[powershell] RE: [PowerShell] RE: Server 2008 R2

2016-05-04 Thread Kennedy, Jim
AppLocker might be the better choice here if you have enterprise licensing.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 4, 2016 2:01 PM
To: 'powersh...@lists.myitforum.com'
Subject: [powershell] RE: [PowerShell] RE: Server 2008 R2

Not sure how fast ransomware encrypts files as it circles through a share 
either. The last time we were hit we were still restoring files 1 week later.

Todd Lemmiksoo
225-237-1836

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Wednesday, May 4, 2016 12:39 PM
To: 'powersh...@lists.myitforum.com'
Subject: [powershell] RE: [PowerShell] RE: Server 2008 R2

What about disabling the account, then hitting the logged-in computer and issuing 
shutdown -s -f -t 00 with psexec? You would have to find the logged-on 
computer; I have a logon script that records that…could grep that I suppose.

But that said, can you do this fast enough? I am just asking, dunno how fast it 
happens once it starts.


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 4, 2016 1:24 PM
To: 'powersh...@lists.myitforum.com'
Subject: [powershell] RE: [PowerShell] RE: Server 2008 R2

I really appreciate all of the suggestions y'all have provided. Thank you.
Not sure that I can get it working as we still have “Everyone” in the 
permissions on our file server. Last year management was not interested in 
allocating time to fix that.

Todd Lemmiksoo
225-237-1836


[powershell] RE: [PowerShell] RE: Server 2008 R2

2016-05-04 Thread Kennedy, Jim
What about disabling the account, then hitting the logged-in computer and issuing 
shutdown -s -f -t 00 with psexec? You would have to find the logged-on 
computer; I have a logon script that records that…could grep that I suppose.

But that said, can you do this fast enough? I am just asking, dunno how fast it 
happens once it starts.



RE: [powershell] RE: Server 2008 R2

2016-05-04 Thread Kennedy, Jim
Group membership is included in the user's Kerberos TGT, so they will still have 
that when they hit the share.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Devin Rich
Sent: Wednesday, May 4, 2016 12:58 PM
To: powersh...@lists.myitforum.com
Subject: Re: [powershell] RE: Server 2008 R2

An alternative idea. If you determine that a user account is running 
ransomware, make your script immediately take note of all groups that the user 
is in and then remove them from all groups.

Every share where that user is a part of a group that has access will stop 
accepting read or write requests (assuming no "everyone" access). Any share 
where that user has explicit permissions won't be affected however. In our 
company, almost no one has any personal preferences set, so this would work 
just fine for us. Might not work at all for you.

Thanks,

Devin Rich
Systems Administrator

On Wed, May 4, 2016 at 10:25 AM, Wolf, Daniel wrote:
Unfortunately the way authentication works, disabling an account only works 
once the Kerberos ticket is refreshed, which will likely be hours. The account 
must be disabled and the computer rebooted/signed off for it to prevent access.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 4, 2016 10:40 AM
To: 'powersh...@lists.myitforum.com'
Subject: [powershell] RE: Server 2008 R2

What I am trying to do is lock the user's AD account if they have been 
infected with ransomware and are encrypting files on our Windows Server 2008R2 
file server. I have set up FSRM to monitor a “Honeypot share and file” for 
changes. The idea being to lock the user account so the ransomware cannot 
encrypt files on the file server.

Todd Lemmiksoo
225-237-1836

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Wednesday, May 4, 2016 10:19 AM
To: powersh...@lists.myitforum.com
Subject: [powershell] RE: Server 2008 R2

Down-level operating system environments often don’t have the same WMI/CIM 
plumbing as newer operating system environments.

Prior to the SmbShare module, I would use the “net share” command in PowerShell 
and wrap it so it looked like native PowerShell.

You can also use the Wscript.Network object – it works just as well in 
PowerShell as it does in VBScript.

I don’t know exactly what you are trying to do, so I can only give this general 
advice.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 4, 2016 10:20 AM
To: 'powersh...@lists.myitforum.com'
Subject: [powershell] RE: Server 2008 R2

I copied the modules\smbshare folder to the 2008R2 server and now get “Invalid 
namespace” error.

Will try the WMI command.
Still get the invalid namespace error.

Todd Lemmiksoo
225-237-1836

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kelley, Matthew
Sent: Wednesday, May 4, 2016 8:53 AM
To: powersh...@lists.myitforum.com
Subject: [powershell] RE: Server 2008 R2

I would try to copy the folder over and see if it works, or just read through 
the script and see if you can pull out the part you need.

C:\Windows\System32\WindowsPowerShell\v1.0\Modules\SmbShare

I opened up the cmdlet definition. It is querying this WMI namespace/class:

gwmi -Namespace "ROOT/Microsoft/Windows/SMB" -Class msft_smbshare | select *

Maybe you can just use that somehow to get what you need?

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 04, 2016 9:38 AM
To: powersh...@lists.myitforum.com
Subject: [powershell] Server 2008 R2

I am trying to run a script that has “Get-SmbShare” in it. Is this command not 
available on Server 2008 R2?
I have upgraded the PowerShell version on the server to ver 5.

Todd Lemmiksoo
System Engineer
225-237-1836

General Health System IS
8490 Picardy Ave Suite 500B
Baton Rouge, LA  70809

Confidentiality Notice: This email and its attachments may contain privileged 
and confidential information and/or protected health information (PHI) intended 
solely for the use of the recipient(s) named above. If you are not the 
recipient, or the employee or agent responsible for delivering this message to 
the intended recipient, you are hereby 
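
An added example (not code from anyone in the thread): on Server 2008 R2 the ROOT/Microsoft/Windows/SMB namespace behind Get-SmbShare does not exist, but Win32_Share in root\cimv2 does. The sketch below lists disk shares that way and flags share-level ACLs that grant Everyone, the condition raised in the thread as defeating group removal; the function name Get-LegacyShare and the output property names are assumptions.

```powershell
# Added example: share inventory for Server 2008 R2 without the SmbShare module.
# Get-LegacyShare is a hypothetical name. Win32_Share and
# Win32_LogicalShareSecuritySetting are standard classes in root\cimv2.
function Get-LegacyShare {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $everyoneSid = 'S-1-1-0'                     # well-known SID for Everyone
    $writeBits   = 0x2 -bor 0x4 -bor 0x10000     # FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE

    # Type = 0 selects ordinary disk shares; C$, ADMIN$ and IPC$ carry other type values.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName -Filter 'Type = 0'

    foreach ($share in $shares) {
        $aces    = @()
        $aclRead = $false

        # Share-level permissions; WQL string literals escape a quote with a backslash.
        $filter  = "Name = '{0}'" -f $share.Name.Replace("'", "\'")
        $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                       -ComputerName $ComputerName -Filter $filter
        if ($setting) {
            $result = $setting.GetSecurityDescriptor()
            if ($result.ReturnValue -eq 0) {
                $aclRead = $true
                $aces = @($result.Descriptor.DACL | Where-Object { $_ })
            }
        }

        # Allow ACEs (AceType 0) granted to Everyone, and whether any of them permits writes.
        $everyoneAces = @($aces | Where-Object {
            $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $everyoneSid })
        $canWrite = @($everyoneAces | Where-Object { $_.AccessMask -band $writeBits }).Count -gt 0

        New-Object PSObject -Property @{
            Name             = $share.Name
            Path             = $share.Path
            AclRead          = $aclRead          # $false: no descriptor returned, result unknown
            EveryoneAllowed  = $everyoneAces.Count -gt 0
            EveryoneCanWrite = $canWrite
        }
    }
}

# Shares where removing a user's group memberships would not cut off access.
Get-LegacyShare | Where-Object { $_.EveryoneAllowed } |
    Select-Object Name, Path, EveryoneCanWrite
```

It reads share permissions only; NTFS ACLs on the underlying folders need a separate check.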

RE: [NTSysADM] RE: Password expiring debate on patch management

2016-04-29 Thread Kennedy, Jim
competitor are up for same contracts
  4.  Old admin remotes into company to look at emails and presentation 
materials
  5.  Competitor starts taking business from company by usurping sales pitches 
in very specific ways
  6.  I get hired 2+ years after old admin in question
  7.  I review remote logs to establish behavioral patterns
  8.  I see odd logon behavior and trace repetitive IPs
  9.  I trace IPs to competitor as well as old admin specifically



I am Jack's complete lack of surprise when management doesn't change their 
password and uses the same passwords for many things.






--
Espi





On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:



"Even six months is far better than never"



Why?





From: listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on 
behalf of Dave Lum [l...@ochin.org]
Sent: Monday, April 25, 2016 6:58 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Password expiring debate on patch management

Anyone see the debate on the Patch management list, driven by this: 
https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry



I don’t even know how it’s a debate other than the desired frequency (no 
one-size-fits-all on that IMO). Even six months is far better than never. With 
expiring passwords you at bare minimum mitigate employees that leave.



David Lum

Systems Administrator III
P: 503.943.2500
E: l...@ochin.org
A: 1881 SW Naito Parkway, Portland, OR 97201


Attention: Information contained in this message and or attachments is intended 
only for the recipient(s) named above and may contain confidential and or 
privileged material that is protected under State or Federal law. If you are 
not the intended recipient, any disclosure, copying, distribution or action 
taken on it is prohibited. If you believe you have received this email in 
error, please contact the sender with a copy to complia...@ochin.org, delete 
this email and 
destroy all copies.




RE: [NTSysADM] Vipre

2016-04-29 Thread Kennedy, Jim
Interesting, I have been a longtime Email Archiver user first with you and 
continuing on with GFI.  We go back to 2007 or 8.  So far that product has 
survived the transition very well.   Good updates and good support.

Maybe that team survived the transition.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Alexander Eckelberry
Sent: Wednesday, April 27, 2016 12:20 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Vipre


As the former CEO of Sunbelt Software (now ThreatTrack Security) and the person 
originally responsible for VIPRE and all of the other Sunbelt Software products 
(with Stu Sjouwerman having started the distribution side of Sunbelt), I can 
only apologize for what has happened to the product. I have had many friends 
(and family members) with similar stories.  It is painful.



I left 4 years ago. The original team and malware lab at ThreatTrack is 
essentially gone.



VIPRE is now reportedly using the BitDefender engine.



Most of the original VIPRE team is now at Malwarebytes.  A few people are at 
KnowBe4 (Stu's new company).



I am now on the board of Malwarebytes and personally use and recommend their 
product, which is moving to a full enterprise endpoint solution. I'm also on 
the board of Knowbe4.



Both Knowbe4 and Malwarebytes have the original spirit of Sunbelt, of which we 
were so proud.



Perhaps one day I'll tell the full story.



So yeah, I'm bummed to hear this as well.





Alex Eckelberry


From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Mike Sullivan
Sent: Friday, April 22, 2016 2:37 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Vipre

We switched from VIPRE to Bitdefender about 1.5 years ago. Much better 
experience!

On Tue, Apr 19, 2016 at 10:38 AM, Mark Gottschalk wrote:
Trend Micro Officescan.  Device control, web reputation, behavior monitoring, 
new ransomware process blocking as well as document protection against 
unauthorized encryption, etc.   Been happy for quite a few years.

-- Mark





From: Gavin Wilby
To: "'ntsys...@lists.myitforum.com'"
Date: 04/19/2016 01:16 AM
Subject: RE: [NTSysADM] Vipre




I used to, but I have seen this allow a few things through that it really 
shouldn’t have done.

We are back on SEPM here, works just fine. The device and access control is an 
added bonus too.

Gavin Wilby
IT Support Engineer


-Original Message-
From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: 18 April 2016 18:29
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Vipre

I've been recommending Kaspersky for a couple of years now.

-Original Message-
From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Monday, April 18, 2016 10:20 AM
To: ntsysadm
Subject: Re: [NTSysADM] Vipre
That's sad.

We migrated from them to ESET a few months ago. ESET functions fine, but man is 
their console not intuitive - way more complex and difficult to navigate than 
VIPRE.

Kurt

On Mon, Apr 18, 2016 at 8:45 AM, Webster wrote:
> Man Vipre support sure has gone downhill. Wishing I had not bought a
> lifetime license. Product keeps crashing my Outlook. I followed their
> support article, uninstall everything, deleted all the Outlook files
> from my profile, reinstalled Outlook, reinstalled Vipre and boom
> crash. I contact support and they tell me to do all that again. I tell
> them no way, I have 6 main Office 365 email accounts and I am not going 
> through all that again.
>
>
>
> Sheez
>
>
>
>
>
> Webster

SMP Partners Limited, SMP Trustees Limited and SMP Fund Services Limited are 
licensed by the Isle of Man Financial Services Authority. SMP Accounting & Tax 
Limited is a member of the ICAEW Practice Assurance Scheme.

SMP Partners Limited registered in the Isle of Man, Company Registration No: 
000908V
Directors: M.W. Denton, M.J. Derbyshire, S.E McGowan, O. Peck, J.J. Scott, S.J. 
Turner

SMP Trustees Limited registered in the Isle of Man, Company Registration No: 
068396C
Directors: A.C. Baggesen, J.M. Cubbon, M.W. Denton, K.M. Goldie, O Peck, J. 
Watterson

SMP Fund Services Limited registered in the Isle of Man, Company Registration 
No: 120288C
Directors: V. Campbell, R.K. Corkill, M.W. Denton, D.A. Manser, 

RE: [NTSysADM] RE: Password expiring debate on patch management

2016-04-28 Thread Kennedy, Jim
nies that do business with their former employers? Never 
>>> happens right?). Maybe my PC at the HVAC place get compromised and 
>>> since Target never disabled my account and I use the same password 
>>> at %newjob% as I did %oldjob%, a simple hop over VPN now leverages 
>>> the access I had at Target…
>>>
>>>
>>>
>>> Except what actually happened with Target was more *harder* than 
>>> what I described above.
>>>
>>>
>>>
>>> IMO any place that doesn’t require a password expiration of any kind 
>>> is likely (exceptions to this, sure) the same place that doesn’t 
>>> have a process for disabling all the access former employees have.
>>>
>>>
>>>
>>> Dave
>>>
>>>
>>>
>>> From: listsadmin@lists.myitforum.com 
>>> [mailto:listsadmin@lists.myitforum.com] On Behalf Of Micheal 
>>> Espinola Jr
>>> Sent: Tuesday, April 26, 2016 6:31 PM
>>> To: ntsys...@lists.myitforum.com
>>> Subject: Re: [NTSysADM] RE: Password expiring debate on patch 
>>> management
>>>
>>>
>>>
>>> 1. Old admin knows many management passwords
>>> 2. Old admin goes to work for competitor
>>> 3. Company and competitor are up for same contracts
>>> 4. Old admin remotes into company to look at emails and presentation materials
>>> 5. Competitor starts taking business from company by usurping sales pitches in very specific ways
>>> 6. I get hired 2+ years after old admin in question
>>> 7. I review remote logs to establish behavioral patterns
>>> 8. I see odd logon behavior and trace repetitive IPs
>>> 9. I trace IPs to competitor as well as old admin specifically
>>>
>>>
>>>
>>> I am Jack's complete lack of surprise when management doesn't change 
>>> their password and uses the same passwords for many things.
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Espi
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim 
>>> <kennedy...@elyriaschools.org> wrote:
>>>
>>>
>>>
>>> "Even six months is far better than never"
>>>
>>>
>>>
>>> Why?
>>>
>>>
>>>
>>> 
>>>
>>> From: listsadmin@lists.myitforum.com 
>>> [listsadmin@lists.myitforum.com] on behalf of Dave Lum 
>>> [l...@ochin.org]
>>> Sent: Monday, April 25, 2016 6:58 PM
>>> To: ntsys...@lists.myitforum.com
>>> Subject: [NTSysADM] Password expiring debate on patch management
>>>
>>> Anyone see the debate on the Patch management list, driven by this:
>>> https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry
>>>
>>>
>>>
>>> I don’t even know how it’s a debate other than the desired frequency 
>>> (no one-size-fits-all on that IMO). Even six months is far better than 
>>> never.
>>> With expiring passwords you at bare minimum mitigate employees that leave.
>>>
>>>
>>>
>>> David Lum
>>>
>>> Systems Administrator III
>>> P: 503.943.2500
>>> E: l...@ochin.org
>>> A: 1881 SW Naito Parkway, Portland, OR 97201
>>>

RE: [NTSysADM] Password expiring debate on patch management

2016-04-27 Thread Kennedy, Jim
FYI it’s moderated..so there is a tiny delay before your posts show up.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Tuesday, April 26, 2016 9:06 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Password expiring debate on patch management

That was a little bit too easy.

(Thanks!)

On Tue, Apr 26, 2016 at 8:49 PM, Susan Bradley wrote:
http://www.patchmanagement.org/

Go there and sign up.


On 4/26/2016 5:31 PM, Richard Stovall wrote:


How does one subscribe to the fabled patch management list?



On Tue, Apr 26, 2016 at 7:59 PM, Andrew S. Baker wrote:

From the article:

>>For instance, we recommend using system monitoring tools that
present users with information about the last login attempt, so
they can see if they’re responsible for failed login attempts.<<

Do they really believe that if users are inconvenienced by
password changes every 30 or 60 or 90 days, that they'll actually
bother to match up their activities with information that
indicates last login of the system?

The fact that they could not point to an improved security posture
by their new stance indicates its weakness.  Let's see if they
feel the same way about it in 5 or 6 months.

The fact is, we are at a good point in computing history to go
with changing passwords, since so many online services are doing
it.  Back when people only had an eternal bankcard pin and a
changing corporate password, it would be easy to see how the
changing password would be a huge annoyance.

Today?  Let's see how many users feel that identity theft is a
worthwhile trade-off for password changing convenience, after they
experience the former.

If user convenience is the paramount consideration for information
security, then it's hard to see what other authentication and
authorization options will be deemed acceptable.
-- Two-factor?  Inconvenient.
-- Digital certificates? Inconvenient.

Reducing the scope of exposure is the primary purpose of changing
passwords.

>>The new password may have been used elsewhere, and attackers
can exploit this too.<<

A. Pure Speculation.
B. There's nothing to prevent the current password from being used
somewhere else, too.  Frankly, if the next password a user selects
is used somewhere else, then there is an equal chance that they
will use their current password on the next service that they sign
up for. They are just employing poor password hygiene and they are
not only going to do so if the corporate password changes.


>>The new password is also more likely to be written down, which
represents another vulnerability.<<

>>New passwords are also more likely to be forgotten, and this
carries the productivity costs of users being locked out of their
accounts, and service desks having to reset passwords.<<

Providing Expert Technology Consulting Services for the SMB market…

GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A



On Mon, Apr 25, 2016 at 6:56 PM, Dave Lum wrote:

Anyone see the debate on the Patch management list, driven by
this:

https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

I don’t even know how it’s a debate other than the desired
frequency (no one-size-fits-all on that IMO). Even six months
is far better than never. With expiring passwords you at bare
minimum mitigate employees that leave.

David Lum
Systems Administrator III
P: 503.943.2500
E: l...@ochin.org
A: 1881 SW Naito Parkway, Portland, OR 97201



RE: [NTSysADM] RE: Password expiring debate on patch management

2016-04-25 Thread Kennedy, Jim
My view is what it protects you against is the dual use of a password and the 
other org giving up the hash.  So Bob uses the same password at my org as he 
used at Ashley Madison.  They cough up the hash, the bad guys start to reverse 
it. It becomes a race, will they reverse it before Bob's PW expires in my org.  
More than 12 characters I would probably win, less than that probably not.

And of course the bad guys have to make the connection that Bob at Ashley is 
Bob at my org. And that is where I start to feel it just isn't worth it.

I guess what gets lost in this debate is what you bring up.  How solid are your 
other controls, as you mention admin rights, applocker, patching, very solid 
web filtering, EMET and active intrusion detection.  I strongly believe that we 
are in a really good place on the important items.  We actually have agents on 
every box in the org phoning to a 24/7 monitored NOC watching for things in 
amazing detail.

It's all relative to your overall posture I guess.

I answered you on your 2FA comment in more detail.   Short version passwords 
are broke, they are not very mitigatable.


From: listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on behalf 
of Kurt Buff [kurt.b...@gmail.com]
Sent: Monday, April 25, 2016 8:54 PM
To: ntsysadm
Subject: Re: [NTSysADM] RE: Password expiring debate on patch management

At the very least exfiltration - with long enough passwords, it helps mitigate 
that.

Of course, you should have other measures in place, such as no administrative 
access for users, whitelisting of software, etc.

As I stated on the other list, not requiring passwords to expire isn't an 
argument against passwords (complex/long or not), it's an argument for 2fa, 
which might, or might not, be feasible for a given situation.

Kurt

On Mon, Apr 25, 2016 at 4:27 PM, Kennedy, Jim 
<kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>> wrote:

"Even six months is far better than never"

Why?


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>] on 
behalf of Dave Lum [l...@ochin.org<mailto:l...@ochin.org>]
Sent: Monday, April 25, 2016 6:58 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Password expiring debate on patch management

Anyone see the debate on the Patch management list, driven by this: 
https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

I don’t even know how it’s a debate other than the desired frequency (no 
one-size-fits-all on that IMO). Even six months is far better than never. With 
expiring passwords you at bare minimum mitigate employees that leave.

David Lum
Systems Administrator III
P: 503.943.2500
E: l...@ochin.org<mailto:l...@ochin.org>
A: 1881 SW Naito Parkway, Portland, OR 97201

www.ochin.org<https://www.ochin.org/>




[NTSysADM] RE: Password expiring debate on patch management

2016-04-25 Thread Kennedy, Jim

"Even six months is far better than never"

Why?


From: listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on behalf 
of Dave Lum [l...@ochin.org]
Sent: Monday, April 25, 2016 6:58 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Password expiring debate on patch management

Anyone see the debate on the Patch management list, driven by this: 
https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

I don’t even know how it’s a debate other than the desired frequency (no 
one-size-fits-all on that IMO). Even six months is far better than never. With 
expiring passwords you at bare minimum mitigate employees that leave.

David Lum
Systems Administrator III
P: 503.943.2500
E: l...@ochin.org
A: 1881 SW Naito Parkway, Portland, OR 97201

www.ochin.org



RE: [NTSysADM] VMware Training In-Classroom

2016-04-14 Thread Kennedy, Jim
I have used New Horizons long ago, same good experience.  Recently I have used 
Global Knowledge with good luck.  I use their satellite system, you call into 
the class and screen share.  Saves money and works just as well, imho.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Thursday, April 14, 2016 1:16 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] VMware Training In-Classroom

My class was with New Horizons as well.
VMWare material as well.
Very informative instructor and 6 months of ‘what’s this’ and ‘what does this 
do’ really helps when you get back to work.


From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Thursday, April 14, 2016 1:03 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] VMware Training In-Classroom

I took the vSphere admin class through New Horizons last fall and was very 
pleased.  I don’t know if they all do but they were using materials straight 
from VMware so the real difference would likely be the instructor.  My class 
was actually a live web session but that seems to be pretty much the norm 
lately.  I was very pleased with the class and the instructor.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Charles F Sullivan
Sent: Thursday, April 14, 2016 11:24 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] VMware Training In-Classroom

I guess this seems like the best possible time to start a conversation, given 
the deafening silence before Jonathan’s wakeup call……

Has anyone had experience with formal VMware training? My management wants me 
to become more involved in the day-to-day operations of our VMware environment 
and I’ve been asked to find something suitable to increase my skills. I haven’t 
spent a huge amount of time in classrooms during my IT career, but I’ve done it 
enough to know that the quality of training is all over the spectrum, and I 
would really hate to come out not knowing much more than I do now.

If not VMware training specifically, I would be interested in hearing which 
training companies to avoid, as I think someone who has tried several of them 
may have a good general perspective.

Thanks.

Charlie Sullivan
Sr. Windows Systems Administrator


This e-mail and any files transmitted with it are property of Indiana Members 
Credit Union, are confidential, and are intended solely for the use of the 
individual or entity to whom this e-mail is addressed. If you are not one of 
the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender and delete this 
message immediately from your computer. Any other use, retention, 
dissemination, forwarding, printing, or copying of this email is strictly 
prohibited.


Please consider the environment before printing this email.


[NTSysADM] OT Derbycon CFP

2016-04-11 Thread Kennedy, Jim
https://www.derbycon.com


Derbycon CFP is open. They really are focusing on Blue Team talks, so go for 
it.  If I can do it successfully and be a hit, you certainly can.  And let me 
know you did and I will put the word in for you. Hotel blocks and tickets are 
open.  If you get shut out for a ticket ping me off list and I will get you 
hooked up and do not delay on a hotel room.  Everything will sell out.


[NTSysADM] RE: Win 10 version check.

2016-04-05 Thread Kennedy, Jim
Got it, that was easy.  Tyvm sir.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Tuesday, April 5, 2016 10:54 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Win 10 version check.

It’s mainly edition-based, but the key is

The process to configure a PC for Current Branch for Business is simple. The 
Defer upgrades setting needs to be configured, either manually (through the 
Settings app), by using Group Policy, or by using mobile device management 
(MDM).

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: 05 April 2016 15:49
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Win 10 version check.

Google is failing me, how do I check a box to see if CB or CBB is installed?


[NTSysADM] Win 10 version check.

2016-04-05 Thread Kennedy, Jim
Google is failing me, how do I check a box to see if CB or CBB is installed?


[NTSysADM] RE: Help a AD Sites Noob out. SOLVED

2016-03-29 Thread Kennedy, Jim
So using the catch all this went very well. If you plan ahead a little your 
biggest group of servers and desktops can be left in your catch all site.

Things I learned:

Go slow, that was unquestionably what went wrong the first time I did it.

DNS will need some help, it just doesn’t clean up quick enough on its own. I 
needed to delete a few SRV entries after moving DC’s to their new sites. They 
created their new entries just fine.

Clients will take a bit to figure out they are in a new site. They actually 
store their current site in the registry.  
HKLM\software\microsoft\windows\currentversion\group policy\State\Machine\Site-Name

Windows 10 does not like changes to its Site at all. Just taking a DC out of 
the site if it was using it can make it go wonky. Temp profiles, long logon’s.  
 It takes a few reboots for it to calm down.

DCDiag, repadmin /kcc  repadmin /syncall and Echo “%logonserver%” are your 
friends.

Restarting FRS after moving DC’s between sites is a good idea.


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Monday, March 21, 2016 4:21 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

This looks like a killer migration strategy Bonnie.  10.0.0.0/8 on my current 
primary site.  Then carve out a site and subnet at a time. And next week is 
spring break, I can test on a building that isn’t even in use.

“ When overlapping IP subnets exist in Active Directory, the IP subnet with the 
smallest matching subnet mask is used.”

https://technet.microsoft.com/en-us/magazine/2009.06.subnets.aspx



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Friday, March 18, 2016 10:14 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

We used to have to control a lot with ADS with a hub-and-spoke topology as 
well, and what you can do depends on whether your infrastructure can actually 
communicate fully with all of the available DCs, or if clients in some sites 
can’t actually talk to others due to filtering.  This looks pretty good at 
explaining some of it:
http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/

So, if your client machines can’t actually talk to all DCs, then you’ll need to 
create your own site links and not use the bridging.  If your clients CAN 
actually talk to all of the DCs, then you may be looking at some other 
underlying problem with AD replication, DNS, or even just timing of doing it 
all too quickly for the clients (including servers like Exchange) to get the 
updated information they need.  Exchange in particular uses the Microsoft 
Exchange Active Directory Topology Service to find DCs, so could just need a 
restart to get updated once the new site information is online—Someone else 
(MBS?) might have better info on that process.

If I was recreating sites right now, I would create the site, create the links, 
and move the DC object.  Then, wait for AD & DNS to fully replicate (and verify 
replication is working and srv records are showing up correctly) out before 
reassigning subnets, so that you know clients will be able to get their DC 
locator information from DNS correctly.  Of course at this point, just one site 
to start with, and watch for Auth services like Exchange as you go =)

-Bonnie

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 6:40 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

Had all of them in the same Default IP site link.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Coleman, Hunter
Sent: Friday, March 18, 2016 9:36 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

Did you create the site links?

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 7:11 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Help a AD Sites Noob out.

Never paid much attention to sites, but now I am going to.  I have 12 buildings 
with dedicated gig fiber back to one of them where the data center is housed.  
Not a lot of traffic, 10 to 15 percent tops. So never worked with sites to 
control replication or logon traffic.  But now I have a piece of software that 
is doing a fair number of GC lookups and it would seem that my desktops have 
decided over the years to all talk to one DC. There are DC’s in each of the 
five buildings, the 7 smaller ones do not have one.

There are currently two all-encompassing subnets, in one site with all

[NTSysADM] RE: Help a AD Sites Noob out.

2016-03-21 Thread Kennedy, Jim
This looks like a killer migration strategy Bonnie.  10.0.0.0/8 on my current 
primary site.  Then carve out a site and subnet at a time. And next week is 
spring break, I can test on a building that isn’t even in use.

“ When overlapping IP subnets exist in Active Directory, the IP subnet with the 
smallest matching subnet mask is used.”

https://technet.microsoft.com/en-us/magazine/2009.06.subnets.aspx



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Friday, March 18, 2016 10:14 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

We used to have to control a lot with ADS with a hub-and-spoke topology as 
well, and what you can do depends on whether your infrastructure can actually 
communicate fully with all of the available DCs, or if clients in some sites 
can’t actually talk to others due to filtering.  This looks pretty good at 
explaining some of it:
http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/

So, if your client machines can’t actually talk to all DCs, then you’ll need to 
create your own site links and not use the bridging.  If your clients CAN 
actually talk to all of the DCs, then you may be looking at some other 
underlying problem with AD replication, DNS, or even just timing of doing it 
all too quickly for the clients (including servers like Exchange) to get the 
updated information they need.  Exchange in particular uses the Microsoft 
Exchange Active Directory Topology Service to find DCs, so could just need a 
restart to get updated once the new site information is online—Someone else 
(MBS?) might have better info on that process.

If I was recreating sites right now, I would create the site, create the links, 
and move the DC object.  Then, wait for AD & DNS to fully replicate (and verify 
replication is working and srv records are showing up correctly) out before 
reassigning subnets, so that you know clients will be able to get their DC 
locator information from DNS correctly.  Of course at this point, just one site 
to start with, and watch for Auth services like Exchange as you go =)

-Bonnie

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 6:40 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

Had all of them in the same Default IP site link.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Coleman, Hunter
Sent: Friday, March 18, 2016 9:36 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

Did you create the site links?

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 7:11 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Help a AD Sites Noob out.

Never paid much attention to sites, but now I am going to.  I have 12 buildings 
with dedicated gig fiber back to one of them where the data center is housed.  
Not a lot of traffic, 10 to 15 percent tops. So never worked with sites to 
control replication or logon traffic.  But now I have a piece of software that 
is doing a fair number of GC lookups and it would seem that my desktops have 
decided over the years to all talk to one DC. There are DC’s in each of the 
five buildings, the 7 smaller ones do not have one.

There are currently two all-encompassing subnets, in one site with all the DC’s 
in that site.

So yesterday I decided to make sites. Put in all the subnets for all the 
buildings, and created 5 sites each with at least one DC, and put the 
appropriate subnet’s in those sites.

It went ugly really fast. Authentication broke enterprise wide, Exchange 
couldn’t auth and stopped working.  For the most part if it involved auth it 
broke.

Nuke the sites and subnets and moved it all back to two /16’s in one site and 
in about 30 minutes all was well.

What did I do wrong?


[NTSysADM] RE: Help a AD Sites Noob out.

2016-03-19 Thread Kennedy, Jim
No, no firewalls between the buildings and lans/subnets.  One big giant happy 
family.

During this I could ping the DC’s, I could RDP to them…..

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Friday, March 18, 2016 11:02 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

I can believe that your replication broke, but for authentication to have 
totally broken seems odd. If a client can’t find a DC to authenticate to in 
it’s local site, it should keep going outside of it’s site until it can contact 
a DC. As long as all the SRV records are in DNS and it has connectivity to all 
those DCs, authentication should not have broken. Are there firewall rules in 
place that limit a client to its local site?



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 9:11 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Help a AD Sites Noob out.

Never paid much attention to sites, but now I am going to.  I have 12 buildings 
with dedicated gig fiber back to one of them where the data center is housed.  
Not a lot of traffic, 10 to 15 percent tops. So never worked with sites to 
control replication or logon traffic.  But now I have a piece of software that 
is doing a fair number of GC lookups and it would seem that my desktops have 
decided over the years to all talk to one DC. There are DC’s in each of the 
five buildings, the 7 smaller ones do not have one.

There are currently two all-encompassing subnets, in one site with all the DC’s 
in that site.

So yesterday I decided to make sites. Put in all the subnets for all the 
buildings, and created 5 sites each with at least one DC, and put the 
appropriate subnet’s in those sites.

It went ugly really fast. Authentication broke enterprise wide, Exchange 
couldn’t auth and stopped working.  For the most part if it involved auth it 
broke.

Nuke the sites and subnets and moved it all back to two /16’s in one site and 
in about 30 minutes all was well.

What did I do wrong?

This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.


RE: [NTSysADM] RE: Help a AD Sites Noob out.

2016-03-19 Thread Kennedy, Jim
I am thinking along the same lines.  This isn’t rocket science.  I fat fingered 
something or panicked before it replicated. Going to hit it again Sunday, and 
go step by step as Bonnie described and verify everything including dns 
records/srv’s and replication.


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Charles F Sullivan
Sent: Friday, March 18, 2016 12:20 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] RE: Help a AD Sites Noob out.

Are you certain that you got the subnets correct? No duplicates or anything 
like that? You made sure to not miss any?

I am in the same boat, where we have always had just one site. But we most 
likely will be putting a couple of DCs at AWS, so a few months ago I tested out 
breaking things into 2 sites and it went well.

Looking at my notes:

-  Had to deal with firewalls at both ends and disable the Windows FW, 
which had been enabled on the DCs at AWS. Sounds like it’s not a factor for you.

-  Made sure all DCs were global catalogs and DNS servers. (Not 
required for every single DC, but consider these services at each site.)

-  Set replication interval appropriately. I think the default is still 
a large time increment.

Doesn’t seem like much help, but maybe it will turn on a lightbulb in your head.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>] 
On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 11:04 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

No, no firewalls between the buildings and lans/subnets.  One big giant happy 
family.

During this I could ping the DC’s, I could RDP to them…..

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Christopher Bodnar
Sent: Friday, March 18, 2016 11:02 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

I can believe that your replication broke, but for authentication to have 
totally broken seems odd. If a client can’t find a DC to authenticate to in 
its local site, it should keep going outside of its site until it can contact 
a DC. As long as all the SRV records are in DNS and it has connectivity to all 
those DCs, authentication should not have broken. Are there firewall rules in 
place that limit a client to its local site?



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 9:11 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Help a AD Sites Noob out.

Never paid much attention to sites, but now I am going to.  I have 12 buildings 
with dedicated gig fiber back to one of them where the data center is housed.  
Not a lot of traffic, 10 to 15 percent tops. So never worked with sites to 
control replication or logon traffic.  But now I have a piece of software that 
is doing a fair number of GC lookups and it would seem that my desktops have 
decided over the years to all talk to one DC. There are DC’s in each of the 
five buildings, the 7 smaller ones do not have one.

There are currently two all-encompassing subnets, in one site with all the DC’s 
in that site.

So yesterday I decided to make sites. Put in all the subnets for all the 
buildings, and created 5 sites each with at least one DC, and put the 
appropriate subnet’s in those sites.

It went ugly really fast. Authentication broke enterprise wide, Exchange 
couldn’t auth and stopped working.  For the most part if it involved auth it 
broke.

Nuke the sites and subnets and moved it all back to two /16’s in one site and 
in about 30 minutes all was well.

What did I do wrong?



[NTSysADM] Help a AD Sites Noob out.

2016-03-19 Thread Kennedy, Jim
Never paid much attention to sites, but now I am going to.  I have 12 buildings 
with dedicated gig fiber back to one of them where the data center is housed.  
Not a lot of traffic, 10 to 15 percent tops. So never worked with sites to 
control replication or logon traffic.  But now I have a piece of software that 
is doing a fair number of GC lookups and it would seem that my desktops have 
decided over the years to all talk to one DC. There are DC’s in each of the 
five buildings, the 7 smaller ones do not have one.

There are currently two all-encompassing subnets, in one site with all the DC’s 
in that site.

So yesterday I decided to make sites. Put in all the subnets for all the 
buildings, and created 5 sites each with at least one DC, and put the 
appropriate subnet’s in those sites.

It went ugly really fast. Authentication broke enterprise wide, Exchange 
couldn’t auth and stopped working.  For the most part if it involved auth it 
broke.

Nuke the sites and subnets and moved it all back to two /16’s in one site and 
in about 30 minutes all was well.

What did I do wrong?


[NTSysADM] RE: Help a AD Sites Noob out.

2016-03-18 Thread Kennedy, Jim
Round trip is zero. On Netflix Friday’s it might get up to 1ms.

Auth was broke even within buildings.

I will grab the logs and tests if it goes bad again.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Brian Desmond
Sent: Friday, March 18, 2016 1:31 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

What is the latency on these links?

That seems strange, as others have said, that AuthN broke because of this. I’ll 
be curious to see some of the nltest output and/or error logs.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 8:11 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Help a AD Sites Noob out.

Never paid much attention to sites, but now I am going to.  I have 12 buildings 
with dedicated gig fiber back to one of them where the data center is housed.  
Not a lot of traffic, 10 to 15 percent tops. So never worked with sites to 
control replication or logon traffic.  But now I have a piece of software that 
is doing a fair number of GC lookups and it would seem that my desktops have 
decided over the years to all talk to one DC. There are DC’s in each of the 
five buildings, the 7 smaller ones do not have one.

There are currently two all-encompassing subnets, in one site with all the DC’s 
in that site.

So yesterday I decided to make sites. Put in all the subnets for all the 
buildings, and created 5 sites each with at least one DC, and put the 
appropriate subnet’s in those sites.

It went ugly really fast. Authentication broke enterprise wide, Exchange 
couldn’t auth and stopped working.  For the most part if it involved auth it 
broke.

Nuke the sites and subnets and moved it all back to two /16’s in one site and 
in about 30 minutes all was well.

What did I do wrong?


[NTSysADM] RE: Help a AD Sites Noob out.

2016-03-18 Thread Kennedy, Jim
Had all of them in the same Default IP site link.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Coleman, Hunter
Sent: Friday, March 18, 2016 9:36 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

Did you create the site links?

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 7:11 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Help a AD Sites Noob out.

Never paid much attention to sites, but now I am going to.  I have 12 buildings 
with dedicated gig fiber back to one of them where the data center is housed.  
Not a lot of traffic, 10 to 15 percent tops. So never worked with sites to 
control replication or logon traffic.  But now I have a piece of software that 
is doing a fair number of GC lookups and it would seem that my desktops have 
decided over the years to all talk to one DC. There are DC’s in each of the 
five buildings, the 7 smaller ones do not have one.

There are currently two all-encompassing subnets, in one site with all the DC’s 
in that site.

So yesterday I decided to make sites. Put in all the subnets for all the 
buildings, and created 5 sites each with at least one DC, and put the 
appropriate subnet’s in those sites.

It went ugly really fast. Authentication broke enterprise wide, Exchange 
couldn’t auth and stopped working.  For the most part if it involved auth it 
broke.

Nuke the sites and subnets and moved it all back to two /16’s in one site and 
in about 30 minutes all was well.

What did I do wrong?


RE: [NTSysADM] RE: Help a AD Sites Noob out.

2016-03-18 Thread Kennedy, Jim
What you describe is exactly my issue, the desktops are slowly all migrating to 
one DC in the main data center.  With the high speed links between the 
buildings and the server switch plugged right into the core router with a 10GB 
link it makes sense..it is the fastest hop.

My only goal/need here is to spread out the DC load.

I think I will postpone Sundays redo, and ponder and research this some more.

Much appreciated gang.


From: listsadmin@lists.myitforum.com [listsadmin@lists.myitforum.com] on behalf 
of Charles F Sullivan [charles.sulliva...@bc.edu]
Sent: Friday, March 18, 2016 4:51 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] RE: Help a AD Sites Noob out.

I thought of this immediately at first, but figured it wouldn’t apply to your 
situation. I’m not so sure after re-reading…..

We have a DC, mainly for DR purposes, that is in a satellite data center less 
than a mile away with high speed connections to our main data center here. When 
we first set it up several years ago, most of the AD traffic on the main campus 
ended up going to that DC, apparently just because it’s physically on the main 
campus. We prevented this by changing the weight and priority for the SRV 
records on just that DC.

If you’re not familiar with the process, it’s a simple Registry edit:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
REG_DWORD: LdapSrvPriority | REG_DWORD: LdapSrvWeight
We set the priority as “low” as it can go (65535) and the weight as well (0).

This did not stop every bit of client AD traffic, but it gets a very small 
amount compared to the other DCs.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>] 
On Behalf Of Brian Desmond
Sent: Friday, March 18, 2016 3:11 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

So my suggestion here is to not setup any sites. Having all those buildings in 
one big site is probably the most ideal setup here if you have no utilization 
issues and no latency.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 12:40 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

Round trip is zero. On Netflix Fridays it might get up to 1ms.

Auth was broke even within buildings.

I will grab the logs and tests if it goes bad again.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Brian Desmond
Sent: Friday, March 18, 2016 1:31 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Help a AD Sites Noob out.

What is the latency on these links?

That seems strange, as others have said, that AuthN broke because of this. I’ll 
be curious to see some of the nltest output and/or error logs.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Friday, March 18, 2016 8:11 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Help a AD Sites Noob out.

Never paid much attention to sites, but now I am going to.  I have 12 buildings 
with dedicated gig fiber back to one of them where the data center is housed.  
Not a lot of traffic, 10 to 15 percent tops. So never worked with sites to 
control replication or logon traffic.  But now I have a piece of software that 
is doing a fair number of GC lookups and it would seem that my desktops have 
decided over the years to all talk to one DC. There are DC’s in each of the 
five buildings, the 7 smaller ones do not have one.

There are currently two all-encompassing subnets, in one site with all the DC’s 
in that site.

So yesterday I decided to make sites. Put in all the subnets for all the 
buildings, and created 5 sites each with at least one DC, and put the 
appropriate subnets in those sites.

It went ugly really fast. Authentication broke enterprise wide, Exchange 
couldn’t auth and stopped working.  For the most part if it involved auth it 
broke.

Nuked the sites and subnets and moved it all back to two /16’s in one site and 
in about 30 minutes all was well.

What did I do wrong?
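
The SRV priority and weight change that Charles Sullivan describes in the thread above, as an added PowerShell example (not code from any list member). The registry path and value names are the ones in his message; the function names, the corp.example domain and the sample records are assumptions made up for illustration, and the share calculation goes one step past the thread by modelling standard SRV ordering (RFC 2782).

```powershell
# Added example (not from the thread). Needs PowerShell 3+; Resolve-DnsName
# needs Windows 8 / Server 2012 or later on the machine doing the lookup.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-DcSrvSetting {
    # Absent values mean Netlogon registers its defaults: priority 0, weight 100.
    $p = Get-ItemProperty -Path $NetlogonParams
    [pscustomobject]@{
        LdapSrvPriority = if ($null -ne $p.LdapSrvPriority) { $p.LdapSrvPriority } else { 0 }
        LdapSrvWeight   = if ($null -ne $p.LdapSrvWeight)   { $p.LdapSrvWeight }   else { 100 }
    }
}

function Set-DcSrvSetting {
    # Run elevated on the DC that should attract less client traffic.
    param(
        [ValidateRange(0, 65535)][int]$Priority = 65535,   # value used in the thread
        [ValidateRange(0, 65535)][int]$Weight   = 0        # value used in the thread
    )
    Set-ItemProperty -Path $NetlogonParams -Name LdapSrvPriority -Value $Priority -Type DWord
    Set-ItemProperty -Path $NetlogonParams -Name LdapSrvWeight   -Value $Weight   -Type DWord
    Restart-Service -Name Netlogon   # SRV records are re-registered when Netlogon starts
}

function Get-DcSrvRecord {
    # Domain-wide DC locator records as a client sees them.
    param([Parameter(Mandatory)][string]$DnsDomain)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight
}

function Get-SrvSelectionShare {
    # Model of SRV ordering: only the lowest-numbered priority group is tried
    # while any host in it answers; inside that group hosts are chosen in
    # proportion to weight. A weight-0 host next to weighted peers is shown as 0
    # here; RFC 2782 leaves it a very small chance.
    param([Parameter(Mandatory)][object[]]$Record)
    $best  = ($Record | Measure-Object -Property Priority -Minimum).Minimum
    $group = @($Record | Where-Object { $_.Priority -eq $best })
    $total = ($group | Measure-Object -Property Weight -Sum).Sum
    foreach ($r in $Record) {
        if ($r.Priority -ne $best) { $share = 0 }
        elseif ($total -eq 0)      { $share = 1 / $group.Count }
        else                       { $share = $r.Weight / $total }
        [pscustomobject]@{
            NameTarget    = $r.NameTarget
            Priority      = $r.Priority
            Weight        = $r.Weight
            ExpectedShare = [math]::Round($share, 3)
        }
    }
}

# Constructed sample: two DCs on defaults, one set as in the thread.
$sample = @(
    [pscustomobject]@{ NameTarget = 'dc-bldg1.corp.example'; Priority = 0;     Weight = 100 }
    [pscustomobject]@{ NameTarget = 'dc-bldg2.corp.example'; Priority = 0;     Weight = 100 }
    [pscustomobject]@{ NameTarget = 'dc-dr.corp.example';    Priority = 65535; Weight = 0 }
)
Get-SrvSelectionShare -Record $sample | Format-Table -AutoSize

# On the DC:      Set-DcSrvSetting; Get-DcSrvSetting
# From a client:  Get-SrvSelectionShare -Record (Get-DcSrvRecord -DnsDomain 'corp.example')
```

The model covers only clients that pick a DC through these SRV records, which fits the thread's observation that the change reduced that DC's client traffic without stopping all of it.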



RE: [NTSysADM] Memory fun

2016-02-25 Thread Kennedy, Jim
Sorry, premature send.

http://blogs.technet.com/b/clinth/archive/2013/10/16/tracking-page-file-reads-and-writes.aspx


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, February 25, 2016 3:26 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Memory fun

Fire up MS's Sysinternals proc monitor and see what is writing to the page 
files.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Jesse Rink
Sent: Thursday, February 25, 2016 3:23 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Memory fun




That's all great, but I think you missed the point that SQL isn't using up all 
the memory on the server.  Of the 16GB of memory on the server, nearly half of 
that or more is readily available and not being used by SQL.  It's not like SQL 
is starved for memory, or using up all available memory...  And the other thing 
being, the other servers which all have the same SQL services and basically the 
same databases (along with identical hardware), do not exhibit the same issue 
with the Page File Usage I mentioned below...



Jesse Rink

Source One Technology, Inc.

HP Partner

262 993 2231



** Please visit our blog!  http://www.sourceonetechnology.com/blog/


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
<listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>> on 
behalf of Frank Ress 
<frank.r...@gastechnology.org<mailto:frank.r...@gastechnology.org>>
Sent: Thursday, February 25, 2016 12:51 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: RE: [NTSysADM] Memory fun


By default, SQL Server will tend to take as much memory as it needs, and it 
won't return any of it until a SQL restart (usually a server restart, of 
course).  So you could find your OS starved for memory if SQL wants a lot - and 
one poorly-tuned query could make SQL want a LOT!



You should configure the database to limit itself to some max (and probably 
min) memory amount.  Leave at least 4-5 GB for Windows (and other processes), 
so on a 20G box, tell SQL to use at most 15 or 16G.  My SQL servers don't do 
anything but database, so I generally give them at least 25% of the available 
memory from the get-go.  So, for 20G, max of 15 or 16, a min of 4 or 5.



Great.  How do you do that?  The syntax basics are pretty consistent from 
release to release.  I don't profess to know the details by rote.  Here's a 
chunk of T-SQL that I've used for SQL 2008 and 2008R2 servers.  Sorry, minimal 
comments.  But a little Google-fu will get you the background on anything 
that's not obvious, and you can check SQL BOL (Books on Line) for 
version-specific syntax changes while you're at it.



Note that there are example max memory commands for a 32G and a 20G server.  
(The '--' is a comment in T-SQL.)



HTH



Frank



--You can't do the rest of these commands without enabling this...
EXEC sp_configure 'show advanced options', 1
reconfigure
GO

--Current memory use of the SQL Server process
SELECT * FROM sys.dm_os_process_memory
GO

--Depending on server memory, use one or the other of the following commands,
--or roll your own for other memory sizes

EXEC sp_configure 'max server memory', 26624  --26624/1024 = 26 GB, for 32GB memory
reconfigure
GO

EXEC sp_configure 'max server memory', 16384  --16384/1024 = 16 GB, for 20GB memory
reconfigure
GO

EXEC sp_configure 'min server memory', 4096
reconfigure
GO

--Check the SQL Server error log and the memory breakdown afterwards
EXEC sp_readerrorlog
GO

DBCC memorystatus
GO



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Sean Martin
Sent: Thursday, February 25, 2016 12:10 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] Memory fun



I'm not proficient with SQL by any means, but it may be worth checking how SQL 
is configured to leverage physical memory. Perhaps it's capped at the amount of 
physical memory it can use?



- Sean



On Thu, Feb 25, 2016 at 6:39 AM, Jesse Rink 
<jr...@sourceonetechnology.com<mailto:jr...@sourceonetechnology.com>> wrote:

This might be a fun one to discuss...   I'm not even sure this is problematic 
or no big deal at all.  I'm leaning towards no big deal.  I bring it up 
because the behavior is unlike any other server I have (though that doesn't 
necessarily mean it's wrong/bad).



I have a physical server running Windows 2012 R2 with 24GB of physical memory.  
Paging file is set to be managed by the OS and is currently 4.58GB in size.  
The server is not heavily used.



What's strange is, the server's paging file usage is constantly upwards of 90% 
-- which is unlike any other servers I manage, including servers that are 
running on the -same- hardware spec, -same applications-, etc.   The server in 
question with the 90%+ paging file usage is a bit of an anomal

RE: [NTSysADM] Memory fun

2016-02-25 Thread Kennedy, Jim
Fire up MS's Sysinternals proc monitor and see what is writing to the page 
files.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Jesse Rink
Sent: Thursday, February 25, 2016 3:23 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Memory fun




That's all great, but I think you missed the point that SQL isn't using up all 
the memory on the server.  Of the 16GB of memory on the server, nearly half of 
that or more is readily available and not being used by SQL.  It's not like SQL 
is starved for memory, or using up all available memory...  And the other thing 
being, the other servers which all have the same SQL services and basically the 
same databases (along with identical hardware), do not exhibit the same issue 
with the Page File Usage I mentioned below...



Jesse Rink

Source One Technology, Inc.

HP Partner

262 993 2231



** Please visit our blog!  http://www.sourceonetechnology.com/blog/


From: listsadmin@lists.myitforum.com on behalf of Frank Ress
Sent: Thursday, February 25, 2016 12:51 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Memory fun


By default, SQL Server will tend to take as much memory as it needs, and it 
won't return any of it until a SQL restart (usually a server restart, of 
course).  So you could find your OS starved for memory if SQL wants a lot - and 
one poorly-tuned query could make SQL want a LOT!



You should configure the database to limit itself to some max (and probably 
min) memory amount.  Leave at least 4-5 GB for Windows (and other processes), 
so on a 20G box, tell SQL to use at most 15 or 16G.  My SQL servers don't do 
anything but database, so I generally give them at least 25% of the available 
memory from the get-go.  So, for 20G, max of 15 or 16, a min of 4 or 5.



Great.  How do you do that?  The syntax basics are pretty consistent from 
release to release.  I don't profess to know the details by rote.  Here's a 
chunk of T-SQL that I've used for SQL 2008 and 2008R2 servers.  Sorry, minimal 
comments.  But a little Google-fu will get you the background on anything 
that's not obvious, and you can check SQL BOL (Books on Line) for 
version-specific syntax changes while you're at it.



Note that there are example max memory commands for a 32G and a 20G server.  
(The '--' is a comment in T-SQL.)



HTH



Frank



--You can't do the rest of these commands without enabling this...
EXEC sp_configure 'show advanced options', 1
reconfigure
GO

--Current memory use of the SQL Server process
SELECT * FROM sys.dm_os_process_memory
GO

--Depending on server memory, use one or the other of the following commands,
--or roll your own for other memory sizes

EXEC sp_configure 'max server memory', 26624  --26624/1024 = 26 GB, for 32GB memory
reconfigure
GO

EXEC sp_configure 'max server memory', 16384  --16384/1024 = 16 GB, for 20GB memory
reconfigure
GO

EXEC sp_configure 'min server memory', 4096
reconfigure
GO

--Check the SQL Server error log and the memory breakdown afterwards
EXEC sp_readerrorlog
GO

DBCC memorystatus
GO



From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Sean Martin
Sent: Thursday, February 25, 2016 12:10 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Memory fun



I'm not proficient with SQL by any means, but it may be worth checking how SQL 
is configured to leverage physical memory. Perhaps it's capped at the amount of 
physical memory it can use?



- Sean



On Thu, Feb 25, 2016 at 6:39 AM, Jesse Rink wrote:

This might be a fun one to discuss...   I'm not even sure this is problematic 
or no big deal at all.  I'm leaning towards no big deal.  I bring it up 
because the behavior is unlike any other server I have (though that doesn't 
necessarily mean it's wrong/bad).



I have a physical server running Windows 2012 R2 with 24GB of physical memory.  
Paging file is set to be managed by the OS and is currently 4.58GB in size.  
The server is not heavily used.



What's strange is, the server's paging file usage is constantly upwards of 90% 
-- which is unlike any other servers I manage, including servers that are 
running on the -same- hardware spec, -same applications-, etc.   The server in 
question with the 90%+ paging file usage is a bit of an anomaly.



Few things to note...

1. The server's Committed Bytes is always hovering around 12GB or so... which 
is way below the Commit Limit (I think is 28GB or so, (physical memory + 
virtual memory)).   So that seems to be completely normal.



2.  The server's Page Faults/sec and Pages/sec are nearly identical with other 
servers I have that are serving up the same roles/functions and with the 

[NTSysADM] Print server logon events

2016-02-24 Thread Kennedy, Jim
2008 R2 print server, sharing one printer amongst about 750 people. I am seeing 
20 to 25 logon events a second on this server. That seems excessive, is that 
normal behavior for a print server...to re auth the connection that often?


RE: [NTSysADM] Remote users with no admin privs - TeamViewer not good enough

2016-02-23 Thread Kennedy, Jim
Sounds like this:

http://andyparkes.co.uk/blog/index.php/2013/03/25/working-with-uac-and-remote-assistance/


-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Tuesday, February 23, 2016 4:14 PM
To: ntsysadm
Subject: [NTSysADM] Remote users with no admin privs - TeamViewer not good 
enough

All,

I'm testing with a remote user - I've not allowed admin privs from his machine, 
and we're working on configuring it remotely.

I tried to help install, via TeamViewer, a printer driver, and it asked for 
admin credentials.

TV would not show me the screen, nor allow me to enter my credentials.

I had to send him the local admin password, which worked, and then we could 
proceed.

Is anyone aware of an app that allows the support tech to interact with these 
prompts?

We've implemented LAPS, but I can't reset the password for the local 
administrator account because we're using DirectAccess, and don't have manage 
out capabilities (and believe me, I've tried to set that up and failed, but 
we're using UAG/DA 2010, and it's no piece of cake - perhaps 2012R2 DA is 
better).

Kurt




RE: [NTSysADM] SOLVED: My ignorance is showing again...

2016-02-19 Thread Kennedy, Jim
Years ago Ohio had 3.2 beer.  That was what you could buy at 18, then 21 for 
the ‘high test’.  I lived in Detroit, we did road trips to Toledo all the time 
to get beer.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Friday, February 19, 2016 10:02 AM
To: ntsysadm
Subject: Re: [NTSysADM] SOLVED: My ignorance is showing again...

The big commercial brands are exactly that.
But many of the smaller brands are as good or better than their European 
counterparts.
Another good brewery is Ommegang, which is, IIRC, in New Jersey. I 
particularly like Three Philosophers. They also do a round of seasonals named 
after Game of Thrones.
Kurt

On Fri, Feb 19, 2016 at 5:27 AM, Webster wrote:
Yep. My German and Dutch friends call American beer, flavored water.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of J- P
Sent: Friday, February 19, 2016 7:19 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] SOLVED: My ignorance is showing again...

11.8% abv, now that's a beer ☺

> Date: Thu, 18 Feb 2016 13:56:30 -0800
> Subject: Re: [NTSysADM] SOLVED: My ignorance is showing again...
> From: kurt.b...@gmail.com
> To: ntsys...@lists.myitforum.com
>
> Thanks!
>
> But just one beer, not six, and it won't be available until November:
> https://www.boulevard.com/BoulevardBeers/bourbon-barrel-quad/
>
> Kurt
>
> On Thu, Feb 18, 2016 at 12:16 PM, Webster wrote:
> > Time for a beer or six.
> >
> >
> > Webster
> >
> > -Original Message-
> > From: listsadmin@lists.myitforum.com 
> > [mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
> > Sent: Thursday, February 18, 2016 2:09 PM
> > To: ntsysadm
> > Subject: [NTSysADM] SOLVED: My ignorance is showing again...
> >
> > Well, holy mackerel!
> >
> > I found it!
> >
> > I used "usdmzdc01p.dmz.example.com\kurt-dmz", and the password change took!
> >
> > Couldn't use the bare domain, had to specify the DC.
> >
> > It's only noon, and I've solved a real problem.
> >
> > Kurt
> >
> > On Thu, Feb 18, 2016 at 11:55 AM, Miller Bonnie L. wrote:
> >> Yep, that is what I meant both domain\username and 
> >> usern...@domain.name.
> >>
> >> -Original Message-
> >> From: listsadmin@lists.myitforum.com
> >> [mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
> >> Sent: Thursday, February 18, 2016 10:41 AM
> >> To: ntsysadm
> >> Subject: Re: [NTSysADM] My ignorance is showing again...
> >>
> >> Not sure what you mean - but let me show what I've tried:
> >>
> >> The DMZ forest is dmz.example.com, while production is example.com (don't
> >> yell, I didn't set up the DMZ forest). I press ALT+CTRL+DEL on my machine
> >> in the production forest, and select "Change a password"
> >> (I'm running Win8.1), then type in the ID and old password and new
> >> password in the relevant fields.
> >>
> >> For the ID, I've tried kurt-...@dmz.example.com, kurt-dmz@dmz.example,
> >> dmz.example.com\kurt-dmz and dmz.example\kurt-dmz, and get the same error
> >> message in all cases.
> >>
> >> I've also tried using the name of the DC -
> >> kurt-...@usmszdc01p.dmz.example.com - and get the same error message.
> >>
> >> Kurt
> >>
> >> On Thu, Feb 18, 2016 at 7:53 AM, Miller Bonnie L. wrote:
> >>> Do you get the same results with netbios vs UPN logon?
> >>>
> >>> -Bonnie
> >>>
> >>> -Original Message-
> >>> From: listsadmin@lists.myitforum.com
> >>> [mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
> >>> Sent: Wednesday, February 17, 2016 1:41 PM
> >>> To: ntsysadm
> >>> Subject: [NTSysADM] My ignorance is showing again...
> >>>
> >>> We have two separate, untrusted forests - DMZ and production.
> >>>
> >>> Production is at DFL/FFL 2008.
> >>> DMZ is at DFL/FFL 2012R2
> >>>
> >>> I changed a password for an account in the DMZ forest, setting it to 
> >>> require change at next logon.
> >>>
> >>> User cannot 

RE: [NTSysADM] SOLVED: My ignorance is showing again...

2016-02-18 Thread Kennedy, Jim
Congrats!  Take the afternoon off.

-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Thursday, February 18, 2016 3:08 PM
To: ntsysadm
Subject: [NTSysADM] SOLVED: My ignorance is showing again...

Well, holy mackerel!

I found it!

I used "usdmzdc01p.dmz.example.com\kurt-dmz", and the password change took!

Couldn't use the bare domain, had to specify the DC.

It's only noon, and I've solved a real problem.

Kurt

On Thu, Feb 18, 2016 at 11:55 AM, Miller Bonnie L. wrote:
> Yep, that is what I meant both domain\username and usern...@domain.name.
>
> -Original Message-
> From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Thursday, February 18, 2016 10:41 AM
> To: ntsysadm 
> Subject: Re: [NTSysADM] My ignorance is showing again...
>
> Not sure what you mean - but let me show what I've tried:
>
> The DMZ forest is dmz.example.com, while production is example.com (don't 
> yell, I didn't set up the DMZ forest). I press ALT+CTRL+DEL on my machine in 
> the production forest, and select "Change a password"
> (I'm running Win8.1), then type in the ID and old password and new password 
> in the relevant fields.
>
> For the ID, I've tried kurt-...@dmz.example.com, kurt-dmz@dmz.example, 
> dmz.example.com\kurt-dmz and dmz.example\kurt-dmz, and get the same error 
> message in all cases.
>
> I've also tried using the name of the DC - 
> kurt-...@usmszdc01p.dmz.example.com - and get the same error message.
>
> Kurt
>
> On Thu, Feb 18, 2016 at 7:53 AM, Miller Bonnie L. wrote:
>> Do you get the same results with netbios vs UPN logon?
>>
>> -Bonnie
>>
>> -Original Message-
>> From: listsadmin@lists.myitforum.com
>> [mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Wednesday, February 17, 2016 1:41 PM
>> To: ntsysadm 
>> Subject: [NTSysADM] My ignorance is showing again...
>>
>> We have two separate, untrusted forests - DMZ and production.
>>
>> Production is at DFL/FFL 2008.
>> DMZ is at DFL/FFL 2012R2
>>
>> I changed a password for an account in the DMZ forest, setting it to require 
>> change at next logon.
>>
>> User cannot RDP from machine in production forest to machine in DMZ forest 
>> because the password must be changed first.
>>
>> User cannot change password on machine in production forest for
>> account in DMZ forest using ALT+CTRL+DEL, because he's getting the
>> message:
>>
>>   "configuration information could not be read from the domain 
>> controller,
>>  either because the machine is unavailable, or access has been denied."
>>
>> I know I can unset the requirement to change the password at next logon, but 
>> that seems silly, because then I can't enforce having him change it without 
>> standing over his shoulder while he does it.
>>
>> How the heck can I do this? I've tried with my own user accounts, and have 
>> confirmed the problem.
>>
>> Kurt
>>
>>
>
>




[NTSysADM] RE: UDP 443

2016-02-08 Thread Kennedy, Jim
Lots of google stuff. Android, chrome..

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Monday, February 8, 2016 3:34 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] UDP 443

What would use UDP port 443?

David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190



[NTSysADM] RE: DC's and certs.

2016-02-05 Thread Kennedy, Jim
Thanks Brian.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Brian Desmond
Sent: Friday, February 5, 2016 11:05 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: DC's and certs.

That’s what I would expect in terms of behavior. :)

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Thursday, February 4, 2016 1:41 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

The plot thickens, does the below make sense to everyone else?

It appears that GoDaddy certs are not ‘automatically’ added to Windows trusted 
root stores during the usual root updates.  They are only added if you go to a 
site that uses it?  IE checks it against MS’s list and then adds it to the store 
at that point.  I found a bunch of my member servers that did not have the 
GoDaddy certs installed.

Visited a website <http://www.binarydefense.com> that I knew used GoDaddy with 
IE and bam the cert instantly showed up in the local computer cert store.

Did I mention I really hate certs.


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Tuesday, February 2, 2016 1:56 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

Same WSUS group, but root certs don’t come via WSUS I don’t believe. They are 
direct now.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Damien Solodow
Sent: Tuesday, February 2, 2016 1:51 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

The DCs in a different group in WSUS or something similar?

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Tuesday, February 2, 2016 1:47 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

It is lack of root cert updates for sure.  I can see them hitting the update 
site for MS for these in the web filter log. And the revocation site also.

https://sls.update.microsoft.com
http://crl.microsoft.com

GPO’s are virtually identical but I rechecked them.  Only diff is settings for 
auditing log on events.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Brian Desmond
Sent: Monday, February 1, 2016 5:43 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

> either that or the “root certificate updates” aren’t applied to the DCs.

I'd guess this.

SChannel tracing might be helpful otherwise - 
https://support.microsoft.com/en-us/kb/260729

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Damien Solodow
Sent: Monday, February 1, 2016 3:20 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

Doubtful if they’re using GoDaddy. ;)

I’d wager you have a difference in GPO around certificates for your DCs; either 
that or the “root certificate updates” aren’t applied to the DCs.

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Monday, February 1, 2016 4:16 PM
To: 'ntsys...@lists.myitforum.com' 
<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Subject: [NTSysADM] DC's and certs.

So I am working with a vendor on a new product they are developing. It 
installs a single exe as a service and runs as system.  That service makes an 
SSL connection to their servers. That is all I can say about the software at 
this point. Desktops and member servers make the SSL call no problem. But DC’s 
fail and reject the cert on the vendor’s server. It is a GoDaddy G2 cert.  I 
dl’d the chain from GoDaddy, installed it into the local machine store on the 
DC’s and all is well.

The GoDaddy chain is not installed on the member servers.

My question is why the difference between a DC and a Member server?  Do DC’s 
only talk to themselves for cert verification?

PS: You folks are going to be very jelly when you find out what it is and that 
I have it.  ☺


[NTSysADM] RE: DC's and certs.

2016-02-04 Thread Kennedy, Jim
The plot thickens, does the below make sense to everyone else?

It appears that GoDaddy certs are not ‘automatically’ added to Windows trusted 
root stores during the usual root updates.  They are only added if you go to a 
site that uses it?  IE checks it against MS’s list and then adds it to the store 
at that point.  I found a bunch of my member servers that did not have the 
GoDaddy certs installed.

Visited a website <http://www.binarydefense.com> that I knew used GoDaddy with 
IE and bam the cert instantly showed up in the local computer cert store.

Did I mention I really hate certs.


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Tuesday, February 2, 2016 1:56 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: DC's and certs.

Same WSUS group, but root certs don’t come via WSUS I don’t believe. They are 
direct now.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Damien Solodow
Sent: Tuesday, February 2, 2016 1:51 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: DC's and certs.

The DCs in a different group in WSUS or something similar?

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Tuesday, February 2, 2016 1:47 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

It is lack of root cert updates for sure.  I can see them hitting the update 
site for MS for these in the web filter log. And the revocation site also.

https://sls.update.microsoft.com
http://crl.microsoft.com

GPO’s are virtually identical but I rechecked them.  Only diff is settings for 
auditing log on events.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Brian Desmond
Sent: Monday, February 1, 2016 5:43 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

> either that or the “root certificate updates” aren’t applied to the DCs.

I'd guess this.

SChannel tracing might be helpful otherwise - 
https://support.microsoft.com/en-us/kb/260729

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Damien Solodow
Sent: Monday, February 1, 2016 3:20 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

Doubtful if they’re using GoDaddy. ;)

I’d wager you have a difference in GPO around certificates for your DCs; either 
that or the “root certificate updates” aren’t applied to the DCs.

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Monday, February 1, 2016 4:16 PM
To: 'ntsys...@lists.myitforum.com' 
<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Subject: [NTSysADM] DC's and certs.

So I am working with a vendor on a new product they are developing. It 
installs a single exe as a service and runs as system.  That service makes an 
SSL connection to their servers. That is all I can say about the software at 
this point. Desktops and member servers make the SSL call no problem. But DC’s 
fail and reject the cert on the vendor’s server. It is a GoDaddy G2 cert.  I 
dl’d the chain from GoDaddy, installed it into the local machine store on the 
DC’s and all is well.

The GoDaddy chain is not installed on the member servers.

My question is why the difference between a DC and a Member server?  Do DC’s 
only talk to themselves for cert verification?

PS: You folks are going to be very jelly when you find out what it is and that 
I have it.  ☺
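
A way to compare root trust on a DC and a member server for the situation discussed in the thread above, as an added PowerShell example (not code from any list member). The function names, the '*Daddy*' subject pattern and the C:\Temp\vendor-server.cer path are assumptions for illustration; the certificate file is assumed to be the vendor server's certificate exported by hand.

```powershell
# Added example (not from the thread). Needs PowerShell 3+. Run the same
# script on a DC and on a member server and compare the output.

function Get-RootAutoUpdatePolicy {
    # Group Policy "Turn off Automatic Root Certificates Update" writes this value.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    [pscustomobject]@{
        DisableRootAutoUpdate = $v              # empty when the policy is not configured
        AutoUpdateAllowed     = ($v -ne 1)
    }
}

function Find-TrustedRoot {
    # Look for a root by subject in the machine's Trusted Root store and in the
    # Third-Party Root Certification Authorities store (AuthRoot).
    param([Parameter(Mandatory)][string]$SubjectLike)
    foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like $SubjectLike } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

function Test-CertChain {
    # Build the chain in the machine context, as a service running as SYSTEM would.
    param([Parameter(Mandatory)][string]$CertPath)
    $x509  = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$x509.X509Certificate2" $CertPath
    $chain = New-Object "$x509.X509Chain" $true           # $true = machine context
    $chain.ChainPolicy.RevocationMode = 'NoCheck'         # isolate trust from CRL reachability
    $ok = $chain.Build($cert)
    [pscustomobject]@{
        ChainOk = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Chain   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

$certPath = 'C:\Temp\vendor-server.cer'    # hypothetical path to the exported server cert
$pattern  = '*Daddy*'                      # sample subject pattern for the root in question

Get-RootAutoUpdatePolicy | Format-List
'Roots before chain build:'; Find-TrustedRoot -SubjectLike $pattern | Format-Table -AutoSize
if (Test-Path $certPath) {
    # Building a chain can itself trigger the on-demand root download, which is
    # why the store is listed before and after.
    Test-CertChain -CertPath $certPath | Format-List
    'Roots after chain build:'; Find-TrustedRoot -SubjectLike $pattern | Format-Table -AutoSize
}
```

A machine that shows the root only after the chain build fetched it on demand; one that still fails with an untrusted-root status while the policy allows updates is worth checking for blocked access to the update endpoints.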


[NTSysADM] RE: DC's and certs.

2016-02-02 Thread Kennedy, Jim
It is lack of root cert updates for sure.  I can see them hitting the update 
site for MS for these in the web filter log. And the revocation site also.

https://sls.update.microsoft.com
http://crl.microsoft.com

GPO’s are virtually identical but I rechecked them.  Only diff is settings for 
auditing log on events.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Brian Desmond
Sent: Monday, February 1, 2016 5:43 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: DC's and certs.

> either that or the “root certificate updates” aren’t applied to the DCs.

I'd guess this.

SChannel tracing might be helpful otherwise - 
https://support.microsoft.com/en-us/kb/260729

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Damien Solodow
Sent: Monday, February 1, 2016 3:20 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: DC's and certs.

Doubtful if they’re using GoDaddy. ;)

I’d wager you have a difference in GPO around certificates for your DCs; either 
that or the “root certificate updates” aren’t applied to the DCs.

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Monday, February 1, 2016 4:16 PM
To: 'ntsys...@lists.myitforum.com' 
<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Subject: [NTSysADM] DC's and certs.

So I am working with a vendor on a new product they are developing.. It 
installs a single exe as a service and runs as system.  That service makes an 
SSL connection to their servers. That is all I can say about the software at 
this point. Desktops and member servers make the SSL call no problem. But DC’s 
fail and reject the cert on the vendor’s server. It is a GoDaddy G2 cert.  I 
dl’d the chain from GoDaddy, installed it into the local machine store on the 
DC’s and all is well.

The GoDaddy chain is not installed on the member servers.

My question is why the difference between a DC and a Member server?  Do DC’s 
only talk to themselves for cert verification?

PS: You folks are going to be very jelly when you find out what it is and that 
I have it.  ☺


[NTSysADM] RE: DC's and certs.

2016-02-02 Thread Kennedy, Jim
Same WSUS group, but root certs don’t come via WSUS I don’t believe. They are 
direct now.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Damien Solodow
Sent: Tuesday, February 2, 2016 1:51 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: DC's and certs.

The DCs in a different group in WSUS or something similar?

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Tuesday, February 2, 2016 1:47 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

It is lack of root cert updates for sure.  I can see them hitting the update 
site for MS for these in the web filter log. And the revocation site also.

https://sls.update.microsoft.com
http://crl.microsoft.com

GPO’s are virtually identical but I rechecked them.  Only diff is settings for 
auditing log on events.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Brian Desmond
Sent: Monday, February 1, 2016 5:43 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

> either that or the “root certificate updates” aren’t applied to the DCs.

I'd guess this.

SChannel tracing might be helpful otherwise - 
https://support.microsoft.com/en-us/kb/260729

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Damien Solodow
Sent: Monday, February 1, 2016 3:20 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: DC's and certs.

Doubtful if they’re using GoDaddy. ;)

I’d wager you have a difference in GPO around certificates for your DCs; either 
that or the “root certificate updates” aren’t applied to the DCs.

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Monday, February 1, 2016 4:16 PM
To: 'ntsys...@lists.myitforum.com' 
<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Subject: [NTSysADM] DC's and certs.

So I am working with a vendor on a new product they are developing.. It 
installs a single exe as a service and runs as system.  That service makes an 
SSL connection to their servers. That is all I can say about the software at 
this point. Desktops and member servers make the SSL call no problem. But DC’s 
fail and reject the cert on the vendor’s server. It is a GoDaddy G2 cert.  I 
dl’d the chain from GoDaddy, installed it into the local machine store on the 
DC’s and all is well.

The GoDaddy chain is not installed on the member servers.

My question is why the difference between a DC and a Member server?  Do DC’s 
only talk to themselves for cert verification?

PS: You folks are going to be very jelly when you find out what it is and that 
I have it.  ☺


[NTSysADM] DC's and certs.

2016-02-01 Thread Kennedy, Jim
So I am working with a vendor on a new product they are developing.. It 
installs a single exe as a service and runs as system.  That service makes an 
SSL connection to their servers. That is all I can say about the software at 
this point. Desktops and member servers make the SSL call no problem. But DC’s 
fail and reject the cert on the vendor’s server. It is a GoDaddy G2 cert.  I 
dl’d the chain from GoDaddy, installed it into the local machine store on the 
DC’s and all is well.

The GoDaddy chain is not installed on the member servers.

My question is why the difference between a DC and a Member server?  Do DC’s 
only talk to themselves for cert verification?

PS: You folks are going to be very jelly when you find out what it is and that 
I have it.  ☺


[NTSysADM] RE: Applocker Exe rules

2016-01-21 Thread Kennedy, Jim
Must be applocker week.

I block c:\users\*\appdata\*

Having a heck of a time whitelisting the below:

%OSDRIVE%\USERS\KENNEDYJIM\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\LFGGA9WE\GOTOMEETING LAUNCHER.EXE

I think the space in the exe is getting me but can't find any references to how 
to handle spaces.

I have tried a bunch of variations on the exception tab, a few examples:

%OSDRIVE%\USERS\*\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\*\GOTOMEETING LAUNCHER.EXE
%OSDRIVE%\USERS\*\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\*\GOTOMEETING*.EXE

Even just the exe which normally works really well

GOTOMEETING LAUNCHER.EXE
GOTOMEETING *.exe
GOTOMEETING*







RE: [NTSysADM] RE: Applocker Exe rules

2016-01-21 Thread Kennedy, Jim
" are not allowed.
' is allowed but didn't help.
? did not help.
Short file names struck me as a genius idea, but didn't work.

So I went with a publisher exception which covers Mr. Casale's point much 
better. And is WAY easier.  It is what I should have done in the first place, 
and will be doing far more of in the future.  I also opened a work order for 
myself to convert my existing exceptions to publisher exceptions.

Appreciate it gang, very much.


-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Thursday, January 21, 2016 2:31 PM
To: ntsysadm
Subject: RE: [NTSysADM] RE: Applocker Exe rules

I would also try the ? and maybe short file names, if you haven't turned them 
off?  Please report back if you get something to work.

-Bonnie

-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Thursday, January 21, 2016 11:13 AM
To: ntsysadm <ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: Applocker Exe rules

I haven't played yet with applocker, but can you

put quotes around it, like so:
"%OSDRIVE%\USERS\KENNEDYJIM\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\LFGGA9WE\GOTOMEETING LAUNCHER.EXE"

Or, perhaps use the question mark:
%OSDRIVE%\USERS\*\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\*\GOTOMEETING?LAUNCHER.EXE



Kurt

On Thu, Jan 21, 2016 at 10:34 AM, Kennedy, Jim <kennedy...@elyriaschools.org> 
wrote:
> Must be applocker week.
>
> I block c:\users\*\appdata\*
>
> Having a heck of a time whitelisting the below:
>
> %OSDRIVE%\USERS\KENNEDYJIM\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\LFGGA9WE\GOTOMEETING LAUNCHER.EXE
>
> I think the space in the exe is getting me but can’t find any 
> references to how to handle spaces.
>
> I have tried a bunch of variations on the exception tab, a few examples:
>
> %OSDRIVE%\USERS\*\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\*\GOTOMEETING LAUNCHER.EXE
>
> %OSDRIVE%\USERS\*\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\*\GOTOMEETING*.EXE
>
> Even just the exe which normally works really well
>
> GOTOMEETING LAUNCHER.EXE
>
> GOTOMEETING *.exe
>
> GOTOMEETING*




[NTSysADM] RE: Applocker Exe rules

2016-01-20 Thread Kennedy, Jim
That will kill downloads and desktop.  But you raise an interesting point, I 
may try that also.

The most common exception I think you will run into are the webinar runtimes, 
Citrix, go to meeting and so on.  So they will look like:

%OSDRIVE%\USERS\*\APPDATA\LOCAL\TEMP\*\gotomeeting.exe


Also the google updater. And it creates a new random folder name every so 
often, thus the second *

%OSDRIVE%\USERS\*\APPDATA\LOCAL\TEMP\*\GOOGLEUPDATE.EXE


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 4:55 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Applocker Exe rules

And BTW, I like this option also -added a rule for:

c:\Users\*\Appdata\*

If I have to craft exceptions later that rule might need adjusting, but it's a 
good place to start.  Considering changing it to C:\Users\* also - any reason 
not to, other than exceptions?  If an admin really needs to run something, they 
can put it somewhere else, but it should keep some malware from attempting to 
run.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Tuesday, January 19, 2016 12:18 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Applocker Exe rules

Melvin's question triggered a thought.

From a security standpoint Bonnie I respectfully suggest you block 
c:\users\*\appdata\*

Then whitelist on the exception tab for that rule what needs to be allowed to 
run.  Otherwise you are missing a golden opportunity to kill darn near all the 
viruses and malware out there.  Plus you are playing reverse whack-a-mole.  
Killing the bad stuff one path at a time.

Consider trying it my way, set it to log. I bet the list to whitelist will be 
pretty short.


Also, going back to your original question I believe you can block
onedrive.exe   all by itself. And kill it universally.  Yea, they can rename 
it. But they can also move it on a path block too.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Tuesday, January 19, 2016 3:07 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Applocker Exe rules

Doesn't recursion from the profile directory catch that?  %USERPROFILE% would 
be the level above.  Unless of course you have legitimate things running from 
within the profile directory.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 2:52 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Applocker Exe rules

I'm working on policies for our Win10 deployment (Surface Pro 4's have been 
ordered, they only come with 10) and have an applocker question, specifically 
with executable rules.

I can't use standard system variables in the paths, like we have done with 
Software Restriction Policies.  Instead there are some special vars available, 
but I'm not finding anything for user folders/appdata.  Has anyone found a way 
to define the following with any sort of variable?

C:\users\username\appdata\something.exe

Specifically, we have a program (onedrive.exe) that is in the user profile path 
by default, but needs to be blocked for all users, even administrators.  With 
the default rules, the program is blocked for everyone who is a standard user 
but is allowed for admins.

I know I can successfully block programs for admins as I have a similar rule 
already working that points to the groove.exe location in Program files and it 
can't be run, but everything I've tried for this one doesn't seem to work as I 
can't craft a working variable.

Am I stuck with hashing this file and every new version?  I realize there are 
options for not even installing some of the default apps that come with 10-we 
are looking at that as well, but we may want to allow the next gen sync client 
for some people later, if we ever get to one-to-one.

I'm also thinking that we might have a need to use this sort of path to ALLOW 
an executable to run from a user profile path.

Thanks for any and all ideas and suggestions!
-Bonnie



[NTSysADM] RE: Applocker Exe rules

2016-01-19 Thread Kennedy, Jim
Something isn't right.  If I have a specific deny on something even local 
admin's can't do it.  It works like NTFS in that a deny trumps all. I have a 
specific deny on powershell.  So even my desktop folks with local admin cannot 
run powershell. On my back burner to do list is to figure that out.



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 3:20 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Applocker Exe rules

So the recursion blocks it for most users (that is working), but if someone is 
on with an admin account we also need to block the app in this case.  When 
adding the default rules for exes, it adds an "Allow BUILTIN\Administrators" 
All files", meaning if you're an admin, you otherwise get to run everything and 
anything.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Tuesday, January 19, 2016 12:07 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Applocker Exe rules

Doesn't recursion from the profile directory catch that?  %USERPROFILE% would 
be the level above.  Unless of course you have legitimate things running from 
within the profile directory.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 2:52 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Applocker Exe rules

I'm working on policies for our Win10 deployment (Surface Pro 4's have been 
ordered, they only come with 10) and have an applocker question, specifically 
with executable rules.

I can't use standard system variables in the paths, like we have done with 
Software Restriction Policies.  Instead there are some special vars available, 
but I'm not finding anything for user folders/appdata.  Has anyone found a way 
to define the following with any sort of variable?

C:\users\username\appdata\something.exe

Specifically, we have a program (onedrive.exe) that is in the user profile path 
by default, but needs to be blocked for all users, even administrators.  With 
the default rules, the program is blocked for everyone who is a standard user 
but is allowed for admins.

I know I can successfully block programs for admins as I have a similar rule 
already working that points to the groove.exe location in Program files and it 
can't be run, but everything I've tried for this one doesn't seem to work as I 
can't craft a working variable.

Am I stuck with hashing this file and every new version?  I realize there are 
options for not even installing some of the default apps that come with 10-we 
are looking at that as well, but we may want to allow the next gen sync client 
for some people later, if we ever get to one-to-one.

I'm also thinking that we might have a need to use this sort of path to ALLOW 
an executable to run from a user profile path.

Thanks for any and all ideas and suggestions!
-Bonnie



[NTSysADM] RE: Applocker Exe rules

2016-01-19 Thread Kennedy, Jim
Melvin's question triggered a thought.

From a security standpoint Bonnie I respectfully suggest you block 
c:\users\*\appdata\*

Then whitelist on the exception tab for that rule what needs to be allowed to 
run.  Otherwise you are missing a golden opportunity to kill darn near all the 
viruses and malware out there.  Plus you are playing reverse whack-a-mole.  
Killing the bad stuff one path at a time.

Consider trying it my way, set it to log. I bet the list to whitelist will be 
pretty short.


Also, going back to your original question I believe you can block
onedrive.exe   all by itself. And kill it universally.  Yea, they can rename 
it. But they can also move it on a path block too.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Tuesday, January 19, 2016 3:07 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Applocker Exe rules

Doesn't recursion from the profile directory catch that?  %USERPROFILE% would 
be the level above.  Unless of course you have legitimate things running from 
within the profile directory.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 2:52 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Applocker Exe rules

I'm working on policies for our Win10 deployment (Surface Pro 4's have been 
ordered, they only come with 10) and have an applocker question, specifically 
with executable rules.

I can't use standard system variables in the paths, like we have done with 
Software Restriction Policies.  Instead there are some special vars available, 
but I'm not finding anything for user folders/appdata.  Has anyone found a way 
to define the following with any sort of variable?

C:\users\username\appdata\something.exe

Specifically, we have a program (onedrive.exe) that is in the user profile path 
by default, but needs to be blocked for all users, even administrators.  With 
the default rules, the program is blocked for everyone who is a standard user 
but is allowed for admins.

I know I can successfully block programs for admins as I have a similar rule 
already working that points to the groove.exe location in Program files and it 
can't be run, but everything I've tried for this one doesn't seem to work as I 
can't craft a working variable.

Am I stuck with hashing this file and every new version?  I realize there are 
options for not even installing some of the default apps that come with 10-we 
are looking at that as well, but we may want to allow the next gen sync client 
for some people later, if we ever get to one-to-one.

I'm also thinking that we might have a need to use this sort of path to ALLOW 
an executable to run from a user profile path.

Thanks for any and all ideas and suggestions!
-Bonnie
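The approach discussed in this thread (an explicit deny on c:\users\*\appdata\* for everyone, exceptions by publisher rather than by path, run in log-only mode first), as an added example that is not code from any poster. The sample file path, the placeholder publisher string and the output file name are assumptions; the script only builds and dry-runs a draft policy and does not apply it.

```powershell
# Added example: draft a deny-AppData AppLocker policy in audit mode and
# dry-run it against executables that already live under AppData.

# Assumption: a signed copy of the program to except (hypothetical path).
$sampleExe  = Join-Path $env:TEMP 'sample\GoToMeeting Launcher.exe'
# Assumption: where the draft policy XML is written.
$policyFile = Join-Path $env:TEMP 'deny-appdata-audit.xml'

# Read the publisher from the file's signature. Fall back to a labelled
# placeholder when the sample is missing or unsigned.
$publisher = 'O=EXAMPLE PUBLISHER PLACEHOLDER, L=CITY, S=STATE, C=US'
if (Test-Path -LiteralPath $sampleExe) {
    $info = Get-AppLockerFileInformation -Path $sampleExe
    if ($info.Publisher) { $publisher = $info.Publisher.PublisherName }
}
# Publisher strings can contain quotes and ampersands; escape for XML.
$publisherXml = [System.Security.SecurityElement]::Escape($publisher)

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
# The three allow rules mirror the default Exe rules; the deny rule is for
# Everyone, so it also overrides the Administrators "all files" allow.
# The publisher exception matches on the signature, so neither the random
# cache folder nor a space in the file name matters.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$publisherXml" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -LiteralPath $policyFile -Value $policyXml -Encoding UTF8

# Dry run: evaluate the draft against real executables under the current
# user's AppData without touching the effective policy.
$exes = @(Get-ChildItem -Path $env:LOCALAPPDATA -Filter *.exe -Recurse -File `
            -ErrorAction SilentlyContinue |
          Select-Object -First 200 -ExpandProperty FullName)
if ($exes.Count -gt 0) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exes -User Everyone |
        Sort-Object PolicyDecision, FilePath |
        Format-Table PolicyDecision, MatchingRule, FilePath -AutoSize
}

# Once a policy like this has been deployed in audit mode (for example by
# GPO), summarise what would have been blocked; these are the candidates
# for publisher exceptions.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics `
    -ErrorAction SilentlyContinue | Format-List
```

Files reported as Denied in the dry run that are legitimate are the short whitelist to work through before switching the rule collection from AuditOnly to Enabled.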



[NTSysADM] RE: Applocker Exe rules

2016-01-19 Thread Kennedy, Jim
Filtering the GPO based on local admin group perhaps... some loopback going on? 
 But it is machine based not user based GPO.


You can also create rules that use the deny action. When applying rules, 
AppLocker first checks whether any explicit deny actions are specified in the 
rule list. If you have denied a file from running in a rule collection, the 
deny action will take precedence over any allow action, regardless of which 
Group Policy Object (GPO) the rule was originally applied in. Because AppLocker 
functions as an allowed list by default, if no rule explicitly allows or denies 
a file from running, AppLocker's default deny action will block the file.

https://technet.microsoft.com/en-us/library/ee460955.aspx

Also to my earlier point about block all then white list:

The deny action is generally less secure than the allow action because a 
malicious user could modify the file to invalidate the rule. Deny actions can 
also be circumvented.


From: Kennedy, Jim
Sent: Tuesday, January 19, 2016 3:24 PM
To: ntsys...@lists.myitforum.com
Subject: RE: Applocker Exe rules

Something isn't right.  If I have a specific deny on something even local 
admin's can't do it.  It works like NTFS in that a deny trumps all. I have a 
specific deny on powershell.  So even my desktop folks with local admin cannot 
run powershell. On my back burner to do list is to figure that out.



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 3:20 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Applocker Exe rules

So the recursion blocks it for most users (that is working), but if someone is 
on with an admin account we also need to block the app in this case.  When 
adding the default rules for exes, it adds an "Allow BUILTIN\Administrators" 
All files", meaning if you're an admin, you otherwise get to run everything and 
anything.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Tuesday, January 19, 2016 12:07 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Applocker Exe rules

Doesn't recursion from the profile directory catch that?  %USERPROFILE% would 
be the level above.  Unless of course you have legitimate things running from 
within the profile directory.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 2:52 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Applocker Exe rules

I'm working on policies for our Win10 deployment (Surface Pro 4's have been 
ordered, they only come with 10) and have an applocker question, specifically 
with executable rules.

I can't use standard system variables in the paths, like we have done with 
Software Restriction Policies.  Instead there are some special vars available, 
but I'm not finding anything for user folders/appdata.  Has anyone found a way 
to define the following with any sort of variable?

C:\users\username\appdata\something.exe

Specifically, we have a program (onedrive.exe) that is in the user profile path 
by default, but needs to be blocked for all users, even administrators.  With 
the default rules, the program is blocked for everyone who is a standard user 
but is allowed for admins.

I know I can successfully block programs for admins as I have a similar rule 
already working that points to the groove.exe location in Program files and it 
can't be run, but everything I've tried for this one doesn't seem to work as I 
can't craft a working variable.

Am I stuck with hashing this file and every new version?  I realize there are 
options for not even installing some of the default apps that come with 10-we 
are looking at that as well, but we may want to allow the next gen sync client 
for some people later, if we ever get to one-to-one.

I'm also thinking that we might have a need to use this sort of path to ALLOW 
an executable to run from a user profile path.

Thanks for any and all ideas and suggestions!
-Bonnie



[NTSysADM] RE: Applocker Exe rules

2016-01-19 Thread Kennedy, Jim
And when B0$$ calls for onedrive you can put a path exception on the deny rule.

C:\users\Bo$$\appdata\onedrive.exe

And for the record, the above path is made up.  Dunno where onedrive hides.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Tuesday, January 19, 2016 3:01 PM
To: 'ntsys...@lists.myitforum.com'
Subject: [NTSysADM] RE: Applocker Exe rules

Wildcards work.   So add a specific deny for it for everyone.

C:\users\*\appdata \onedrive.exe


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 2:52 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Applocker Exe rules

I'm working on policies for our Win10 deployment (Surface Pro 4's have been 
ordered, they only come with 10) and have an applocker question, specifically 
with executable rules.

I can't use standard system variables in the paths, like we have done with 
Software Restriction Policies.  Instead there are some special vars available, 
but I'm not finding anything for user folders/appdata.  Has anyone found a way 
to define the following with any sort of variable?

C:\users\username\appdata\something.exe

Specifically, we have a program (onedrive.exe) that is in the user profile path 
by default, but needs to be blocked for all users, even administrators.  With 
the default rules, the program is blocked for everyone who is a standard user 
but is allowed for admins.

I know I can successfully block programs for admins as I have a similar rule 
already working that points to the groove.exe location in Program files and it 
can't be run, but everything I've tried for this one doesn't seem to work as I 
can't craft a working variable.

Am I stuck with hashing this file and every new version?  I realize there are 
options for not even installing some of the default apps that come with 10-we 
are looking at that as well, but we may want to allow the next gen sync client 
for some people later, if we ever get to one-to-one.

I'm also thinking that we might have a need to use this sort of path to ALLOW 
an executable to run from a user profile path.

Thanks for any and all ideas and suggestions!
-Bonnie



[NTSysADM] RE: Applocker Exe rules

2016-01-19 Thread Kennedy, Jim
Wildcards work.   So add a specific deny for it for everyone.

C:\users\*\appdata \onedrive.exe


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, January 19, 2016 2:52 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Applocker Exe rules

I'm working on policies for our Win10 deployment (Surface Pro 4's have been 
ordered, they only come with 10) and have an applocker question, specifically 
with executable rules.

I can't use standard system variables in the paths, like we have done with 
Software Restriction Policies.  Instead there are some special vars available, 
but I'm not finding anything for user folders/appdata.  Has anyone found a way 
to define the following with any sort of variable?

C:\users\username\appdata\something.exe

Specifically, we have a program (onedrive.exe) that is in the user profile path 
by default, but needs to be blocked for all users, even administrators.  With 
the default rules, the program is blocked for everyone who is a standard user 
but is allowed for admins.

I know I can successfully block programs for admins as I have a similar rule 
already working that points to the groove.exe location in Program files and it 
can't be run, but everything I've tried for this one doesn't seem to work as I 
can't craft a working variable.

Am I stuck with hashing this file and every new version?  I realize there are 
options for not even installing some of the default apps that come with 10-we 
are looking at that as well, but we may want to allow the next gen sync client 
for some people later, if we ever get to one-to-one.

I'm also thinking that we might have a need to use this sort of path to ALLOW 
an executable to run from a user profile path.

Thanks for any and all ideas and suggestions!
-Bonnie



RE: [NTSysADM] Source of DNS queries

2016-01-11 Thread Kennedy, Jim
Doug Burks also does a boatload of training on it.  Most of it is available 
online for reasonable fee. I got turned onto it at Derbycon a few years ago by 
Doug, he is a great guy. Very easy to work with.

-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Joey Smith
Sent: Saturday, January 9, 2016 7:27 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Source of DNS queries

On Fri, 8 Jan 2016, Kennedy, Jim wrote:

> Another option.  Port mirror your DNS server and spin up 
> SecurityOnion.  That is what I am using….port mirroring all my 
> to/from server traffic to it.  That will get you basic IDS, or you can 
> use the Bro logs.

I definitely like Security Onion.  It's a beast to learn, but it does get all 
the tools installed or staged to use for a nice Open Source Network 
Monitoring System.   

I would recommend Standalone mode to start and get a copy of Richard
Bejtlich's Practice of Network Security Monitoring. They're big fans of
Security Onion and even hired the author of SO to work for them.   Good
stuff!  







[NTSysADM] RE: In-place upgrade of a 2008 R2 DC to 2012 R2?

2016-01-08 Thread Kennedy, Jim
Oh now you’ve done it.

I asked this question back in the spring of this year.  Got a bazillion ‘you 
are crazy don’t do it’.  But no one that had ever tried it that I could tell, 
including me.  I was also in the you are crazy camp.  But it is supported and 
this isn’t NT 4 anymore.  So I did 5 of our 6 and had no issues whatsoever. The 
one I didn’t do had questionable hardware, so it was replaced with new gear.  
My environment is fairly simple, everything is fully patched and maintained 
very well.  DC’s are only DC’s with DNS, DHCP and WINS.

After the first two, which are in my building, I decided to do the rest of them 
remote. No problems. If your stuff is clean, and you have a spare that isn’t 
mission critical, go for it. I think you will be fine.

Donning my flame resistant undies now.


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Jonathan Raper
Sent: Friday, January 8, 2016 2:26 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] In-place upgrade of a 2008 R2 DC to 2012 R2?

Happy New Year to the collective!

I know this has been supported since at least 2008….and sounds like it has 
improved with each iteration since.

However, I am old school and have *never* been a fan of any kind of in-place 
upgrade. Further….

The very first sentence in Microsoft’s TechNet article Upgrade Domain 
Controllers to Windows Server 2012 R2 and Windows Server 2012, updated less 
than a year ago:

“The recommended way to upgrade a domain is to promote domain controllers that 
run newer versions of Windows Server and demote older domain controllers as 
needed. That method is preferable to upgrading the operating system of an 
existing domain controller.”

That being said, I’ve got an admin (junior to me) who seems to think it is a 
good idea (because he wants to cut a corner). I and another peer (also a senior 
engineer) disagree with him.

Regardless, I’m curious if anyone here has tried this and if so what your 
experience was?

Thanks,

Jonathan




RE: [NTSysADM] Source of DNS queries

2016-01-08 Thread Kennedy, Jim
Another option.  Port mirror your DNS server and spin up SecurityOnion.  That 
is what I am using….port mirroring all my to/from server traffic to it.  That 
will get you basic IDS, or you can use the Bro logs.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 4:27 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Source of DNS queries

And, thanks to y'all for helping me talk it out, here's the general direction 
for what I'm trying to do.

https://www.alienvault.com/forums/discussion/4564/how-to-get-my-dns-logs-into-usm

Woot!

On Thu, Jan 7, 2016 at 3:55 PM, Richard Stovall wrote:
The SIEM can do it, but I guess I'm missing how to get it in there using the 
default tools in Windows Server.

On Thu, Jan 7, 2016 at 3:48 PM, Michael B. Smith wrote:
Well, if your SIEM can’t parse it, it’s pretty easy to do with WMI/PowerShell.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 3:16 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Source of DNS queries

Not averse to it, per se.  They just get pretty big pretty quickly, and are 
temporal because they wrap as well.

Just thinking out loud about how it would be nice to have the relevant info in 
a single, non-expiring repository.

On Thu, Jan 7, 2016 at 2:41 PM, Michael B. Smith wrote:
Why are you averse to scanning the logs?

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 1:49 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Source of DNS queries

I am in the early stages of deploying a SIEM solution and one of the things 
that pop up occasionally are alarms for when a DNS query is conducted and the 
response contains a known-malicious ip.  What I'm trying to do is figure out 
which machine queried the DNS server because the alert just shows that a query 
response with the malicious ip went back to the DNS server.

Short of enabling DNS debug logging on my MS DNS servers and picking through 
them to find the source of the query, is there another solution that's more 
permanent?

I'm thinking that if I had something like a "DNS proxy" that does the kind of 
logging I'm looking for, that would be great.  Essentially a DNS server that 
forwards everything on to the 'regular' servers.

client  <-->  proxy  <-->  internal DNS server  <-->  external DNS servers

Just messing around with ideas.  Anyone have a solution to this already in 
place?  (Preferably one that's affordable for the little guys.  :-)

Thanks,
RS
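
One way to do the log scan Michael B. Smith suggests, as an added PowerShell example that is not part of any post: it lists the clients that asked the DNS server for a given name. The sample lines are constructed and assume the packet-line layout of the Windows DNS debug log with US-style timestamps; the function name and the flagged name beacon.example.net are hypothetical.

```powershell
# Added example, not from the thread. The sample lines are constructed; they
# follow the packet-line layout of a Windows DNS debug log:
# date time thread PACKET id UDP|TCP Snd|Rcv remote-IP xid [R] opcode [flags] type name
$SampleLog = @'
1/7/2016 1:48:57 PM 0A3C PACKET  000000E1F2A3B4C0 UDP Rcv 10.20.30.41     a1f3   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 1:48:57 PM 0A3C PACKET  000000E1F2A3B4C0 UDP Snd 10.20.30.41     a1f3 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 1:49:02 PM 0A40 PACKET  000000E1F2A3C110 UDP Rcv 10.20.30.77     5be2   Q [0001   D   NOERROR] A      (6)beacon(7)example(3)net(0)
1/7/2016 1:49:02 PM 0A40 PACKET  000000E1F2A3D220 UDP Snd 192.0.2.53      77c1   Q [0001   D   NOERROR] A      (6)beacon(7)example(3)net(0)
1/7/2016 1:49:02 PM 0A40 PACKET  000000E1F2A3D220 UDP Rcv 192.0.2.53      77c1 R Q [8081   DR  NOERROR] A      (6)beacon(7)example(3)net(0)
1/7/2016 1:49:02 PM 0A40 PACKET  000000E1F2A3C110 UDP Snd 10.20.30.77     5be2 R Q [8081   DR  NOERROR] A      (6)beacon(7)example(3)net(0)
1/7/2016 1:52:40 PM 0A3C PACKET  000000E1F2A3E330 UDP Rcv 10.20.30.77     5bf0   Q [0001   D   NOERROR] AAAA   (6)beacon(7)example(3)net(0)
1/7/2016 2:05:11 PM 0A44 PACKET  000000E1F2A3F440 TCP Rcv 10.20.30.112    09ad   Q [0001   D   NOERROR] A      (6)BEACON(7)example(3)net(0)
1/7/2016 2:05:12 PM 0A44 EVENT   The DNS server has finished the background loading of zones.
'@ -split "`r?`n"

# One packet line. The QR column is a blank for a query and "R" for a response.
$PacketPattern = '^(?<ts>\d+/\d+/\d+ \d+:\d+:\d+(?: [AP]M)?) [0-9A-F]{4} PACKET\s+[0-9A-F]+ ' +
                 '(?<proto>UDP|TCP) (?<dir>Snd|Rcv) (?<ip>\S+)\s+[0-9A-F]{4} (?<qr>[ R]) \S ' +
                 '\[[^\]]*\]\s+(?<type>\S+)\s+(?<qname>(?:\(\d+\)[^()\s]*)+)$'

function Get-DnsQuerySource {
    # Hypothetical helper: which clients asked this server for $QueryName?
    param(
        [string[]]$LogLine,
        [Parameter(Mandatory)][string]$QueryName
    )
    $wanted = $QueryName.TrimEnd('.')

    $hits = foreach ($line in $LogLine) {
        if ($line -notmatch $PacketPattern) { continue }   # header, blank and non-packet lines
        $m = $Matches

        # Keep only queries the server RECEIVED. "Snd" queries are the server's
        # own lookups to its forwarders, and "R" lines are responses; neither
        # identifies the machine that asked.
        if ($m.dir -ne 'Rcv' -or $m.qr -eq 'R') { continue }

        # (6)beacon(7)example(3)net(0)  ->  beacon.example.net
        $name = ($m.qname -replace '\(\d+\)', '.').Trim('.')
        if ($name -ne $wanted) { continue }                # -ne ignores case, like DNS

        [pscustomobject]@{
            Time   = [datetime]::Parse($m.ts, [cultureinfo]::InvariantCulture)
            Client = $m.ip
            Type   = $m.type
        }
    }

    # One row per client: how often, which record types, first and last time seen.
    $hits | Group-Object Client | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Client    = $_.Name
            Queries   = $_.Count
            Types     = ($_.Group.Type | Sort-Object -Unique) -join ','
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
        }
    } | Sort-Object FirstSeen
}

Get-DnsQuerySource -LogLine $SampleLog -QueryName 'beacon.example.net' |
    Format-Table -AutoSize
```

Against a real log, pass the file's lines with Get-Content instead of $SampleLog. The forwarder at 192.0.2.53 never appears in the result because only received queries are counted.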





RE: [NTSysADM] AD question

2016-01-07 Thread Kennedy, Jim
Makes no difference.

Is the real issue here that there are ‘big’ delays in replication?

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Thursday, January 7, 2016 9:17 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] AD question

I’m just using the short domain name rather than FQDN – does that make a 
difference?

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Andrew S. Baker
Sent: 07 January 2016 14:13
To: ntsysadm
Subject: Re: [NTSysADM] AD question

If you browse to \\fqdn\someshare, where you end up 
is determined by DNS resolution.

\\contoso.com\NetLogon will be resolved to 
\\some.contoso.dc.ip\NetLogon and then 
your system will go there.






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market…


 GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Thu, Jan 7, 2016 at 7:32 AM, James Rankin wrote:
A question for the AD masters out there…

If I browse to the \\DOMAIN\netlogon share, how is 
the DC I browse to in this instance defined? I’m fairly sure it isn’t the 
server specified in the %LOGONSERVER% variable. Got users who are changing 
things in the NETLOGON share and they’re finding big delays in seeing these 
updates because they’re hitting servers in different physical sites.

Am I right in thinking it depends on how subnets are configured in Sites and 
Services? Or way off base?

Cheers,



James Rankin
EUC Director | HTG TaloSys | 07809 668579 | 
ja...@htguk.com
One Trinity Green, Eldon Street, South Shields, Tyne & Wear, NE33 1SA
Tel: 0191 481 3489
Email address: i...@talosys.co.uk
Website: www.talosys.co.uk




RE: [NTSysADM] Source of DNS queries

2016-01-07 Thread Kennedy, Jim


It all depends on what you are using, what it is monitoring and where it is 
monitoring. In my case I do a traffic capture on all traffic to and from my 
servers.  So I too see the server make the request, and also the client.  Then 
the box analyzes all the traffic. A second monitoring point to and from the 
internet is in the works.


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 3:19 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Source of DNS queries

In this instance I don't know the original source of the query, be it an 
iPhone, PC, server, or whatever.  Trying to find a way to make discovering that 
device as easy as possible.

On Thu, Jan 7, 2016 at 2:44 PM, Ed Ziots wrote:

I agree the malicious iPhone should be blocked then you can parse firewall logs 
to see who are the connection and just put that on a egress filter last 
firewall block rule.

Ed
On Jan 7, 2016 2:42 PM, "Michael B. Smith" wrote:
Why are you averse to scanning the logs?

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 1:49 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Source of DNS queries

I am in the early stages of deploying a SIEM solution and one of the things 
that pop up occasionally are alarms for when a DNS query is conducted and the 
response contains a known-malicious ip.  What I'm trying to do is figure out 
which machine queried the DNS server because the alert just shows that a query 
response with the malicious ip went back to the DNS server.

Short of enabling DNS debug logging on my MS DNS servers and picking through 
them to find the source of the query, is there another solution that's more 
permanent?

I'm thinking that if I had something like a "DNS proxy" that does the kind of 
logging I'm looking for, that would be great.  Essentially a DNS server that 
forwards everything on to the 'regular' servers.

client  <-->  proxy  <-->  internal DNS server  <-->  external DNS servers

Just messing around with ideas.  Anyone have a solution to this already in 
place?  (Preferably one that's affordable for the little guys.  :-)

Thanks,
RS



RE: [NTSysADM] Source of DNS queries

2016-01-07 Thread Kennedy, Jim
So if we merged our networks we would both be golden.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 3:35 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Source of DNS queries

Got it.  At the moment, I've only got the capability to capture LAN <--> 
Internet.

On Thu, Jan 7, 2016 at 3:25 PM, Kennedy, Jim 
<kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>> wrote:


It all depends on what you are using, what it is monitoring and where it is 
monitoring. In my case I do a traffic capture on all traffic to and from my 
servers.  So I too see the server make the request, and also the client.  Then 
the box analyzes all the traffic. A second monitoring point to and from the 
internet is in the works.


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>] 
On Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 3:19 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] Source of DNS queries

In this instance I don't know the original source of the query, be it an 
iPhone, PC, server, or whatever.  Trying to find a way to make discovering that 
device as easy as possible.

On Thu, Jan 7, 2016 at 2:44 PM, Ed Ziots 
<eziot...@gmail.com<mailto:eziot...@gmail.com>> wrote:

I agree the malicious iPhone should be blocked then you can parse firewall logs 
to see who are the connection and just put that on a egress filter last 
firewall block rule.

Ed
On Jan 7, 2016 2:42 PM, "Michael B. Smith" 
<mich...@smithcons.com<mailto:mich...@smithcons.com>> wrote:
Why are you averse to scanning the logs?

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>] 
On Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 1:49 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Source of DNS queries

I am in the early stages of deploying a SIEM solution and one of the things 
that pop up occasionally are alarms for when a DNS query is conducted and the 
response contains a known-malicious ip.  What I'm trying to do is figure out 
which machine queried the DNS server because the alert just shows that a query 
response with the malicious ip went back to the DNS server.

Short of enabling DNS debug logging on my MS DNS servers and picking through 
them to find the source of the query, is there another solution that's more 
permanent?

I'm thinking that if I had something like a "DNS proxy" that does the kind of 
logging I'm looking for, that would be great.  Essentially a DNS server that 
forwards everything on to the 'regular' servers.

client  <-->  proxy  <-->  internal DNS server  <-->  external DNS servers

Just messing around with ideas.  Anyone have a solution to this already in 
place?  (Preferably one that's affordable for the little guys.  :-)

Thanks,
RS




[NTSysADM] RE: Win 10 applocker

2015-12-22 Thread Kennedy, Jim
Don’t forget to deploy the default rules for packaged apps and enforce them.  
It will block all the preinstalled apps including the start menu, so I read…..

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Miller Bonnie L.
Sent: Tuesday, December 22, 2015 3:19 PM
To: 'ntsys...@lists.myitforum.com'
Subject: [NTSysADM] RE: Win 10 applocker

The win10 box I have started for testing is honoring our existing settings for 
the service, but we don’t deploy the service change via prefs.  We use 
\Computer configuration\Windows Settings\Security Settings\System Services and 
set Application Identity to automatic.

Haven’t actually started testing applocker & new apps, but the service is 
running and set correctly.

-Bonnie

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Tuesday, December 22, 2015 8:00 AM
To: 'ntsys...@lists.myitforum.com' 
<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Subject: [NTSysADM] Win 10 applocker


If you are pushing it via GPO there is a chance it is not working.

Setting the startup type to Automatic does not work in Pref’s, you will see the 
GPO denied in your event log.  You have to regedit it to Automatic, and also 
delete the TriggerInfo key to remove the trigger restriction.

At this point, I am not getting any message when it blocks something.  No pop 
up telling the user what happened as it did in Win 7.


[NTSysADM] Win 10 applocker

2015-12-22 Thread Kennedy, Jim
If you are pushing it via GPO there is a chance it is not working.

Setting the startup type to Automatic does not work in Pref’s, you will see the 
GPO denied in your event log.  You have to regedit it to Automatic, and also 
delete the TriggerInfo key to remove the trigger restriction.

At this point, I am not getting any message when it blocks something.  No pop 
up telling the user what happened as it did in Win 7.


RE: [NTSysADM] browse / mount VHD file offline

2015-12-22 Thread Kennedy, Jim
http://www.howtogeek.com/51174/mount-and-unmount-a-vhd-file-in-windows-explorer-via-a-right-click/


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of J- P
Sent: Tuesday, December 22, 2015 11:15 AM
To: NT
Subject: [NTSysADM] browse / mount VHD file offline


Hi all,

I have a server that won't boot due to the notorious Broadcom bxvbda.sys 
driver,

I can boot into recovery and see  the files are all there,  HOWEVER,  the 
particular files I want to get to right away, are inside  a guest OS ( 1 TB VHD)
I can also boot into Centos (livecd) and see the VHD  as well .

Trying to copy the VHD will take approx. 4 hours , I was hoping to somehow  
mount /  browse the VHD file ( be it on *nix  or any other means) for a 
particular folder and copy its content  to a usb drive for a user,



is there anything I can boot into that will allow the exploring / browsing of a 
VHD file?





RE: [NTSysADM] Barracuda Spam fw appliance

2015-12-18 Thread Kennedy, Jim
Take a look at adding some external RBL’s to augment Cuda’s.

https://www.spamhaus.org/sbl/  and 
https://www.spamcop.net/fom-serve/cache/290.html



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Jake Gardner
Sent: Friday, December 18, 2015 10:54 AM
To: 'ntsys...@lists.myitforum.com'
Subject: RE: [NTSysADM] Barracuda Spam fw appliance

I guess my question was if anyone else is seeing this type of increase.

Is there a list of common regex’s that I could use?

Thanks,

Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Todd Lemmiksoo
Sent: Friday, December 18, 2015 10:14 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Barracuda Spam fw appliance

I have a physical 400 and a virtual 300 in a cluster config. I also block .ru, 
.cn, .cz
Ask your questions.

On Fri, Dec 18, 2015 at 9:08 AM, Sean Martin wrote:
We have a couple of 800s, but they're second tier behind ProofPoint, so they 
don't see a lot of malicious traffic. What does slip through ProofPoint does 
appear to get caught by the Barracuda's in most cases.

- Sean

On Fri, Dec 18, 2015 at 5:37 AM, Jake Gardner wrote:
Does anyone here use one?  We have a model 300 and lately we are getting 
absolutely hammered with SPAM that the ‘cuda just won’t catch.

I have opened a few tickets with them about the issue and all they say is that 
my firewall is blocking the ‘cuda from checking websites.  I’ve checked my 
firewall and I don’t see any blocks and the ‘cuda is in a policy with no  
outbound restrictions.

The only thing that seems to slow it down is rate control.  I turned it down to 
20/30mins.   In the last 9 hours it controlled 3700 and only outright blocked 
1450. We see about 17k messages a day on average.  A couple months ago we 
were averaging 12k.


Thanks,

Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com



***Teletronics Technology Corporation***
This e-mail is confidential and may also be privileged. If you are not the 
addressee or authorized by the addressee to receive this e-mail, you may not 
disclose, copy, distribute, or use this e-mail. If you have received this 
e-mail in error, please notify the sender immediately by reply e-mail or by 
telephone at 267-352-2020 and destroy this message and any 
copies.

Thank you.

***




--
T. Todd Lemmiksoo




[NTSysADM] RE: ptr records

2015-12-07 Thread Kennedy, Jim
Who owns/controls the IP addresses?  That is who has to do the PTR records.  
What is the sending IP address?

Sorry, I was out of touch this weekend so I didn't get through the whole thread 
of your issue.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Monday, December 7, 2015 9:41 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: ptr records

It might be since it doesn't appear that my new PTR records are there.
It's like the company I am using did the A, CNAME, MX records but did not 
remove the old or add the new.


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Monday, December 7, 2015 9:37 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: ptr records

The old PTR records won't cause this issue.  Consider the process that is 
happening..

You HELO mailout.imcu.com and connect from 192.168.1.1

The receiving server looks at the A record for mailout.imcu.com...it must match 
192.168.1.1
It then looks at the PTR for 192.168.1.1 it must return mailout.imcu.com

They are not looking at your old PTR records, they don't even know about them 
anymore.  That isn't your issue.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Monday, December 7, 2015 9:31 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: ptr records

Or maybe just maybe I need to ask them to show me the old PTR's we migrated 
from.
Just happened to think this morning that maybe the old PTR's were out there.
They are right there like always.
Have asked them to remove the old PTR for the old IP's.
You would think after this many years I would know to ask that type of question.


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of HELP_PC
Sent: Monday, December 7, 2015 12:50 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: ptr records

As long as you have a A record recorded for your domain the ISP should have a 
subsequent PTR record

GuidoElia
HELPPC-HELPPCSERVICE

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[listsadmin@lists.myitforum.com] on behalf of David McSpadden [dav...@imcu.com]
Sent: Sunday, December 6, 2015 17:59
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>; 
excha...@lists.myitforum.com<mailto:excha...@lists.myitforum.com>
Subject: [NTSysADM] RE: ptr records

Thank you all

The PTR records are still not out there.

Gonna be a busy day Monday.



AT and Comcast are refusing our traffic.




From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[listsadmin@lists.myitforum.com] on behalf of Brian Desmond 
[br...@briandesmond.com]
Sent: Saturday, December 05, 2015 6:17 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>; 
excha...@lists.myitforum.com<mailto:excha...@lists.myitforum.com>
Subject: [NTSysADM] RE: ptr records
No, they're not necessary.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Friday, December 4, 2015 1:55 PM
To: excha...@lists.myitforum.com<mailto:excha...@lists.myitforum.com>; 
ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] ptr records

Do I need PTR records for Legacymail, outlook, and autodiscover?

This e-mail and any files transmitted with it are property of Indiana Members 
Credit Union, are confidential, and are intended solely for the use of the 
individual or entity to whom this e-mail is addressed. If you are not one of 
the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender and delete this 
message immediately from your computer. Any other use, retention, 
dissemination, forwarding, printing, or copying of this email is strictly 
prohibited.


Please consider the environment before printing this email.


[NTSysADM] RE: ptr records

2015-12-07 Thread Kennedy, Jim
Yep, no ptr for 192.171.14.74.  At least you know what it is, now it is just 
the struggle to get the folks to fix it up.

http://mxtoolbox.com/domain is a great way to check all this out.  If you plug 
in mail.imcu.com it will let you cycle through finding problems.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Monday, December 7, 2015 9:54 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: ptr records

No worries.
We purchased a class c.
We migrated from our ISP to our own class c addresses.
Web Solutions at Fiserv hosts our website and offers DNS management.
They are responsible for our DNS updates.
Looks to me like they have not removed some PTR's and have not added some PTR's.
Once I have a clean Zone I'll let everyone know.
And we can see about any other issues that may be out there.
What I want to see is this:

imcu.com.
@                            86400  IN  SOA    pdns206.ultradns.com. bill\.krause.fiserv.com. (
                                               2014081271 ;Serial
                                               10800      ;Refresh
                                               3600       ;Retry
                                               2592000    ;Expire
                                               86400      ;Minimum
                                               )
@                            86400  IN  NS     pdns206.ultradns.org.
@                            86400  IN  NS     pdns206.ultradns.com.
@                            86400  IN  NS     pdns206.ultradns.net.
@                            86400  IN  NS     pdns206.ultradns.biz.
@                            86400  IN  A      12.145.177.146
@                            86400  IN  MX     10 mail.imcu.com.
@                            86400  IN  TXT    "v=spf1 ip4:184.72.242.195 ip4:192.171.14.74 ~all"
@                            86400  IN  TXT    "\"v=spf1 ip4:184.72.242.195 ip4:192.171.14.74 ~all\""
www                          86400  IN  A      12.145.177.146
mail                         600    IN  A      192.171.14.74
autodiscover                 600    IN  A      192.171.14.74
legacymail                   600    IN  A      192.171.14.74
outlook                      600    IN  A      192.171.14.74
secure                       600    IN  A      192.171.14.73
ftp                          600    IN  A      192.171.14.72
vpn                          86400  IN  A      38.109.185.130
m                            86400  IN  CNAME  ml-http-generic-300922534.us-east-1.elb.amazonaws.com.
74.14.171.192.in-addr.arpa   86400  IN  PTR    mail.imcu.com.
72.14.171.192.in-addr.arpa   86400  IN  PTR    ftp.imcu.com.
73.14.171.192.in-addr.arpa   86400  IN  PTR    secure.imcu.com.
130.185.109.38.in-addr.arpa  86400  IN  PTR    VPN.IMCU.COM.

But the PTR's are not there  at all and these old PTR's are still hanging out 
there:
193.185.109.38.in-addr.arpa  86400  IN  PTR    mail.IMCU.COM.
194.185.109.38.in-addr.arpa  86400  IN  PTR    board.IMCU.COM.
196.185.109.38.in-addr.arpa  86400  IN  PTR    ftp.IMCU.COM.
193.185.109.38.in-addr.arpa  86400  IN  PTR    mx1.IMCU.COM.
206.185.109.38.in-addr.arpa  86400  IN  PTR    secure.IMCU.COM.

ATT.net, Comcast.net, sbcglobal.net, and Aol.com are all bouncing my outbound 
email.



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Monday, December 7, 2015 9:44 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys.
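
The check Jim Kennedy walks through in this thread (the HELO name's A record must match the connecting IP, and that IP's PTR must return the HELO name), as an added PowerShell example that is not part of any post. It runs offline against record data copied from the zone listing above; the function and variable names are illustrative, and a live check would query DNS instead of these tables.

```powershell
# Added example, not from the thread. Record data is copied from the zone
# listing David McSpadden posted; function and variable names are illustrative.

# Forward zone: host name -> A record(s)
$Forward = @{
    'mail.imcu.com'   = @('192.171.14.74')
    'secure.imcu.com' = @('192.171.14.73')
    'ftp.imcu.com'    = @('192.171.14.72')
    'vpn.imcu.com'    = @('38.109.185.130')
}

# Reverse zone as the thread says it is published now:
# the new PTRs are missing and the old ones are still there.
$PtrPublished = @{
    '193.185.109.38.in-addr.arpa' = @('mail.IMCU.COM.', 'mx1.IMCU.COM.')
    '194.185.109.38.in-addr.arpa' = @('board.IMCU.COM.')
    '196.185.109.38.in-addr.arpa' = @('ftp.IMCU.COM.')
    '206.185.109.38.in-addr.arpa' = @('secure.IMCU.COM.')
}

# Reverse zone as David wants it to look.
$PtrWanted = @{
    '74.14.171.192.in-addr.arpa'  = @('mail.imcu.com.')
    '72.14.171.192.in-addr.arpa'  = @('ftp.imcu.com.')
    '73.14.171.192.in-addr.arpa'  = @('secure.imcu.com.')
    '130.185.109.38.in-addr.arpa' = @('VPN.IMCU.COM.')
}

function ConvertTo-ReverseName {
    # 192.171.14.74 -> 74.14.171.192.in-addr.arpa
    param([Parameter(Mandatory)][string]$IPv4)
    $addr = [System.Net.IPAddress]::Parse($IPv4)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "This example handles IPv4 only: $IPv4"
    }
    $octets = $addr.GetAddressBytes()
    [array]::Reverse($octets)
    ($octets -join '.') + '.in-addr.arpa'
}

function Test-FCrDNS {
    # The two lookups a receiving mail server makes for an inbound connection.
    param(
        [Parameter(Mandatory)][string]$HeloName,
        [Parameter(Mandatory)][string]$ConnectingIP,
        [Parameter(Mandatory)][hashtable]$ForwardZone,
        [Parameter(Mandatory)][hashtable]$ReverseZone
    )
    $name = $HeloName.TrimEnd('.').ToLowerInvariant()

    # Step 1: the A record for the HELO name must include the connecting IP.
    $aRecords  = @($ForwardZone[$name] | Where-Object { $_ })
    $forwardOk = $aRecords -contains $ConnectingIP

    # Step 2: the PTR for the connecting IP must return the HELO name.
    # Names are compared without the trailing dot and without regard to case.
    $ptrKey    = ConvertTo-ReverseName -IPv4 $ConnectingIP
    $ptrNames  = @($ReverseZone[$ptrKey] | Where-Object { $_ } |
                   ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })
    $reverseOk = $ptrNames -contains $name

    if (-not $forwardOk) {
        $reason = 'A record does not match the connecting IP'
    } elseif ($ptrNames.Count -eq 0) {
        $reason = "no PTR record at $ptrKey"
    } elseif (-not $reverseOk) {
        $reason = 'PTR does not return the HELO name'
    } else {
        $reason = 'forward and reverse agree'
    }

    [pscustomobject]@{
        HeloName     = $name
        ConnectingIP = $ConnectingIP
        Ptr          = $ptrNames -join ','
        Pass         = ($forwardOk -and $reverseOk)
        Reason       = $reason
    }
}

# Run every host in the forward zone against both versions of the reverse zone.
foreach ($state in 'published now', 'after the fix') {
    $reverse = if ($state -eq 'published now') { $PtrPublished } else { $PtrWanted }
    "Reverse zone: $state"
    $Forward.Keys | Sort-Object | ForEach-Object {
        Test-FCrDNS -HeloName $_ -ConnectingIP ($Forward[$_][0]) `
                    -ForwardZone $Forward -ReverseZone $reverse
    } | Format-Table -AutoSize | Out-String
}
```

The stale PTRs under 38.109.185.x are never consulted, since a receiver only looks up the reverse name of the address that actually connected.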

[NTSysADM] RE: ptr records

2015-12-07 Thread Kennedy, Jim
The old PTR records won't cause this issue.  Consider the process that is 
happening..

You HELO mailout.imcu.com and connect from 192.168.1.1

The receiving server looks at the A record for mailout.imcu.com...it must match 
192.168.1.1
It then looks at the PTR for 192.168.1.1 it must return mailout.imcu.com

They are not looking at your old PTR records, they don't even know about them 
anymore.  That isn't your issue.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Monday, December 7, 2015 9:31 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: ptr records

Or maybe just maybe I need to ask them to show me the old PTR's we migrated 
from.
Just happened to think this morning that maybe the old PTR's were out there.
They are right there like always.
Have asked them to remove the old PTR for the old IP's.
You would think after this many years I would know to ask that type of question.


From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of HELP_PC
Sent: Monday, December 7, 2015 12:50 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: ptr records

As long as you have a A record recorded for your domain the ISP should have a 
subsequent PTR record

GuidoElia
HELPPC-HELPPCSERVICE

From: listsadmin@lists.myitforum.com 
[listsadmin@lists.myitforum.com] on behalf of David McSpadden [dav...@imcu.com]
Sent: Sunday, December 6, 2015 17:59
To: ntsys...@lists.myitforum.com; 
excha...@lists.myitforum.com
Subject: [NTSysADM] RE: ptr records

Thank you all

The PTR records are still not out there.

Gonna be a busy day Monday.



AT and Comcast are refusing our traffic.




From: listsadmin@lists.myitforum.com 
[listsadmin@lists.myitforum.com] on behalf of Brian Desmond 
[br...@briandesmond.com]
Sent: Saturday, December 05, 2015 6:17 PM
To: ntsys...@lists.myitforum.com; 
excha...@lists.myitforum.com
Subject: [NTSysADM] RE: ptr records
No, they're not necessary.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Friday, December 4, 2015 1:55 PM
To: excha...@lists.myitforum.com; 
ntsys...@lists.myitforum.com
Subject: [NTSysADM] ptr records

Do I need PTR records for Legacymail, outlook, and autodiscover?




RE: [NTSysADM] RE: DC's not getting updates

2015-11-20 Thread Kennedy, Jim
Check and see if someone disabled IPV6.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Thursday, November 19, 2015 10:36 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] RE: DC's not getting updates

Dcdiag tested good
I'll dig deeper in the morning.

Sent from my iPhone

On Nov 19, 2015, at 10:19 PM, Andrew S. Baker wrote:
I just had to address an issue like that recently, where DCDIAG showed RPC 
errors (1722), which turned out to be one DC that wasn't listening on an IPv6 
interface...

Fun times.






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...


 GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Thu, Nov 19, 2015 at 5:27 PM, Michael B. Smith wrote:
I'd start with dcdiag.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of David McSpadden
Sent: Thursday, November 19, 2015 4:57 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] DC's not getting updates

I have 5 DC's
2 2012R2's (One is the Primary)
1 2008
1 2008 Read Only
And a 2003 (I know, it is going away as soon as I can get the last app off of 
it.)
I made a change to a user account on a 2012r2 the other day (Name change).
It still had not made it to the 2008 server after 48 hours but when I look in 
repadmin syncing looks fine?
Where should I be looking for something like this?





[NTSysADM] RE: KMS fact check. SOLVED

2015-11-19 Thread Kennedy, Jim
And the correct answer is it requires 25 Win 10 boxes after you put in the 
actual correct KMS key.


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: 13. november 2015 14:24
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] KMS fact check.


When I add a new Win 10 KMS key to my existing server that has been happily 
activating Win 7, Office and servers for years I still need 25 Win 10 clients 
right.  It is 25 for EACH client OS?




[NTSysADM] RE: KMS fact check. SOLVED

2015-11-19 Thread Kennedy, Jim
And I believed you.   But it wasn't working, I actually gave up on the 2012 R2 
build after realizing my key mistake.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, November 19, 2015 3:50 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: KMS fact check. SOLVED

I TOLD YOU THAT.

:)

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Thursday, November 19, 2015 3:46 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: KMS fact check. SOLVED

And the correct answer is it requires 25 Win 10 boxes after you put in the 
actual correct KMS key.


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: 13. november 2015 14:24
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] KMS fact check.


When I add a new Win 10 KMS key to my existing server that has been happily 
activating Win 7, Office and servers for years I still need 25 Win 10 clients 
right.  It is 25 for EACH client OS?




[NTSysADM] RE: KMS fact check. SOLVED

2015-11-19 Thread Kennedy, Jim
Oh my. It failed at 3:27 shortly after putting the correct kms key in and 
clearly said it was because the count was too low.  After sending my findings 
to the list, I hit activate on it again...it activated.  We do not have 25 Win 
10 clients on the network.  8 tops and half of those are laptops that are 
mostly off.



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Thursday, November 19, 2015 3:53 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: KMS fact check. SOLVED

And I believed you.   But it wasn't working, I actually gave up on the 2012 R2 
build after realizing my key mistake.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Thursday, November 19, 2015 3:50 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: KMS fact check. SOLVED

I TOLD YOU THAT.

:)

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Thursday, November 19, 2015 3:46 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: KMS fact check. SOLVED

And the correct answer is it requires 25 Win 10 boxes after you put in the 
actual correct KMS key.


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: 13. november 2015 14:24
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] KMS fact check.


When I add a new Win 10 KMS key to my existing server that has been happily 
activating Win 7, Office and servers for years I still need 25 Win 10 clients 
right.  It is 25 for EACH client OS?




[NTSysADM] RE: Certificate Authority and KMS

2015-11-19 Thread Kennedy, Jim
Cert authority runs on DC's.  I think they have to be...part of AD. However I 
don't use it anymore. Just bought a wildcard cert from GoDaddy.  I hate certs.

KMS is on my SystemCenter server. I don't put anything on a DC that isn't 
required to be on a DC.

All 2012 R2's

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Thursday, November 19, 2015 9:59 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Certificate Authority and KMS

Do you have to have these in Active Directory?
If so do they run on the DC's?
In a 2012 R2 environment that is?





[NTSysADM] RE: Certificate Authority and KMS

2015-11-19 Thread Kennedy, Jim
I think all you need to do is delete the offending cert to fix the RDP issue. 
Betting you have an old cert laying around.  Export it before you delete it, 
just in case.

Damn it, now I am involved in certs and kms on the same day.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Thursday, November 19, 2015 10:09 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Certificate Authority and KMS

Good to know.
If I get a cert from GoDaddy, put it on the DC's, would this make my 'RDP your 
workstation cert is bogus message' go away?
And I am evaluating the KMS and SCCM server seems like a good fit for me as 
well.


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Thursday, November 19, 2015 10:03 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: Certificate Authority and KMS

Cert authority runs on DC's.  I think they have to be...part of AD. However I 
don't use it anymore. Just bought a wildcard cert from GoDaddy.  I hate certs.

KMS is on my SystemCenter server. I don't put anything on a DC that isn't 
required to be on a DC.

All 2012 R2's

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Thursday, November 19, 2015 9:59 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Certificate Authority and KMS

Do you have to have these in Active Directory?
If so do they run on the DC's?
In a 2012 R2 environment that is?





RE: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2

2015-11-19 Thread Kennedy, Jim
Thanks man, I have given up on using my 2008 r2 box for KMS anymore for Win 10. 
 And I am literally moments away from adding keys to my new 2012 r2 kms box.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Webster
Sent: Thursday, November 19, 2015 9:45 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2


I found this https://support.microsoft.com/en-us/kb/3094354

Can't add CSVLKs for Windows 10 activation to VAMT 3.1
Describes an issue that triggers a ... To work around this issue, use one of 
the following methods. Method 1 Do not add the CSVLK to the VAMT 3.1 tool.


and did the cli option but it still will not add the Win10 key.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com<http://www.carlwebster.com/>


From: listsadmin@lists.myitforum.com <listsadmin@lists.myitforum.com> on behalf 
of Webster <webs...@carlwebster.com>
Sent: Thursday, November 19, 2015 8:31 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2


I just added them in. I tried to add their Win10 KMS key but it said their VAMT 
3.0 was not compatible with that key. I will leave that for their guy to handle 
tomorrow unless you can tell me how to resolve that.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com<http://www.carlwebster.com/>


From: listsadmin@lists.myitforum.com <listsadmin@lists.myitforum.com> on behalf 
of Kennedy, Jim <kennedy...@elyriaschools.org>
Sent: Thursday, November 19, 2015 8:20 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2


Did the kms keys get added back in for Win 7?



I hate KMS almost as much as I hate certs.



From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Webster
Sent: Thursday, November 19, 2015 9:18 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2



The server it was on refused to upgrade or be removed from the domain (it put 
itself on a public network, took some effort to get that resolved and then it 
refused to see any of the DCs or DNS servers). They wound up having to do what 
I originally asked them to do. Build a new VM and start fresh. Then we had 
issues getting SQL Server Express 2012/2014 installed on the new server. Found 
a full SQL Server they allowed me to use for the VAMT database. Now none of 
their Windows 7 machines are showing as activated. I never actually work with 
KMS or VAMT and the guy who does this is out today with sick kids. Trying to 
get this resolved now.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com<http://www.carlwebster.com/>





From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
<listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>> on 
behalf of Kennedy, Jim 
<kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>>
Sent: Thursday, November 19, 2015 7:17 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: RE: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2



So, how did the KMS part go?



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Webster
Sent: Thursday, November 19, 2015 6:01 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2



License cost is not an issue for this EDU. Limited virtualization resources 
were.





Webster



From: <listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>> 
on behalf of J- P <jnat...@hotmail.com<mailto:jnat...@hotmail.com>>
Reply-To: "ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>" 
<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Date: Thursday, November 19, 2015 at 2:24 AM
To: NT <ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Subject: RE: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2



May seem obvious, but you can get server license for next to nothing via 
techsoup.org , if I recall the std license is under 100, and datacenter like 
200 or so





From: webs...@carlwebster.com<mailto:webs...@carlwebster.com>
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2
Date: Wed, 1

RE: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2

2015-11-19 Thread Kennedy, Jim
So, how did the KMS part go?

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Webster
Sent: Thursday, November 19, 2015 6:01 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2

License cost is not an issue for this EDU. Limited virtualization resources 
were.


Webster

From: > 
on behalf of J- P >
Reply-To: "ntsys...@lists.myitforum.com" 
>
Date: Thursday, November 19, 2015 at 2:24 AM
To: NT >
Subject: RE: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2

May seem obvious, but you can get server license for next to nothing via 
techsoup.org , if I recall the std license is under 100, and datacenter like 
200 or so





From: webs...@carlwebster.com
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2
Date: Wed, 18 Nov 2015 20:15:17 +
Don't have the physical or virtual resources here to do that. I asked if we 
could just build two new 2012 R2 servers and the answer was no. Very tight 
budget here in this very small school system. Working with what I have to work with. 
At least we got all their AD/DNS/DHCP issues resolved. Now they want to move 
the last two DCs to 2012 R2.




Webster

From: listsadmin@lists.myitforum.com 
> on 
behalf of Michael B. Smith >
Sent: Wednesday, November 18, 2015 2:11 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: KMS update from 2008 R2 to 2012 R2

I didn’t say that. ☺

I’ve never upgraded a DC, since probably Win2003. I always flatten and rebuild.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Webster
Sent: Wednesday, November 18, 2015 3:06 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2

So the upgrade to 2012 R2 should not adversely affect the KMS that is already 
running on the server?


Webster


From: listsadmin@lists.myitforum.com 
> on 
behalf of Michael B. Smith >
Sent: Wednesday, November 18, 2015 2:03 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: KMS update from 2008 R2 to 2012 R2

VAS does not replace KMS. It adds additional capabilities – e.g., AD based 
activation.

https://technet.microsoft.com/en-us/library/hh831612.aspx

Volume Activation Overview on TechNet
This technical overview for the IT professional describes the volume activation 
technologies in Windows operating systems and how your organization can ...




From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Webster
Sent: Wednesday, November 18, 2015 2:31 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] KMS update from 2008 R2 to 2012 R2

2008 R2 Domain Controller has KMS installed.

We will be doing an in-place update of that server to 2012 R2 tonight. I have 
never worked with KMS before as it is usually taken care of when I get to a 
customer site. I see that in 2012 R2 there is a new role, Volume Activation 
Services, that replaces KMS. When the server is updating to 2012 R2, will the 
update process automatically install the VAS role or will I need to manually 
install it?

Is there anything else I need to consider before the update?

Thanks


Webster




RE: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2

2015-11-19 Thread Kennedy, Jim
Did the kms keys get added back in for Win 7?

I hate KMS almost as much as I hate certs.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Webster
Sent: Thursday, November 19, 2015 9:18 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2


The server it was on refused to upgrade or be removed from the domain (it put 
itself on a public network, took some effort to get that resolved and then it 
refused to see any of the DCs or DNS servers). They wound up having to do what 
I originally asked them to do. Build a new VM and start fresh. Then we had 
issues getting SQL Server Express 2012/2014 installed on the new server. Found 
a full SQL Server they allowed me to use for the VAMT database. Now none of 
their Windows 7 machines are showing as activated. I never actually work with 
KMS or VAMT and the guy who does this is out today with sick kids. Trying to 
get this resolved now.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com<http://www.carlwebster.com/>


From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
<listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>> on 
behalf of Kennedy, Jim 
<kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>>
Sent: Thursday, November 19, 2015 7:17 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: RE: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2


So, how did the KMS part go?



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Webster
Sent: Thursday, November 19, 2015 6:01 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2



License cost is not an issue for this EDU. Limited virtualization resources 
were.





Webster



From: <listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>> 
on behalf of J- P <jnat...@hotmail.com<mailto:jnat...@hotmail.com>>
Reply-To: "ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>" 
<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Date: Thursday, November 19, 2015 at 2:24 AM
To: NT <ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Subject: RE: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2



May seem obvious, but you can get server license for next to nothing via 
techsoup.org , if I recall the std license is under 100, and datacenter like 
200 or so






From: webs...@carlwebster.com<mailto:webs...@carlwebster.com>
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2
Date: Wed, 18 Nov 2015 20:15:17 +

Don't have the physical or virtual resources here to do that. I asked if we 
could just build two new 2012 R2 servers and the answer was no. Very tight 
budget here in this very small school system. Working with what I have to work with. 
At least we got all their AD/DNS/DHCP issues resolved. Now they want to move 
the last two DCs to 2012 R2.




Webster



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
<listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>> on 
behalf of Michael B. Smith <mich...@smithcons.com<mailto:mich...@smithcons.com>>
Sent: Wednesday, November 18, 2015 2:11 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: KMS update from 2008 R2 to 2012 R2



I didn't say that. :)



I've never upgraded a DC, since probably Win2003. I always flatten and rebuild.



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Webster
Sent: Wednesday, November 18, 2015 3:06 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Re: KMS update from 2008 R2 to 2012 R2



So the upgrade to 2012 R2 should not adversely affect the KMS that is already 
running on the server?





Webster





From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
<listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>> on 
behalf of Michael B. Smith <mich...@smithcons.com<mailto:mich...@smithcons.com>>
Sent: Wednesday, November 18, 2015 2:03 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: KMS update from 2008 R2 to 2012 R2



VAS does not replace KMS. It adds additional capabilities - e.g., AD based 
activation.

RE: [NTSysADM] Blocking Java, Google, Adobe automagic updaters

2015-11-16 Thread Kennedy, Jim
Putting on my PDQ Deploy advocate hat again.

The OP can solve the bandwidth issues and the control issues and the update 
issue for 500 bucks.  This thread and the prior work on all those GPO’s and the 
ongoing work every month costs his org more than that.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Richard Stovall
Sent: Monday, November 16, 2015 11:06 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Blocking Java, Google, Adobe automagic updaters



Totally understood.  This does not appear to be that sort of environment.  If I 
read the thread correctly, things appear to be working well for the OP with 
auto-updating enabled, except for Internet bandwidth saturation at inopportune 
times.  Purposefully disabling updates to vulnerable applications that are not 
bound to specific versions without a plan to immediately assume a managed plan 
to patch them is not wise at best. At worst it's potentially career limiting.



On Mon, Nov 16, 2015 at 10:23 AM, Mark Liechty 
> wrote:
On Nov 16, 2015, at 6:33 AM, Richard Stovall 
> wrote:
>
> Understood.  I totally get that there are valid reasons to retain old 
> versions of Java for some very specific use cases.  But Reader/Acrobat?  
> Chrome?  And heaven forbid, Flash?
> #


I worked with a medical device company a few years ago that was very specific 
about the Adobe Reader version.   They have very complex QA around any changes 
to the processes of any kind.  Rules come from the FDA, Legal Department and 
lots of other strangeness that IT cannot, and should not, control.

It seems that at one point the PDF documents that were generated by some other 
process did not display properly when looked at by the newest version ##.### of 
Adobe but were perfect when using version YY.YYY  since opening these documents 
was required for each device as it came from assembly (had testing results) we 
could not use the latest versions.

Added to that ANY change at any point in the process required a complete 
end-to-end revalidation\certification that was a very detailed process.

So we stayed with the old versions and moved on.  My last contact was 5 years 
later and they still had not been able to change.  What they had worked and 
there was no motivation to upgrade for the sake of being “new and shiny”






RE: [NTSysADM] Blocking Java, Google, Adobe automagic updaters

2015-11-16 Thread Kennedy, Jim

-1

Letting them auto update requires local admin for the currently logged in user, 
in most cases.


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Andrew S. Baker
Sent: Monday, November 16, 2015 9:30 AM
To: ntsysadm
Cc: Patch Management Mailing List (patchmanagem...@listserv.patchmanagement.org)
Subject: Re: [NTSysADM] Blocking Java, Google, Adobe automagic updaters

Agreed...






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market…


 GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Mon, Nov 16, 2015 at 9:23 AM, Richard Stovall 
> wrote:


If you don't have a robust strategy for keeping these applications updated, you 
might be better off letting them auto-update.  If you've got Internet-connected 
PCs running these applications, you're just asking to get bitten if you don't 
keep them up to date.  A managed strategy with reporting is best, but 
auto-updating is better than nothing (and certainly better than willfully 
keeping them out of date.)



On Mon, Nov 16, 2015 at 8:57 AM, David McSpadden 
> wrote:
I have put in place the GPO’s for these but apparently I don’t have the right 
settings.
Adobe DC Reader and Java update 6v8whatever are trying to update to my internet 
PC’s.
What should the settings be on the GPO’s to stop these autoupdaters from even 
running?





[NTSysADM] RE: OT : Notification apps for your mobile device of choice

2015-11-16 Thread Kennedy, Jim
Nine using folders rules in Exchange and VIP settings. Also Exchange only.

http://9folders.com/faq/


-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Dan Bartley
Sent: Monday, November 16, 2015 3:09 PM
To: 'ntsys...@lists.myitforum.com'
Subject: [NTSysADM] RE: OT : Notification apps for your mobile device of choice

Touchdown. It does all of that and more. It is for Exchange only though.

Best Regards,

Dan Bartley


-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Maglinger, Paul
Sent: Monday, November 16, 2015 15:06
To: New NT System Admin List (ntsys...@lists.myitforum.com) 

Subject: [NTSysADM] OT : Notification apps for your mobile device of choice

 We're a Blackberry shop, as far as our IS department is concerned.  Most other 
users have IOS devices.
One of the reasons we're still on BB is that there is an app for Blackberry 
called Hub++ that allows you to set up different notifications (sound and/or 
light) depending on the rules you set up.  You can base the rules on sender, 
recipient, subject, etc.  Very handy for a sys admin for getting you up at 
night when you need to be and letting you sleep through other stuff (like this 
list).  
With the release of the Blackberry Priv it's now going to be Android based and 
there doesn't appear to be any plans to develop HUB++ for it.  Also, the 
reviews for the Priv are less than stellar.  
What, if any, are you guys using to filter notifications of your emails?  We 
want to get more granular than just "high-importance".

-Paul





CONFIDENTIALITY NOTICE***The information contained in this message may be 
privileged, confidential, and protected from disclosure. If the reader of this 
message is not the intended recipient, or any employee or agent responsible for 
delivering this message to the intended recipient, you are hereby notified that 
any dissemination, distribution, or copying of this communication is strictly 
prohibited. If you have received this communication in error, please notify us 
immediately by replying to the message and deleting it from your computer. 
Thank you.







[NTSysADM] RE: Outlook patch issue?

2015-11-13 Thread Kennedy, Jim
3097877 is the problem child this month. It was killing Outlook and was revised 
Thursday morning. Not killing outlook anymore but still killing touchscreens on 
Win 7.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Friday, November 13, 2015 9:22 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Outlook patch issue?

Anyone seeing any issues with KB3101535 for Outlook?

We've seen some folks suddenly start having issues with Outlook not starting up 
and removing that patch seems to be the solution to the issue.  Still 
investigating, but I figured here was a good place to pose the question.

Thanks

Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | http://servicedesk.byers.com
--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.




[NTSysADM] KMS fact check.

2015-11-13 Thread Kennedy, Jim
When I add a new Win 10 KMS key to my existing server that has been happily 
activating Win 7, Office and servers for years I still need 25 Win 10 clients 
right.  It is 25 for EACH client OS?



[NTSysADM] Win 10 audit mode

2015-11-04 Thread Kennedy, Jim
Anyone else gone down this road yet?  It is a struggle, hitting ctrl shift F3 
blows up most of the time.  Sits at a black screen forever, or it fails with 
Windows cannot continue installation at this time.  Pulled a command prompt, 
logs are clean.  Enabling the Admin account, boot into safe mode then reboot 
again works…once in awhile.

Am I missing something here?


[NTSysADM] RE: Win 10 audit mode

2015-11-04 Thread Kennedy, Jim
It appears enabling the admin account and setting a blank password works, most 
of the time.  Still pretty flakey overall.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Wednesday, November 4, 2015 11:27 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Win 10 audit mode

Anyone else gone down this road yet?  It is a struggle, hitting ctrl shift F3 
blows up most of the time.  Sits at a black screen forever, or it fails with 
Windows cannot continue installation at this time.  Pulled a command prompt, 
logs are clean.  Enabling the Admin account, boot into safe mode then reboot 
again works…once in awhile.

Am I missing something here?


[NTSysADM] RE: PDF's not opening in IE

2015-11-03 Thread Kennedy, Jim
https://www.captechconsulting.com/blogs/allowing-pdfs-to-open-in-a-browser-in-sharepoint-2010-the-right-way


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Tuesday, November 3, 2015 1:24 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] PDF's not opening in IE

Using IE 10 32bit or 64 bit, Adobe Reader 9-11, on Windows 7 32 bit and 64 bit 
machines and not getting linked PDF's to open from our internal Sharepoint 2010 
server?

Chrome opens the files fine.
But my IE's are having issue?
Where do I look?
The below did not help.

http://superuser.com/questions/613214/ie10-does-not-open-pdf




[NTSysADM] Oracle builds a High School OT/Friday Funny

2015-10-30 Thread Kennedy, Jim
I sure as heck hope they aren’t teaching them to install Java.

http://www.latimes.com/business/technology/la-fi-oracle-high-school-20151027-story.html



RE: [NTSysADM] Cat5e or 6 for wifi

2015-10-30 Thread Kennedy, Jim
How long are the runs, and how old is the building?

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of J- P
Sent: Friday, October 30, 2015 1:44 PM
To: NT
Subject: [NTSysADM] Cat5e or 6 for wifi

Hi all,

I have a project coming up for 50 ap deployments, and they are asking "do they 
really need cat6"
I guess the bulk of the budget is going to the AP's and are trying to save 
elsewhere.

you would think they wouldn't quibble over 2500 after spending 30k on AP's

This is for an elementary school

any thoughts

tia




RE: [NTSysADM] Cat5e or 6 for wifi

2015-10-30 Thread Kennedy, Jim
I can't imagine how injectors could be a good idea, other than trying to save 
money in exchange for accepting complexity and unreliability.

I asked about length because unless it is 6a the potential for faster speeds 
later is limited.





From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of J- P
Sent: Friday, October 30, 2015 2:01 PM
To: NT
Subject: RE: [NTSysADM] Cat5e or 6 for wifi

waiting for floor plans,  no clue at this moment-

One thing i noticed, and I'm baffled by is that they are opting for 50 power 
injectors as opposed to using  POE switches





From: kennedy...@elyriaschools.org
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cat5e or 6 for wifi
Date: Fri, 30 Oct 2015 17:47:13 +
How long are the runs, and how old is the building?

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of J- P
Sent: Friday, October 30, 2015 1:44 PM
To: NT
Subject: [NTSysADM] Cat5e or 6 for wifi

Hi all,

I have a project coming up for 50 AP deployments, and they are asking "do they 
really need cat6"
I guess the bulk of the budget is going to the AP's and are trying to save 
elsewhere.

you would think they wouldn't quibble over 2500 after spending 30k on AP's

This is for an elementary school

any thoughts

tia



RE: [NTSysADM] Interactive Services Detection

2015-10-23 Thread Kennedy, Jim
It is manual as you say. I am thinking of disabling it altogether.

It is either the Java update, or a script to remove old versions of Java…have 
not narrowed it down yet as I released them both at the same time but certainly 
the removal script would be most suspect. It is not as widespread as I thought, 
just a handful of machines. I may also do nothing.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Micheal Espinola Jr
Sent: Thursday, October 22, 2015 11:54 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Interactive Services Detection

AFAIK, it should be disabled (or set to manual) by default.  It's considered a 
security risk (it attempts legacy interaction between service and user/desktop 
security), and was implemented as a temporary workaround for Vista. AFAIK, it 
was slated to be removed in later versions of Windows.

What do you have that's triggering it?



--
Espi


On Thu, Oct 22, 2015 at 11:24 AM, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:

What’s the down side to disabling it on the desktop?  I have some updates that 
are triggering it and annoying people with the pop ups.



[NTSysADM] Interactive Services Detection

2015-10-22 Thread Kennedy, Jim

What’s the down side to disabling it on the desktop?  I have some updates that 
are triggering it and annoying people with the pop ups.


RE: [NTSysADM] campus lockdown question

2015-10-20 Thread Kennedy, Jim
Perhaps a Net Send to pop a message…then wait 5 seconds…and then lock it.  You 
could  copy a custom lock screen photo to the computers ahead of time and set 
it with regedit as part of your procedure. Then undo it after the emergency.  
But that is a lot of moving parts and relies on computers being on to undo..

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of roycroet
Sent: Tuesday, October 20, 2015 11:21 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] campus lockdown question

Yes I can, is there any way to display a custom message in that lock screen?


On Tuesday, October 20, 2015 at 10:43, Erik Goldoff wrote:

do you have the ability on all the windows systems to remotely execute 
something like :
%windir%\system32\rundll32.exe user32.dll,LockWorkStation

same as CTRL-ALT-DEL , Lock Workstation from the keyboard


On Tue, Oct 20, 2015 at 10:28 AM, roycroet wrote:
Good morning,

I've been asked by our school to lock and display a message on all computers in 
case of a campus lockdown.

SMS and alert on our website are not enough for upper management, they want to 
completely lock the systems.

Any idea would be greatly appreciated!




[NTSysADM] Outlook 2016 Calendar OT

2015-10-16 Thread Kennedy, Jim
This is really bugging me, I just stare at it all day and get nothing done.

Since upgrading to Office 2016 the To Do Bar Calendar is not showing the dates 
I have appointments with a bold font.  I know they won't show bold unless the 
appointment is flagged as 'busy'.  They are, in fact I have tried every type to 
be sure.  Ran all the outlook switches, reset views...googled my fingers until 
they hurt.

Anyone else seeing this? Maybe it is working as intended now?


[NTSysADM] RE: Outlook 2016 Calendar OT

2015-10-16 Thread Kennedy, Jim
I am hating Outlook 2016.  It forgets view settings, PITA to propagate those 
settings to other folders...it just doesn't work that well or consistently.  
Slow as dirt switching folders. Reminds me why I rolled back from 2013. I will 
probably roll this one back also.

But it looks cool, that is all that matters right.

-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Friday, October 16, 2015 8:52 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Outlook 2016 Calendar OT

Me neither. Rather annoying now you've brought it to my attention. Looks like 
it's another change Microsoft have made for us that isn't very helpful...

-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: 16 October 2015 13:44
To: 'ntsys...@lists.myitforum.com' <ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Outlook 2016 Calendar OT

This is really bugging me, I just stare at it all day and get nothing done.

Since upgrading to Office 2016 the To Do Bar Calendar is not showing the dates 
I have appointments with a bold font.  I know they won't show bold unless the 
appointment is flagged as 'busy'.  They are, in fact I have tried every type to 
be sure.  Ran all the outlook switches, reset views...googled my fingers until 
they hurt.

Anyone else seeing this? Maybe it is working as intended now?


[NTSysADM] Power company vs fiber company. (OT)

2015-10-14 Thread Kennedy, Jim

So the other day the power company was working on the lines to one of our 
buildings and back hoe'd our fiber line.  Today the fiber company is out fixing 
it, they just back hoe'd the power lines.



RE: [NTSysADM] Power company vs fiber company. (OT)

2015-10-14 Thread Kennedy, Jim
Last I heard they are both there now.  We are watching the security cameras 
hoping for fisticuffs.


-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Wednesday, October 14, 2015 1:41 PM
To: ntsysadm <ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] Power company vs fiber company. (OT)

Hah!

Recursive BIFs.

I suppose there is some justice in the world after all...

Kurt

On Wed, Oct 14, 2015 at 10:37 AM, Kennedy, Jim <kennedy...@elyriaschools.org> 
wrote:
>
>
> So the other day the power company was working on the lines to one of 
> our buildings and back hoe’d our fiber line.  Today the fiber company 
> is out fixing it, they just back hoe’d the power lines.




[NTSysADM] RE: Power company vs fiber company. (OT)

2015-10-14 Thread Kennedy, Jim
It was our redundant fiber that was cut. Building is currently running on 
generator.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Wednesday, October 14, 2015 2:20 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Power company vs fiber company. (OT)

Which is why we have redundant fiber from opposite ends of the building and our 
power is actually from a redundant substation.  Even with that, they still 
manage to kill our power sometimes. :(

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Wednesday, October 14, 2015 1:38 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Power company vs fiber company. (OT)


So the other day the power company was working on the lines to one of our 
buildings and back hoe'd our fiber line.  Today the fiber company is out fixing 
it, they just back hoe'd the power lines.



[scripting] RE: Register Dll's from bat file

2015-10-08 Thread Kennedy, Jim
I would multi line it, to avoid the inevitable quote struggle. Second line may 
need some work.

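REM Inside a .bat file the loop variable is written %%x; quote it in case a file name has spaces.
CD /D "C:\Program Files (x86)\Open Text\DM Extensions"
for %%x in (*.dll) do regsvr32 /s "%%x"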






From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Marcum, John
Sent: Thursday, October 8, 2015 3:52 PM
To: Scripting List (script...@lists.myitforum.com) 

Subject: [scripting] Register Dll's from bat file

How do I register all the dll's in a given path from a batch file? The catch is 
the path has spaces in it. Every combination of this I've tried fails:

for %x in "C:\Program Files (x86)\Open Text\DM Extensions"(*.dll) do regsvr32 
/s %x


John Marcum
MCITP, MCTS, MCSA
  Desktop Architect
   Bradley Arant Boult Cummings LLP








[NTSysADM] RE: Dumb TCP port question - Win2012 and others

2015-09-24 Thread Kennedy, Jim
Let's start by turning on the Windows firewall log.

http://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Richard McClary
Sent: Thursday, September 24, 2015 10:29 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Dumb TCP port question - Win2012 and others

Greetings!

We are having a number of problems with our new VoIP system (no such problems 
with previous version).  There are a number of TCP ports which must be opened 
between the servers involved.

The new servers are all Windows2012R2, but we have temporary need to access 
some Win2003 servers.  All servers are in the same VLAN.

Windows firewall within the domain is turned off.  That is, as far as I can 
tell, the OS has no firewall restrictions, etc within the domain.

So, how would one check the port status (and change) for, say, Port 8106?  This 
would be for Win2012, Win7 (client workstations), and (hopefully not for long!) 
Win2003.

Thank you...



[NTSysADM] RE: Question about OWA authentication

2015-09-21 Thread Kennedy, Jim
Event log on the OWA server, might need to turn up logging if you don't have it 
already.  Or grep the W3SVC1 folder.

http://windowsitpro.com/windows/how-can-i-monitor-outlook-web-access-activity


From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Monday, September 21, 2015 3:13 PM
To: 'ntsys...@lists.myitforum.com'
Subject: [NTSysADM] RE: Question about OWA authentication

So, you're saying that logging into OWA will not update either of the Last 
Logon attributes?  Makes sense with what I'm seeing.  However, it makes it 
difficult to track if a user account is still valid.  Any other methods of 
seeing if the user is valid, aside from reaching out to the supervisor?

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Monday, September 21, 2015 10:37 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Question about OWA authentication

OWA or any web logon is not the same as an interactive logon.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Monday, September 21, 2015 7:58 AM
To: NT System Admin Issues Discussion list
Subject: [NTSysADM] Question about OWA authentication

Our organization uses a customized Office 365 installation, due to working for 
the State of California.  My question is how logging into OWA affects the Last 
Logon/Last Logon Timestamp attribute.  I have users who are showing up on my 
Inactive Users report, and I want to make sure that I don't disable an account 
that really is being used.  One particular user has a Last Logon Timestamp of 
8/6/2014, but his account was just renewed for another year in August of this 
year.  So, is it possible that this user only accesses OWA for e-mail, and 
never logs into a domain computer?  I've been finding conflicting info on the 
internet.

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
SaveOurWater.com * 
Drought.CA.gov
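
The "grep the W3SVC1 folder" suggestion in this thread, worked through as an added example that is not part of the original messages: it reads IIS W3C log lines and reports the most recent successful OWA request per authenticated user, so accounts on an inactive-users report can be checked against real mailbox use. It assumes you hold the IIS logs of the OWA server and that the standard W3C field names are logged; the log lines, account names and the `Get-OwaLastActivity` function name are constructed for illustration.

```powershell
# Constructed sample lines. On a server, read the real files instead, for example
# Get-Content on the *.log files in the site's W3SVC1 log folder.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2015-09-18 14:02:11 GET /owa/ CONTOSO\jdoe 10.0.0.21 200
2015-09-18 14:02:15 POST /owa/ev.owa CONTOSO\jdoe 10.0.0.21 200
2015-09-19 08:30:02 GET /owa/auth/logon.aspx - 10.0.0.44 200
2015-09-20 09:12:40 POST /owa/auth.owa CONTOSO\asmith 10.0.0.44 401
2015-09-21 07:45:00 GET /owa/ contoso\ASmith 10.0.0.44 200
2015-09-21 07:50:00 GET /ecp/ CONTOSO\admin1 10.0.0.9 200
'@ -split "`r?`n"

function Get-OwaLastActivity {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$LogLine,
        [string]$UriPrefix = '/owa'
    )
    $fields = @()
    $last   = @{}   # hashtable keys compare case-insensitively, so DOMAIN\User variants merge
    foreach ($line in $LogLine) {
        if ($line -like '#Fields:*') {
            # Logged fields and their order are configurable, so take positions from the header.
            $fields = @(($line -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }      # other directives, blanks
        $values = @($line.Trim() -split ' ')
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }  # malformed

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $user = $row['cs-username']
        if (-not $user -or $user -eq '-') { continue }                 # anonymous request
        if ($row['cs-uri-stem'] -notlike "$UriPrefix*") { continue }   # not an OWA URL
        if ([int]$row['sc-status'] -ge 400) { continue }               # failed or denied request

        # IIS writes W3C timestamps in UTC.
        $when = [datetime]::ParseExact("$($row['date']) $($row['time'])",
                    'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        if (-not $last.ContainsKey($user) -or $when -gt $last[$user]) { $last[$user] = $when }
    }
    foreach ($entry in $last.GetEnumerator()) {
        New-Object psobject -Property @{ User = $entry.Key; LastOwaRequestUtc = $entry.Value }
    }
}

$activity = @(Get-OwaLastActivity -LogLine $sampleLog)

# Accounts taken from an inactive-users report (constructed names).
foreach ($account in 'CONTOSO\asmith', 'CONTOSO\bnguyen') {
    $hit = $activity | Where-Object { $_.User -eq $account }
    if ($hit) {
        '{0}: last successful OWA request {1:u}' -f $account, $hit.LastOwaRequestUtc
    } else {
        '{0}: no successful OWA request in these logs' -f $account
    }
}
```

With the sample lines, the 401 for asmith is ignored and the later 200 is reported, while bnguyen shows no OWA activity.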




RE: [NTSysADM] secondary/temporary rdns

2015-09-18 Thread Kennedy, Jim
If I understand your question right, you want to put up:

192.168.1.1   mail.yourdomain.com   where the address is your Fiber
10.55.1.1     mail.yourdomain.com   where the address is your cable modem.


No, there is no problem doing that.  The only issue you might have is that some 
folks check the A record on your HELO.   Exchange will allow you to easily 
change the HELO so I would put up two A records.

Fiber.yourdomain.com   A   192.168.1.1
Cable.yourdomain.com   A   10.55.1.1

And just hit the fqdn option on the sending exchange server and change it to 
match the current in use setup.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of J- P
Sent: Friday, September 18, 2015 10:31 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] secondary/temporary rdns

Hi all,

a site is having issues with the fiber and wants to use the cable till it's 
resolved. The issue is that rdns for exchange points to the fiber IP, is it 
possible or recommended or not recommended to have rdns for one domain point 
to different IPs?



RE: [NTSysADM] Using DFS for user home folders

2015-09-08 Thread Kennedy, Jim
We don't use Home folders with our DFS. I just redirect everything via GPP's.   
Should be a pretty easy migration for you to go that way.

-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Thursday, September 3, 2015 12:53 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Using DFS for user home folders

Here's my current situation - my users all get assigned 1 of 4 file
servers, as their home profile (depends on what department they work
for, and which server is closest). Then Group Policy initiates a
folder redirection of "My Documents" and "Desktop". Additionally, the
GPO turns on Offline files (pointing at the same server)..

Here's the problem - I have a lot of users who end up being
transferred around, and hence at some point, we have to move their
files from server A to server B; change their group membership so now
a GPO which redirects to server B; and we have to clear the offline
folders cache on the old workstation, else it continues to point at
server A, and files never sync properly.

This is aggravating, to say the least.

We thought of using DFS (set up a new namespace, adding these 4 file
servers to it; change all the users to use the DFS namespace to store
their home profile (and moving all the files there). That way, I never
have to move files, I need less GPOs, I don't have the offline files
headache, etc.

Problem is, using DFS for home folders is officially not supported by MS ...

So what are others doing in this situation? There must be others with
such issues of having to move user folders, etc.

I could make 1 central file server for all home profiles, but if there
are ever any network hiccups, then you can't reach your files. (so I'd
still need offline files).

We looked at AppSense, and while it can alleviate some of the issues,
it can't fix all of them.




RE: [NTSysADM] Using DFS for user home folders

2015-09-08 Thread Kennedy, Jim
Group your users in OU's via site.  Move the user and they pick up the new 
target priority because each OU has its own GPP with the different priorities.

-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Tuesday, September 8, 2015 9:51 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Using DFS for user home folders

We don't redirect the entire profile (so no roaming profiles), but we do set 
the home folder to be a share on a server.

The problem is not the redirection, it's when the target for that particular 
user changes (i.e., when it moves to a different server in a different physical 
site)..

On Tue, Sep 8, 2015 at 8:43 AM, Kennedy, Jim <kennedy...@elyriaschools.org> 
wrote:
> We don't use Home folders with our DFS. I just redirect everything via GPP's. 
>   Should be a pretty easy migration for you to go that way.
>
> -Original Message-
> From: listsadmin@lists.myitforum.com 
> [mailto:listsadmin@lists.myitforum.com] On Behalf Of Michael Leone
> Sent: Thursday, September 3, 2015 12:53 PM
> To: ntsys...@lists.myitforum.com
> Subject: [NTSysADM] Using DFS for user home folders
>
> Here's my current situation - my users all get assigned 1 of 4 file 
> servers, as their home profile (depends on what department they work 
> for, and which server is closest). Then Group Policy initiates a 
> folder redirection of "My Documents" and "Desktop". Additionally, the 
> GPO turns on Offline files (pointing at the same server)..
>
> Here's the problem - I have a lot of users who end up being 
> transferred around, and hence at some point, we have to move their 
> files from server A to server B; change their group membership so now 
> a GPO which redirects to server B; and we have to clear the offline 
> folders cache on the old workstation, else it continues to point at 
> server A, and files never sync properly.
>
> This is aggravating, to say the least.
>
> We thought of using DFS (set up a new namespace, adding these 4 file 
> servers to it; change all the users to use the DFS namespace to store 
> their home profile (and moving all the files there). That way, I never 
> have to move files, I need less GPOs, I don't have the offline files 
> headache, etc.
>
> Problem is, using DFS for home folders is officially not supported by MS ...
>
> So what are others doing in this situation? There must be others with 
> such issues of having to move user folders, etc.
>
> I could make 1 central file server for all home profiles, but if there 
> are ever any network hiccups, then you can't reach your files. (so I'd 
> still need offline files).
>
> We looked at AppSense, and while it can alleviate some of the issues, 
> it can't fix all of them.
>
>




[NTSysADM] RE: Script (VB) or powershell

2015-08-03 Thread Kennedy, Jim
Back in the old days we used to answer every question with either Robocopy or 
JoeWare.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Monday, August 3, 2015 3:16 PM
To: 'ntsys...@lists.myitforum.com'
Subject: [NTSysADM] RE: Script (VB) or powershell

Seriously that simple?
I am annoyed.
And thank you.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Joe Spinks
Sent: Monday, August 03, 2015 3:13 PM
To: 'ntsys...@lists.myitforum.com'
Subject: [NTSysADM] RE: Script (VB) or powershell

robocopy c:\ n:\sql *.sql /s /e /w:0 /r:0 /log:sqlcopy.txt /nfl /ndl
robocopy c:\ n:\sql *.bat /s /e /w:0 /r:0 /log:batcopy.txt /nfl /ndl


From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Monday, August 03, 2015 2:08 PM
To: 'ntsys...@lists.myitforum.com'
Subject: [NTSysADM] RE: Script (VB) or powershell

?

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Damien Solodow
Sent: Monday, August 03, 2015 3:05 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Script (VB) or powershell

Could just do that with robocopy.

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Monday, August 3, 2015 3:01 PM
To: ntsysadm <ntsys...@lists.myitforum.com>
Subject: [NTSysADM] Script (VB) or powershell

Anyone have a good script to go through all directories on a volume and move to 
a network or flash drive?
Specifically I want a script that can grab all .sql or .bat's from my machine 
and move them to a network folder called N:\SQL\  ???


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190 | F: 317.554.8106



[NTSysADM] RE: Appdata registry value

2015-07-29 Thread Kennedy, Jim
Improperly Sysprep'd image?  Not Sysprepping a box really borks all the folder 
keys.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Ryan Shugart
Sent: Tuesday, July 28, 2015 5:36 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Appdata registry value

Hi:
To make a long story short, we've been troubleshooting errors with the 
SCCM client push and have determined that on several of our workstations, the 
registry value of
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
is somehow being changed from its usual value of
%USERPROFILE%\AppData\Roaming
to something else; on the machines I've been looking at it's being changed to 
%USERPROFILE%\AppData, which is breaking the SCCM client install.  So, we have 
a plan to fix this on the affected workstations; my question is, does anyone 
have an idea what might have caused this in the first place?  We know this reg 
value is set properly in our standard image, and we have a mixture of machines 
in the environment, both workstation and server, with this set properly and not 
set properly.  I've done some Googling, and found quite a few things on how to 
fix it (apparently this screws up a bunch of installs and not just SCCM), but 
nothing on what might have messed this up in the first place to try and prevent 
it from happening again.  So was just wondering if anyone has seen this in 
their environment?
Ryan

Ryan Shugart
LAN Administrator
MiTek USA, MiTek Denver
314-851-7414
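
A check for the condition described in this message, as an added example that is not from the thread: it reads the `AppData` value under `HKEY_USERS\.DEFAULT` without expanding `%USERPROFILE%` and compares it with the expected value the message quotes. The function name `Get-AppDataShellFolder` and the state labels are hypothetical; checking a remote computer assumes the Remote Registry service is reachable there.

```powershell
# Key path and expected value are the ones quoted in the message above.
$SubKey    = '.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$ValueName = 'AppData'
$Expected  = '%USERPROFILE%\AppData\Roaming'

function Get-AppDataShellFolder {
    param([string]$ComputerName = '')   # empty string = local machine
    $result = New-Object psobject -Property @{
        Computer = $(if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME })
        Raw      = $null
        Kind     = $null
        State    = 'Unknown'
    }
    $hive = $null
    $key  = $null
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
        $key = $hive.OpenSubKey($SubKey)
        if ($null -eq $key) { $result.State = 'KeyMissing'; return $result }

        # Read the stored string as-is. The default GetValue() expands %USERPROFILE%,
        # which would hide the difference between the template and a hard-coded path.
        $raw = $key.GetValue($ValueName, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($null -eq $raw) { $result.State = 'ValueMissing'; return $result }

        $result.Raw  = $raw
        $result.Kind = $key.GetValueKind($ValueName)

        if ($raw -ne $Expected) {
            $result.State = 'Mismatch'      # e.g. %USERPROFILE%\AppData, as in the message
        } elseif ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString) {
            $result.State = 'WrongType'     # right text, but stored as a type that will not expand
        } else {
            $result.State = 'OK'
        }
        return $result
    } catch {
        $result.State = "Error: $($_.Exception.Message)"
        return $result
    } finally {
        if ($key)  { $key.Close() }
        if ($hive) { $hive.Close() }
    }
}

# Local machine; pass -ComputerName for each host in your inventory to sweep a fleet.
Get-AppDataShellFolder | Format-List Computer, State, Kind, Raw
```

Running it on a schedule and logging every state change gives a timestamp to correlate with software installs, which is the missing piece when trying to find what rewrote the value.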





RE: [NTSysADM] OT: VirusScanning software

2015-07-08 Thread Kennedy, Jim
Chase down where the exe is as you dig through this. You will find it in the 
user's profile in appdata most likely.  Applock the user profile, all of it.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Jonathan Link
Sent: Wednesday, July 8, 2015 12:24 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] OT: VirusScanning software

That's my assessment as well.

On Wed, Jul 8, 2015 at 12:17 PM, Susan Bradley <sbrad...@pacbell.net> wrote:

If the infection occurred as soon as he attached to the network, I'm guessing 
he was already nailed and he just brought it in when he came in.


On 7/8/2015 9:10 AM, Jonathan Link wrote:
Well, he wasn't in the office for much of the past two days, so firewall logs 
are ineffective in this instance.  It appears that the infection started as 
soon as his computer attached to the network.  Browser history is a good place 
to look, but I can't access the machine without it being turned on and on the 
network (I'm on vacation) and that would be counterproductive at this point.  I 
am hoping I can recover some of his data that was on the computer, but made him 
no promises.


On Wed, Jul 8, 2015 at 11:55 AM, Susan Bradley <sbrad...@pacbell.net> wrote:

IE history
Firewall logs

Should help narrow it down.

And we have a zero day flash being patched today.  Expect a
Microsoft patch for Windows 8 and above.


On 7/8/2015 8:32 AM, Jonathan Link wrote:

No, not yet.  It's one of our directors, and he swears that
the only site he visited within the last 24 hours was msn.com.
So it could be the flash 0 day from an infected ad that wasn't
caught?  Of course, he might not be remembering something...

It started working at around 8am this morning which is when he
fired up his computer in the office.

On Wed, Jul 8, 2015 at 11:08 AM, David McSpadden <dav...@imcu.com> wrote:

I know you are on vacation but do you know the attack vector?


*From:* listsadmin@lists.myitforum.com
[mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Jonathan Link
*Sent:* Wednesday, July 08, 2015 10:43 AM
*To:* ntsys...@lists.myitforum.com
*Subject:* Re: [NTSysADM] OT: VirusScanning software

So, we just got hit with a CryptoWall variant with SRP in
place. I didn't disbelieve you Susan, I was just hoping
that we could
avoid infection until I got a true whitelisting solution
in place.

Oh and I'm on vacation, so this is extra fun to restore
backups
via the VPN.  Luckily we have other systems in place that
mitigated the extent of damage, such as really good
backups, and
tested restore procedures.

On Fri, Jul 3, 2015 at 3:36 PM, Susan Bradley <sbrad...@pacbell.net> wrote:

I have many consultant stories of ransomware nailing
clients with
software restriction policies in place - especially the web
cocktail variants.

Applocker/whitelisting = Enterprise SKUs. Which I hardly
ever see
in my space, nor does the customer base afford the time
and effort.

Great if you have the budget to do it, sucks if you don't
have the
licenses and infrastructure.

On 7/3/2015 11:54 AM, Jonathan Link wrote:

I was posting from my phone in a hurry, DYAC. Software
  

RE: [NTSysADM] In place 2008 R2 DC to 2012 DC

2015-07-02 Thread Kennedy, Jim
But but it is less work if it goes well!

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Jonathan Link
Sent: Thursday, July 2, 2015 1:11 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] In place 2008 R2 DC to 2012 DC

Why would you make more work for yourself?
Transfer fsmo roles, if necessary.
Dcpromo and demote the server to a member server then nuke and repave.

The environment doesn't matter, the risk of borking a dc and the ease of 
removing and adding a dc should make this kind of decision a no brainer.

On Thursday, July 2, 2015, Kennedy, Jim 
<kennedy...@elyriaschools.org> wrote:

I know, don’t do it….migrate.

But I am going for it, the boxes are pretty fresh with rock solid hardware. I 
have no nagging event log issues or issues with the DC’s. I have a 2012 DC on a 
VM in the same room if it goes bad. They only do DC stuff no other crazy apps 
on them. My domain is very flat and simple…..it’s summer time there are only 75 
people tops working and they are all cool if it gets annoying.

Anyone done it this way, how did it go?

No, not doing it today, don’t want to mess up the holiday weekend.


[NTSysADM] In place 2008 R2 DC to 2012 DC

2015-07-02 Thread Kennedy, Jim
I know, don’t do it….migrate.

But I am going for it, the boxes are pretty fresh with rock solid hardware. I 
have no nagging event log issues or issues with the DC’s. I have a 2012 DC on a 
VM in the same room if it goes bad. They only do DC stuff no other crazy apps 
on them. My domain is very flat and simple…..it’s summer time there are only 75 
people tops working and they are all cool if it gets annoying.

Anyone done it this way, how did it go?

No, not doing it today, don’t want to mess up the holiday weekend.


[NTSysADM] RE: User lock out

2015-06-23 Thread Kennedy, Jim
+1

IIS reset with a force if you can.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Tuesday, June 23, 2015 10:17 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: User lock out

IIS caches usernames/passwords for 4 - 24 hours. Seems likely that they have 
more than one device attempting to connect.

I personally have 3 devices plus Outlook. When I change my password I expect to 
get locked out a couple of times until I get all the passwords updated.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Tuesday, June 23, 2015 10:07 AM
To: 'ntsys...@lists.myitforum.com'
Subject: [NTSysADM] User lock out

User changed password.
Keeps getting locked out.
Removes email from phone.
Resets password.
Keeps getting locked out.
Logs or events show attempts from the exchange server.
What tool can I use to determine exactly what is causing the bad attempts that 
are locking her out?


David McSpadden
Systems Administrator
Indiana Members Credit Union
P: 317.554.8190 | F: 317.554.8106



RE: [NTSysADM] Monday humor (truth)

2015-06-23 Thread Kennedy, Jim
Well, they do get points for trying to avoid sneaker net.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of J- P
Sent: Monday, June 22, 2015 6:41 PM
To: NT
Subject: [NTSysADM] Monday humor (truth)

So a server goes down in one of our overseas offices, I ask them please go to 
the server (emphasis on GO TO THE SERVER) and tell me what you see on the 
screen (power issues are a battle) they have inverters and car batteries in 
the office, it's pretty scary.

Anyhow 3 hours later I get this photo




Yes it was the end user's screen :) (I guess they missed the GO TO THE SERVER 
part lol)



[NTSysADM] RE: Slow access after DC replacement

2015-06-11 Thread Kennedy, Jim
Pinging the namespace from the DC is quick and correct?

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Thursday, June 11, 2015 2:51 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Slow access after DC replacement

That was actually the first thing I thought about too.  I checked the client 
setups.  DNS is set via DHCP and the new server is pointing to itself as 
expected.  I did a spot check on client machines and they're all fine in that 
respect.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Edward Berner
Sent: Thursday, June 11, 2015 2:35 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: Slow access after DC replacement

If the old DC was also a DNS server, maybe the clients are still pointing to it?

Edward

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Thursday, June 11, 2015 11:22 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] Slow access after DC replacement

OK, I'm going around spinning my wheels on this one and the tread is getting 
kinda thin. :)

I've got a remote office which has an RODC that we're replacing.  Rather than 
trying to do a direct replacement of the hardware we're moving from 2008r2 to 
202r2 as well, so I stood up the new server, added it as a new RODC, etc.  I've 
migrated all the printers, DHCP, and since all the file shares were DFS I added 
the new server as another node on all those.

I've marked all the DFS shares for the old server instances as disabled so no 
one is accessing them, but what we're seeing is that as soon as the old server 
is taken offline file access times slow to a crawl.  When I brought the old 
server back online (just powered back on) everything returns to normal.

The only thing that I've found that was different was the Password Replication 
list between them, and I corrected that.  This morning we simply unplugged the 
network cable and access is back to a crawl again.

Obviously I've missed something in the picture but I'd appreciate some 
suggestions of other things to check.


Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | http://servicedesk.byers.com
--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.




RE: [NTSysADM] Cryptlocker

2015-06-04 Thread Kennedy, Jim
Nope, if they did I would be pushing hard to replace it.   Have they gotten any 
better at keeping up with updates?

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Thursday, June 4, 2015 1:28 PM
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker

Your users don't file their timecards with ADP, then...
Kurt

On Thu, Jun 4, 2015 at 9:52 AM, Kennedy, Jim 
kennedy...@elyriaschools.org wrote:
2 depends on Oracle, Chrome has been begging them for it for some time.  From 
Chrome’s perspective 1 and 2 are the same. That said, I honestly do not think 
Firefox has any plans to discontinue NPAPI support. Their approach is disabled 
by default….user beware if you enable it.

Anecdotal but I can say that most of my users use Chrome, and they have not 
missed Java.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Damien Solodow
Sent: Thursday, June 4, 2015 12:49 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

Doubtful; I see one of two things happening:

1)  Oracle blinks and releases an updated JRE that doesn’t use NPAPI

2)  Chrome includes its own JRE like they did with Flash

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Thursday, June 4, 2015 12:44 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

So if I’m reading this correctly that would seem to mean that all the thousands 
(millions?) of pages with Java embedded are going to be relegated to IE only?  
(And JAVA will finally DIE? Albeit a slow and lingering death.)


--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Thursday, June 4, 2015 10:41 AM
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker

Not Java specifically - the NPAPI interface.
So is Firefox, and so will Edge...
Kurt

On Thu, Jun 4, 2015 at 6:42 AM, Heaton, Joseph@Wildlife 
joseph.hea...@wildlife.ca.gov wrote:
Interesting.  I didn’t realize that Chrome was doing away with Java 
functionality.  Thanks for the update.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Kennedy, Jim
Sent: Thursday, June 04, 2015 5:12 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

Demand for this in Chrome will dwindle to zero in September when there isn’t 
any way to run Java in Chrome.  It’s already dwindling….we did not bypass the 
block in the last patch for Chrome that disabled it.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, June 4, 2015 7:08 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

OK, FSLogix confirm that currently the Java remediation only works with IE. You 
can restrict other browsers on a process basis only currently, so you could 
force Chrome or Firefox to a specific Java version by process, but not by URL.

However, support for other browsers is on the roadmap. Any customer demand 
(probably someone coming along with 5000 users and wanting it to work in 
Chrome) will “drive the roadmap forward”, i.e. they’ll do it ASAP if there’s a 
big enough sale at the end of it ☺

Hope this helps,



JR

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: 03 June 2015 18:56
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

OK, I tried to test with Chrome and found out that Chrome has disabled just 
about all the plugins from the websites I was using for testing ☹

Waiting for an answer from FSLogix support as I now have to put the kids in the 
bath!


From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Jonathan Link
Sent: 03 June 2015 18:44
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Cryptlocker

Probably not pants.

On Wed, Jun 3, 2015 at 12:26 PM, James Rankin 
james.ran...@talosys.co.uk wrote:
Let me get you an answer on that…maybe something I should have tested

From

RE: [NTSysADM] Cryptlocker

2015-06-04 Thread Kennedy, Jim
There is a java based app that a huge percentage of schools in Ohio uses.  We 
conspired together to put pressure on the vendor. They heard us, and packaged 
it as a self contained jar.  A simple install msi and we are done with it. Now 
we are Java version proof. I am no programmer, let alone a java expert but I don't 
get why more of these apps don't go that way.  It helps them tremendously 
also...they can update and change away and use java version they want.

-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Rankin, James R
Sent: Thursday, June 4, 2015 4:21 PM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Cryptlocker

Sounds like my assertion that half the world's sysadmins are crying out for a 
decent Java remediation solution is correct...


---

James Rankin | Director | TaloSys | 07809668579 Sent from my Blackberry

-Original Message-
From: Maglinger, Paul pmaglin...@scvl.com
Sender: listsadmin@lists.myitforum.com
Date: Thu, 4 Jun 2015 19:54:57
To: 'ntsys...@lists.myitforum.com'
Reply-To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

Updates would be fine... if they didn't break things.
Reminds me of when we put in our latest Cisco IP Telephony solution.
The phone system wanted me to upgrade my Java but then Cisco's web site 
wouldn't work with that version. 
*thunk* *thunk* *thunk*
I LOATHE Java...

-Original Message-
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Thursday, June 04, 2015 2:34 PM
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker

Updates of Java? Hell no.

Some of our users somehow get Java fubared, and when ADP can't find Java, they 
tell the user to install 6u29, so I've put in an exception in our AV to block 
the download,

Kurt

On Thu, Jun 4, 2015 at 10:30 AM, Kennedy, Jim kennedy...@elyriaschools.org 
wrote:
 Nope, if they did I would be pushing hard to replace it.   Have they gotten
 any better at keeping up with updates?



 From: listsadmin@lists.myitforum.com
 [mailto:listsadmin@lists.myitforum.com]
 On Behalf Of Kurt Buff
 Sent: Thursday, June 4, 2015 1:28 PM


 To: ntsysadm
 Subject: Re: [NTSysADM] Cryptlocker



 Your users don't file their timecards with ADP, then...

 Kurt



 On Thu, Jun 4, 2015 at 9:52 AM, Kennedy, Jim 
 kennedy...@elyriaschools.org
 wrote:

 2 depends on Oracle, Chrome has been begging them for it for some time.
 From Chrome’s perspective 1 and 2 are the same. That said, I honestly 
 do not think Firefox has any plans to discontinue NPAPI support. Their 
 approach is disabled by default….user beware if you enable it.



 Anecdotal but I can say that most of my users use Chrome, and they 
 have not missed Java.



 From: listsadmin@lists.myitforum.com
 [mailto:listsadmin@lists.myitforum.com]
 On Behalf Of Damien Solodow
 Sent: Thursday, June 4, 2015 12:49 PM


 To: ntsys...@lists.myitforum.com
 Subject: RE: [NTSysADM] Cryptlocker



 Doubtful; I see one of two things happening:

 1)  Oracle blinks and releases an updated JRE that doesn’t use NPAPI

 2)  Chrome includes its own JRE like they did with Flash



 DAMIEN SOLODOW

 Senior Systems Engineer

 317.447.6033 (office)

 317.447.6014 (fax)

 HARRISON COLLEGE



 From: listsadmin@lists.myitforum.com
 [mailto:listsadmin@lists.myitforum.com]
 On Behalf Of Melvin Backus
 Sent: Thursday, June 4, 2015 12:44 PM
 To: ntsys...@lists.myitforum.com
 Subject: RE: [NTSysADM] Cryptlocker



 So if I’m reading this correctly that would seem to mean that all the 
 thousands (millions?) of pages with Java embedded are going to be 
 relegated to IE only?  (And JAVA will finally DIE? Albeit a slow and 
 lingering death.)





 --
 There are 10 kinds of people in the world...
  those who understand binary and those who don't.



 From: listsadmin@lists.myitforum.com
 [mailto:listsadmin@lists.myitforum.com]
 On Behalf Of Kurt Buff
 Sent: Thursday, June 4, 2015 10:41 AM
 To: ntsysadm
 Subject: Re: [NTSysADM] Cryptlocker



 Not Java specifically - the NPAPI interface.

 So is Firefox, and so will Edge...

 Kurt



 On Thu, Jun 4, 2015 at 6:42 AM, Heaton, Joseph@Wildlife 
 joseph.hea...@wildlife.ca.gov wrote:

 Interesting.  I didn’t realize that Chrome was doing away with Java 
 functionality.  Thanks for the update.



 From: listsadmin@lists.myitforum.com
 [mailto:listsadmin@lists.myitforum.com]
 On Behalf Of Kennedy, Jim
 Sent: Thursday, June 04, 2015 5:12 AM


 To: ntsys...@lists.myitforum.com
 Subject: RE: [NTSysADM] Cryptlocker



 Demand for this in Chrome will dwindle to zero in September when there 
 isn’t any way to run Java in Chrome.  It’s already dwindling….we did 
 not bypass the block in the last patch for Chrome that disabled it.



 From: listsadmin@lists.myitforum.com
 [mailto:listsadmin@lists.myitforum.com]
 On Behalf Of James Rankin
 Sent: Thursday, June 4, 2015 7:08 AM

RE: [NTSysADM] Cryptlocker

2015-06-04 Thread Kennedy, Jim
2 depends on Oracle, Chrome has been begging them for it for some time.  From 
Chrome’s perspective 1 and 2 are the same. That said, I honestly do not think 
Firefox has any plans to discontinue NPAPI support. Their approach is disabled 
by default….user beware if you enable it.

Anecdotal but I can say that most of my users use Chrome, and they have not 
missed Java.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Damien Solodow
Sent: Thursday, June 4, 2015 12:49 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

Doubtful; I see one of two things happening:

1)  Oracle blinks and releases an updated JRE that doesn’t use NPAPI

2)  Chrome includes its own JRE like they did with Flash

DAMIEN SOLODOW
Senior Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Thursday, June 4, 2015 12:44 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

So if I’m reading this correctly that would seem to mean that all the thousands 
(millions?) of pages with Java embedded are going to be relegated to IE only?  
(And JAVA will finally DIE? Albeit a slow and lingering death.)


--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Thursday, June 4, 2015 10:41 AM
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker

Not Java specifically - the NPAPI interface.
So is Firefox, and so will Edge...
Kurt

On Thu, Jun 4, 2015 at 6:42 AM, Heaton, Joseph@Wildlife 
joseph.hea...@wildlife.ca.gov wrote:
Interesting.  I didn’t realize that Chrome was doing away with Java 
functionality.  Thanks for the update.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Kennedy, Jim
Sent: Thursday, June 04, 2015 5:12 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

Demand for this in Chrome will dwindle to zero in September when there isn’t 
any way to run Java in Chrome.  It’s already dwindling….we did not bypass the 
block in the last patch for Chrome that disabled it.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, June 4, 2015 7:08 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

OK, FSLogix confirm that currently the Java remediation only works with IE. You 
can restrict other browsers on a process basis only currently, so you could 
force Chrome or Firefox to a specific Java version by process, but not by URL.

However, support for other browsers is on the roadmap. Any customer demand 
(probably someone coming along with 5000 users and wanting it to work in 
Chrome) will “drive the roadmap forward”, i.e. they’ll do it ASAP if there’s a 
big enough sale at the end of it ☺

Hope this helps,



JR

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: 03 June 2015 18:56
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

OK, I tried to test with Chrome and found out that Chrome has disabled just 
about all the plugins from the websites I was using for testing ☹

Waiting for an answer from FSLogix support as I now have to put the kids in the 
bath!


From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Jonathan Link
Sent: 03 June 2015 18:44
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Cryptlocker

Probably not pants.

On Wed, Jun 3, 2015 at 12:26 PM, James Rankin 
james.ran...@talosys.co.uk wrote:
Let me get you an answer on that…maybe something I should have tested

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Heaton, Joseph@Wildlife
Sent: 03 June 2015 17:22
To: 'ntsys...@lists.myitforum.com'
Subject: RE: [NTSysADM] Cryptlocker

So, it looks like FSLogix only works with IE?  Is that true?

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: Tuesday, June 02, 2015 11:16 AM
To: ntsys...@lists.myitforum.com

RE: [NTSysADM] Cryptlocker

2015-06-04 Thread Kennedy, Jim
Do you have a source on Firefox…I have been looking for a while for a solid 
confirmation.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Thursday, June 4, 2015 10:41 AM
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker

Not Java specifically - the NPAPI interface.
So is Firefox, and so will Edge...
Kurt

On Thu, Jun 4, 2015 at 6:42 AM, Heaton, Joseph@Wildlife 
joseph.hea...@wildlife.ca.gov wrote:
Interesting.  I didn’t realize that Chrome was doing away with Java 
functionality.  Thanks for the update.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Kennedy, Jim
Sent: Thursday, June 04, 2015 5:12 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

Demand for this in Chrome will dwindle to zero in September when there isn’t 
any way to run Java in Chrome.  It’s already dwindling….we did not bypass the 
block in the last patch for Chrome that disabled it.

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, June 4, 2015 7:08 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

OK, FSLogix confirm that currently the Java remediation only works with IE. You 
can restrict other browsers on a process basis only currently, so you could 
force Chrome or Firefox to a specific Java version by process, but not by URL.

However, support for other browsers is on the roadmap. Any customer demand 
(probably someone coming along with 5000 users and wanting it to work in 
Chrome) will “drive the roadmap forward”, i.e. they’ll do it ASAP if there’s a 
big enough sale at the end of it ☺

Hope this helps,



JR

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: 03 June 2015 18:56
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

OK, I tried to test with Chrome and found out that Chrome has disabled just 
about all the plugins from the websites I was using for testing ☹

Waiting for an answer from FSLogix support as I now have to put the kids in the 
bath!


From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Jonathan Link
Sent: 03 June 2015 18:44
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Cryptlocker

Probably not pants.

On Wed, Jun 3, 2015 at 12:26 PM, James Rankin 
james.ran...@talosys.co.uk wrote:
Let me get you an answer on that…maybe something I should have tested

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Heaton, Joseph@Wildlife
Sent: 03 June 2015 17:22
To: 'ntsys...@lists.myitforum.com'
Subject: RE: [NTSysADM] Cryptlocker

So, it looks like FSLogix only works with IE?  Is that true?

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: Tuesday, June 02, 2015 11:16 AM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] Cryptlocker

OK, quick and dirty run-down, but I’m sure you can all get the gist of it 
(hopefully!)

http://appsensebigot.blogspot.co.uk/2015/06/fslogix-first-look-1-managing-legacy-or.html


From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: 02 June 2015 17:38
To: ntsysadm
Subject: Re: [NTSysADM] Cryptlocker

Yes, please put up the link here when done.
Kurt

On Tue, Jun 2, 2015 at 8:43 AM, James Rankin 
james.ran...@talosys.co.uk wrote:
I shall endeavour to finish this as soon as possible then!

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Maglinger, Paul
Sent: 02 June 2015 16:12
To: 'ntsys...@lists.myitforum.com'
Subject: RE: [NTSysADM] Cryptlocker

Me too!

-Paul

From: listsadmin@lists.myitforum.com 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Sean Martin
Sent: Tuesday, June 02, 2015 10:07 AM
To: ntsys...@lists.myitforum.com
Subject: Re: [NTSysADM] Cryptlocker

Definitely interested.

- Sean

On Jun 2, 2015, at 6:08 AM, James Rankin 
james.ran...@talosys.co.uk wrote:
What you need is FSLogix
