.

      If anyone has better logic or a cmdlet that does this already, I am all ears.

      posted in Developer Discussion
      pmoncho
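
      The five steps in the post above, written out as an added example (not code from the original post). It assumes the GroupPolicy module from RSAT/GPMC and a domain-joined session; the function name `Find-GpoDelegation` and its output property names are hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example: the function name and output property names are hypothetical.
function Find-GpoDelegation {
    [CmdletBinding()]
    param(
        # Step 1: the group (trustee) to look for; PowerShell prompts when omitted.
        [Parameter(Mandatory)]
        [string]$GroupName
    )

    # Step 2: every GPO in the current domain.
    $gpos = Get-GPO -All

    # Steps 3-4: list all trustees on each GPO and keep the matching entries.
    $results = foreach ($gpo in $gpos) {
        try {
            $perms = Get-GPPermission -Guid $gpo.Id -All -ErrorAction Stop
        }
        catch {
            # A GPO the caller cannot read should not abort the whole audit.
            Write-Warning "Could not read permissions on '$($gpo.DisplayName)': $($_.Exception.Message)"
            continue
        }

        foreach ($perm in $perms) {
            # Trustee.Name is empty for SIDs that no longer resolve; those never match.
            if ($perm.Trustee.Name -eq $GroupName) {
                [pscustomobject]@{
                    GpoName    = $gpo.DisplayName
                    GpoId      = $gpo.Id
                    Trustee    = '{0}\{1}' -f $perm.Trustee.Domain, $perm.Trustee.Name
                    SidType    = $perm.Trustee.SidType
                    Permission = $perm.Permission
                    Inherited  = $perm.Inherited
                    Denied     = $perm.Denied
                }
            }
        }
    }

    # Step 5: hand back the matches, one row per GPO/permission pair.
    $results | Sort-Object GpoName
}

Find-GpoDelegation -GroupName 'SomeGroupName' | Format-Table -AutoSize
```

      The Permission column separates security filtering (`GpoApply`) from delegated edit rights (`GpoEdit`, `GpoEditDeleteModifySecurity`), which is the part worth reviewing when auditing who can change a GPO.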
    • RE: What Are You Doing Right Now

      @hobbit666 said in What Are You Doing Right Now:

      When securing SSH with Public/Private Keys, do I need to generate "Keys" for every person that will login?
      Or can we "Share" a common key.

      I'm locking down some Linux Servers over the next few weeks, they are all internal servers and not accessed remotely via the internet. I'm the main person that will log in via SSH mainly to run updates and change the odd config file, but I want to check if I need to give other users SSH access.

      You may want to create a post about this. It could make for a good conversation about SSH key usage in different situations.

      Plus, I have pondered the same type of question.

      posted in Water Closet
      pmoncho
    • RE: Bandwidth Issues

      @notverypunny said in Bandwidth Issues:

      @Dashrender said in Bandwidth Issues:

      Fortigate 101E (Tech was onsite yesterday and tested direct with their DEMARC, same results)

      Do you have a bunch of services turned on? Based on the spec sheet it looks like basic throughput is fine with your 1Gbps connection. Once you turn on services, throughput seems to drop drastically.

      posted in IT Discussion
      pmoncho
    • RE: Random Thread - Anything Goes

      @travisdh1 said in Random Thread - Anything Goes:

      @pmoncho said in Random Thread - Anything Goes:

      @travisdh1

      @travisdh1 said in Random Thread - Anything Goes:

      @pmoncho said in Random Thread - Anything Goes:

      @travisdh1 said in Random Thread - Anything Goes:

      @scottalanmiller said in Random Thread - Anything Goes:

      @wirestyle22 said in Random Thread - Anything Goes:

      @scottalanmiller white people also go to Perkins to die. That's why you see an ambulance outside of them all of the time

      OMG Perkins was awesome. I miss Perkins.

      We eat at the one in The Breakers at Cedar Point during the family vacation we started doing together every other memorial day.

      Also, I love roller coasters, so Cedar Point is my favorite amusement park I've been to.

      I'm a coaster fan also. Forced my wife daughter to go on ALL rides with me. She is becoming a coaster nut like I am. Went there twice in 2019.

      The second time was Halloweekend and boy do they do it up right. I hear it gets better every year so I cannot wait till Halloweekend 2020. Already bought a Gold pass for two visits this year.

      I can tell you that going the week of Memorial Day, there are very few people at the park. It's the first full week that they're open. I highly recommend getting there the first couple of weeks. After the schools let out for summer break, lines get stupid long.

      Good point. Fast Pass is nice too. I could just rotate between the Millennium Force, Valraven and GateKeeper all day long and I would be happy. My favorite is the Gatekeeper. The one coaster that gives you a sense of flying, especially if you lean your head forward so you cannot see your feet.

      I still haven't convinced anyone to ride the front seat of that with me 😞

      Bummer. I definitely would. Maybe someday we will be there at the same time.

      posted in Water Closet
      pmoncho
    • RE: Random Thread - Anything Goes

      @travisdh1

      @travisdh1 said in Random Thread - Anything Goes:

      @pmoncho said in Random Thread - Anything Goes:

      @travisdh1 said in Random Thread - Anything Goes:

      @scottalanmiller said in Random Thread - Anything Goes:

      @wirestyle22 said in Random Thread - Anything Goes:

      @scottalanmiller white people also go to Perkins to die. That's why you see an ambulance outside of them all of the time

      OMG Perkins was awesome. I miss Perkins.

      We eat at the one in The Breakers at Cedar Point during the family vacation we started doing together every other memorial day.

      Also, I love roller coasters, so Cedar Point is my favorite amusement park I've been to.

      I'm a coaster fan also. Forced my wife daughter to go on ALL rides with me. She is becoming a coaster nut like I am. Went there twice in 2019.

      The second time was Halloweekend and boy do they do it up right. I hear it gets better every year so I cannot wait till Halloweekend 2020. Already bought a Gold pass for two visits this year.

      I can tell you that going the week of Memorial Day, there are very few people at the park. It's the first full week that they're open. I highly recommend getting there the first couple of weeks. After the schools let out for summer break, lines get stupid long.

      Good point. Fast Pass is nice too. I could just rotate between the Millennium Force, Valraven and GateKeeper all day long and I would be happy. My favorite is the Gatekeeper. The one coaster that gives you a sense of flying, especially if you lean your head forward so you cannot see your feet.

      posted in Water Closet
      pmoncho
    • RE: Random Thread - Anything Goes

      @travisdh1 said in Random Thread - Anything Goes:

      @scottalanmiller said in Random Thread - Anything Goes:

      @wirestyle22 said in Random Thread - Anything Goes:

      @scottalanmiller white people also go to Perkins to die. That's why you see an ambulance outside of them all of the time

      OMG Perkins was awesome. I miss Perkins.

      We eat at the one in The Breakers at Cedar Point during the family vacation we started doing together every other memorial day.

      Also, I love roller coasters, so Cedar Point is my favorite amusement park I've been to.

      I'm a coaster fan also. Forced my wife daughter to go on ALL rides with me. She is becoming a coaster nut like I am. Went there twice in 2019.

      The second time was Halloweekend and boy do they do it up right. I hear it gets better every year so I cannot wait till Halloweekend 2020. Already bought a Gold pass for two visits this year.

      posted in Water Closet
      pmoncho
    • RE: Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server

      @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      @pmoncho said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.

      Question, if you want to target users why is your item-level target a computer name. Why not a Security Group with specific users?

      As a side note, normally, if I use loopback processing for specific settings, I put those servers in their own OU so as not to affect all servers.

      I want to apply it only to users logging into a specific computer. In this case, it is RD00.

      I would scrap the item-level targeting and just put the RD00 in a new sub-OU of your servers OU and link the GPO there. Then you have no worries about it hitting other systems. Other than this, I don't have a clue what would be stopping it.

      posted in IT Discussion
      pmoncho
    • RE: What Are You Doing Right Now

      @hobbit666 said in What Are You Doing Right Now:

      @hobbit666 said in What Are You Doing Right Now:

      Keeping an eye on the roads for work. Lots of closed roads due to flooding.

      Should be ok if it doesn't rain much until the morning

      My god Facebook doesn't make this easy. Looking at a group that's updates on road closures and accident etc but when I'm looking few posts are from 12hrs ago, the next 1hr ago then 15hrs ago, then 5 mins ago then back to 3hrs ago.......come on Facebook I need up-to-date info 😁🙈

      Much like twitter. All depends on the time of "replies" is my guess.

      posted in Water Closet
      pmoncho
    • RE: Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server

      @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      Still in the same boat. It only applies the setting when linked to the OU of the user and have a user or group specified in the security filtering, but it applies it to all systems, not just the RDS server.

      Question, if you want to target users why is your item-level target a computer name. Why not a Security Group with specific users?

      As a side note, normally, if I use loopback processing for specific settings, I put those servers in their own OU so as not to affect all servers.

      posted in IT Discussion
      pmoncho
    • RE: Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server

      @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      @dbeato said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      @wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

      I ran into an issue with Adobe Reader preventing users on my RDS server from printing PDFs that is solved by disabling protected mode.

      I created a GPO with a User configuration GPP update for the corresponding DWORD value. The only way I have gotten it to work, is if I apply the GPO to the OU that contains the AD user object and have the Security filtering set to a group of users or a single user. I have tried item-level targeting to only apply to the RDS server, but it applies to any system that the user logs into.

      I also tried the opposite- Linking the GPO to the server OU and setting the Security Filtering to only the computer account for the RDS server and item-level targeting to a specific group of AD users. This didn't do anything.

      How can I set it to update HKCU only for users on the RDS server?

      You can do an item-level target based on the RDS server instead as well.
      https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v%3Dws.11)

      Tried this already (sans loopback) but didn't work.

      You mentioned that you have a server OU. Do you have your RDS servers in their own OU?

      Is loopback mode setup for replace or merge? (if merge, then another GPO somewhere else could be creating issues.)

      You setup a test. If RDS servers are in own OU, loopback in replace mode, then just set one policy (other than loopback) and check the registry for the one user to see if the change had been made

      posted in IT Discussion
      pmoncho
    • RE: Windows NLA service on 2016/2019 DCs

      Interesting. I have had one 2012R2 and two 2019 DC's for a year now and have not had this issue at all. Will definitely keep an eye out for it now.

      Since others here have seen it, what immediate resolution have others used to temporarily fix it?

      posted in IT Discussion
      pmoncho
    • RE: 3rd party spam filter solution pricing

      @JaredBusch said in 3rd party spam filter solution pricing:

      Site currently has ~30 users

      So the 50 user minimum is out.

      Did some research. Barracuda ESS (email security service) allows 30 user count (unlimited Aliases). Service + ATP is roughly $1.4 a user with 3 year service.

      posted in IT Discussion
      pmoncho
    • RE: 3rd party spam filter solution pricing

      @Dashrender said in 3rd party spam filter solution pricing:

      @pmoncho said in 3rd party spam filter solution pricing:

      @JaredBusch said in 3rd party spam filter solution pricing:

      I need some generic pricing for spam filtering solutions. Assuming an on-premises exchange server.

      I used to use Postini at $1/user/month, but they are long gone.

      What other solutions do you all know about and at what price point?

      I use Barracuda Email Security Service.

      I don't have the exact pricing at the moment but it was like $1.2-$1.5 per user. If you do the three years you get roughly a 15% discount. I added the ATP on top so all attachments are pre-scanned.

      The only issue is, I believe they have a 50 user minimum. I do like that they include encrypted email in the pricing.

      Edit: - Encrypted email works like Zix mail.

      That price seems impossible if it includes Zix. The last time I priced Zix it was $4/u/m just for Zix and nothing else - of course, bundles can do anything they want.

      It works like Zix. Barracuda stores the email and then sends out email to recipient who creates an account on barracuda to read the email. That was all I meant.

      It won't have many of the features but for basic encrypted email, it has worked perfectly for us.

      posted in IT Discussion
      pmoncho
    • RE: 3rd party spam filter solution pricing

      @JaredBusch said in 3rd party spam filter solution pricing:

      I need some generic pricing for spam filtering solutions. Assuming an on-premises exchange server.

      I used to use Postini at $1/user/month, but they are long gone.

      What other solutions do you all know about and at what price point?

      I use Barracuda Email Security Service.

      I don't have the exact pricing at the moment but it was like $1.2-$1.5 per user. If you do the three years you get roughly a 15% discount. I added the ATP on top so all attachments are pre-scanned.

      The only issue is, I believe they have a 50 user minimum. I do like that they include encrypted email in the pricing.

      Edit: - Encrypted email works like Zix mail.

      posted in IT Discussion
      pmoncho
    • RE: New VM keeps turning off

      @G-I-Jones said in New VM keeps turning off:

      @black3dynamite said in New VM keeps turning off:

      UEFI or BIOS VM?
      If UEFI, is secure boot enabled?

      UEFI, Secure Boot is Disabled

      You may want to go into (on the guest) System Properties -> Advanced Tab -> Startup and Recovery -> Uncheck "Automatically Restart"

      That way if you get BSOD, you can see it on the screen.

      Then look for the memory dump like @EddieJennings stated. Then use program @DustinB3403 mentioned to figure out WTH is going on.

      If you don't know if it is the whole host, whip up a linux machine real quick and let it run. If the Exchange server halts, see if you can still access the linux machine. Just an option.

      posted in IT Discussion
      pmoncho
    • RE: What Are You Doing Right Now

      @DustinB3403 said in What Are You Doing Right Now:

      @DustinB3403 said in What Are You Doing Right Now:

      Dealing with a website that was deployed on CentOS 7 and compatibility issues. Good thing it's not "live" yet so I might just force it to be re-deployed on a current OS, like CentOS 8 or Fedora Server.

      Yay I won that argument easily!!

      Excellent. IT don't get those often.

      posted in Water Closet
      pmoncho
    • RE: Looking to create a 20TB RAID5 volume with SSD drives in an R720

      @dave247 said in Looking to create a 20TB RAID5 volume with SSD drives in an R720:

      @DustinB3403 said in Looking to create a 20TB RAID5 volume with SSD drives in an R720:

      In terms of hardware vendors Xbyte is great and I would absolutely look at them for your chassis and or storage.

      If you can't afford the enterprise storage you could look at the business class Samsung SSDs which'll likely come in under the dell branded drives etc.

      Yeah I always look at xbyte if I can, I just don't know 100% if it really matters what drive I buy for what server - and what I mean by that is on xbyte if I select my server model (R720) for hard drives, there seems to be a limited selection and not very many high capacity SSDs. However, if I just search xbyte for "4TB or 3.4TB SSD", I come up with a lot of results.

      You may want to shoot an email or call your Xbyte contact. I noticed that you can get different drives when ordering a R720 server vs their "Parts and Accessories" section.

      If you only need 5000-15000 IOP's per drive and write less than 3.8 TB per day, then the 3.84TB RI 12GB SAS PM1633a should be more than enough for 5+ years.

      posted in IT Discussion
      pmoncho
    • RE: Adding LDAP role to domain controller

      With regards to switching to LDAPS, anyone out there with Nextcloud, Bookstack, Zimbra, other linux apps that use LDAP for logins from a Windows domain?

      Just wondering what others have planned?

      posted in IT Discussion
      pmoncho
    • RE: Adding LDAP role to domain controller

      @JaredBusch said in Adding LDAP role to domain controller:

      @dbeato said in Adding LDAP role to domain controller:

      @pmoncho said in Adding LDAP role to domain controller:

      @dave247 said in Adding LDAP role to domain controller:

      @pmoncho said in Adding LDAP role to domain controller:

      @dbeato said in Adding LDAP role to domain controller:

      @Fredtx said in Adding LDAP role to domain controller:

      @dbeato So what effect will this new Windows update have in March 2020 if it's installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

      The LDAP connection between the SSL VPN and your AD Server is the one affected.

      In this instance, the SSL-VPN (with AD connection) would need LDAPS set up, which, at minimum, would require an internal Windows CA to be set up, correct?

      Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert

      Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong or if there is a way around this.

      I am not looking forward to creating my own internal CA but I will if needed.

      You are correct. internal CA should not be complicated.

      And I believe someone posted about that here a couple years ago.

      Thanks. I will do some searching.

      posted in IT Discussion
      pmoncho
    • RE: Adding LDAP role to domain controller

      @dave247 said in Adding LDAP role to domain controller:

      @pmoncho said in Adding LDAP role to domain controller:

      @dbeato said in Adding LDAP role to domain controller:

      @Fredtx said in Adding LDAP role to domain controller:

      @dbeato So what effect will this new Windows update have in March 2020 if it's installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

      The LDAP connection between the SSL VPN and your AD Server is the one affected.

      In this instance, the SSL-VPN (with AD connection) would need LDAPS set up, which, at minimum, would require an internal Windows CA to be set up, correct?

      Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert

      Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong or if there is a way around this.

      I am not looking forward to creating my own internal CA but I will if needed.

      posted in IT Discussion
      pmoncho