RE: PKI big picture?

2012-08-23 Thread Ken Schaefer
If you're buying a cert from a 3rd party, and then using that to issue your own 
certs, then you're buying a CA signing cert, not a server authentication cert.

The former is much more expensive than the latter, as you effectively can issue 
however many certs you want. Typically you only do this if you need to deal 
with 3rd parties (since you both mutually trust the original issuing CA 
organisation). If this is for internal use only, then most orgs will set up 
their own root CA.

Cheers
Ken

-Original Message-
From: Stephen Wimberly [mailto:riverside...@gmail.com] 
Sent: Friday, 24 August 2012 4:06 AM
To: NT System Admin Issues
Subject: PKI big picture?

I want to use PKI for SCCM 2012, and it's a nice to have for other servers.

QUESTION:  If I were to purchase a certificate from an outside trusted vendor 
like Verisign, could I skip the internal Enterprise server CA and import the 
purchased certificate directly to my SCCM server?

From what I have read so far it looks best to purchase a cert, import it to 
your Enterprise CA and then create certificates from the Enterprise CA but it 
just sounds redundant.  Am I really seeing this 'right'?



---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
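
An added example, not part of the thread: Ken Schaefer's reply above distinguishes a CA signing cert from a server authentication cert, and the PowerShell below shows the X.509 extensions that encode that difference (basicConstraints cA, keyUsage keyCertSign, the serverAuth EKU) by classifying two constructed self-signed certificates. It assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later; the function names and certificate subjects are made up for illustration.

```powershell
# Added illustration. Function names and certificate subjects are constructed.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (TLS server authentication)

# Build a throwaway self-signed certificate so the check below has offline input.
function New-SampleCert {
    param(
        [string]$Subject,
        [bool]$IsCa,
        [X509KeyUsageFlags]$KeyUsage,
        [string[]]$EkuOids = @()
    )
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    # basicConstraints (critical): cA flag, no path length constraint
    $req.CertificateExtensions.Add(
        [X509BasicConstraintsExtension]::new($IsCa, $false, 0, $true))
    $req.CertificateExtensions.Add(
        [X509KeyUsageExtension]::new($KeyUsage, $true))
    if ($EkuOids.Count -gt 0) {
        $oids = [OidCollection]::new()
        foreach ($oid in $EkuOids) { [void]$oids.Add([Oid]::new($oid)) }
        $req.CertificateExtensions.Add(
            [X509EnhancedKeyUsageExtension]::new($oids, $false))
    }
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(30))
}

# Report whether a certificate could act as an issuer (CA signing cert)
# or is only an end-entity cert such as a server authentication cert.
function Get-CertIssuingCapability {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    $isCa = $false; $hasKeyUsage = $false; $keyCertSign = $false; $ekus = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [X509BasicConstraintsExtension]) {
            $isCa = $ext.CertificateAuthority
        } elseif ($ext -is [X509KeyUsageExtension]) {
            $hasKeyUsage = $true
            $keyCertSign = $ext.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyCertSign)
        } elseif ($ext -is [X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # Chain validation accepts a cert as an issuer only if cA is TRUE and,
    # when a keyUsage extension is present, keyCertSign is asserted.
    $canIssue = $isCa -and ((-not $hasKeyUsage) -or $keyCertSign)
    $kind = if ($canIssue) { 'CA signing cert' } else { 'end-entity cert' }

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        IsCA          = $isCa
        KeyCertSign   = $keyCertSign
        ServerAuthEku = ($ekus -contains $ServerAuthOid)
        CanIssue      = $canIssue
        Kind          = $kind
    }
}

# Constructed samples: one issuing CA cert, one ordinary server cert.
$samples = @(
    New-SampleCert -Subject 'CN=Constructed Example Issuing CA' -IsCa $true `
        -KeyUsage 'KeyCertSign, CrlSign'
    New-SampleCert -Subject 'CN=sccm01.example.test' -IsCa $false `
        -KeyUsage 'DigitalSignature, KeyEncipherment' -EkuOids $ServerAuthOid
)
$samples | ForEach-Object { Get-CertIssuingCapability -Certificate $_ } |
    Format-Table -AutoSize

# For a real file (placeholder path):
#   Get-CertIssuingCapability ([X509Certificate2]::new('C:\path\to\purchased.cer'))
```

Certificates signed with the private key of a cert that reports `CanIssue = False` fail chain validation on clients that enforce these extensions, so such a cert cannot stand in for an issuing CA.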



Re: Windows InTune

2012-08-23 Thread Richard Stovall
Which, apropos of nothing, reminds me of a recent conversation with the
boss.

We were talking about our virtualization infrastructure since our VMware
licenses are up for renewal at the end of this month.  He asked me if we
should go with MS and the newest version of Hyper-V on Server 2012 instead
of VMware.

Long story short, I can't get a conversion done in a week, and Server 2012
isn't going to be generally available until September 4th anyway, so it's a
non-starter for the moment.  Next year, however...

The question I have is how in the heck do I compare the direct costs of
licensing ESX(i) and Hyper-V 2012.  Obviously I know my annual VMware
costs, and I think the Hyper-V bits are actually 'free'[1] in that they are
baked into the OS, but it's the System Center licensing that I really don't
understand.  SCVMM?  SCThis?  SCThat? SCEssentials?

SCWTF_Do_I really_need?

If there is a concise guide out there about licensing this stuff for a pure
Hyper-V-only environment, I would definitely appreciate a pointer.

Thanks, as always,

RS

[1] I've got current VL versions of Server 2012 Datacenter that I
could/will use if moving away from VMware.



On Thu, Aug 23, 2012 at 10:50 PM, Michael B. Smith wrote:

> Maintaining full capabilities without internet connectivity.
>
> Full capabilities without additional Internet-based licensing.
>
> *From:* Rod Trent [mailto:rodtr...@myitforum.com]
> *Sent:* Thursday, August 23, 2012 6:11 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Windows InTune
>
> Yeah…I have my reasons for some level of concern, but what’s yours?
>
> *From:* Michael B. Smith [mailto:mich...@smithcons.com]
> *Sent:* Thursday, August 23, 2012 5:54 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Windows InTune
>
> Which scares the crap outta me.
>
> *From:* Rod Trent [mailto:rodtr...@myitforum.com]
> *Sent:* Thursday, August 23, 2012 5:30 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Windows InTune
>
> What exactly do you want to know?
>
> InTune has come a long way in a short time and does a great job.  And,
> Microsoft is investing heavily in the future of InTune, and will eventually
> marry ConfigMgr and InTune.
>
> *From:* Roger Wright [mailto:rhw...@gmail.com]
> *Sent:* Thursday, August 23, 2012 4:48 PM
> *To:* NT System Admin Issues
> *Subject:* Windows InTune
>
> We're seeing a greater need for something like Windows InTune for about
> 10-15 machines that rarely touch our network.  Currently, we have no way to
> manage these machines and assure they're receiving Microsoft, Adobe, Java,
> or other updates. VIPRE does report home, however, so at least that aspect
> is covered.
>
> Any comments regarding InTune usage results or evaluations would be
> helpful.  TIA...
>
> Roger Wright
> ___
>
> Geocaching:  Hide, Hunt, Find & Repeat - It's FUN!


Re: How to maintain Adobe and Java updates

2012-08-23 Thread Tom Miller
KBox.  Besides regular Windows security patches, updates all Adobe products, 
JAVA, and Sophos and a number of other vendor defs.  Very easy to use, but 
perhaps overkill since kbox is complete system management.

>>> Stefan Jafs  8/23/2012 2:39 PM >>>

I just got Sophos 10 up and running with about 80% of my clients moved over 
from ESET, just checked Patch Assessment yesterday, not a pretty sight! 1/3 of 
my machines need some kind of Adobe update and about half Java updates.

How do you guys manage updates on Java and Adobe Applications?

BTW about 250 PC's

-- 
Stefan Jafs


Re: How to maintain Adobe and Java updates

2012-08-23 Thread Richard Stovall
How do you update Chrome for your users?  I've heard about the "Enterprise"
management features, but I haven't looked at them too deeply.  All I've
seen is an .msi.

Don't get me wrong, btw.  I love Chrome, and personally I use it almost
exclusively.  I just haven't looked seriously at deploying throughout the
company where I work.

On Thu, Aug 23, 2012 at 10:34 PM, joe user  wrote:

> We use Google Chrome and don't really worry about it.
>
>
> --
> Regards,
>  joeuser - Still looking for the 'any' key...
>
> "...now these points of data make a beautiful line..."
>


Re: How to maintain Adobe and Java updates

2012-08-23 Thread Jonathan Link
Say what?

On Thu, Aug 23, 2012 at 10:34 PM, joe user  wrote:

> We use Google Chrome and don't really worry about it.
>
>
> --
> Regards,
>  joeuser - Still looking for the 'any' key...
>
> "...now these points of data make a beautiful line..."
>
>


RE: PKI big picture?

2012-08-23 Thread Brian Desmond
My understanding is that you're likely looking at a high five figure to mid six 
figure annual cost to have your CA signed so you are issuing publicly trusted 
certs as you describe. If this is something you want to do, you need to hire a 
consultant to help you - there's a ton of work involved.

I think SCCM expects a trusted cert on each device for the Internet client 
scenario so that's why you need the internal PKI infrastructure. 

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

-Original Message-
From: Stephen Wimberly [mailto:riverside...@gmail.com] 
Sent: Thursday, August 23, 2012 1:06 PM
To: NT System Admin Issues
Subject: PKI big picture?

I want to use PKI for SCCM 2012, and it's a nice to have for other servers.

QUESTION:  If I were to purchase a certificate from an outside trusted vendor 
like Verisign, could I skip the internal Enterprise server CA and import the 
purchased certificate directly to my SCCM server?

From what I have read so far it looks best to purchase a cert, import it to 
your Enterprise CA and then create certificates from the Enterprise CA but it 
just sounds redundant.  Am I really seeing this 'right'?




RE: Network PDF/Tiff printers

2012-08-23 Thread David L Herrick
And via api calls we frequently set the destination folder and the end user 
never knows

-Original Message-
From: David L Herrick [mailto:davidherr...@nincal.com] 
Sent: Thursday, August 23, 2012 4:29 PM
To: NT System Admin Issues
Subject: RE: Network PDF/Tiff printers

Pdf995 can be set to use the saveas dialogue every time

-Original Message-
From: N Parr [mailto:npar...@mortonind.com]
Sent: Thursday, August 23, 2012 12:13 PM
To: NT System Admin Issues
Subject: RE: Network PDF/Tiff printers

I tried PDF Creator but I have the same problem with it as I do with other 
creators I've found that support print server installs.  It can't give the 
client a save dialog.  You can only set the server to save in a certain 
location.  That just won't work for me.  My users are saving different file 
types in different locations and I can't set up 50 different printer shares.  
Maybe it's just something impossible to do, sure you can install it locally but 
that defeats the entire purpose of a central print server and management. 

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Wednesday, August 22, 2012 2:36 PM
To: NT System Admin Issues
Subject: RE: Network PDF/Tiff printers

We are using PDF Creator.
It saves the PDF in the users home folder and so far has worked great.

-Original Message-
From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, August 22, 2012 2:17 PM
To: NT System Admin Issues
Subject: Network PDF/Tiff printers

I dug through the archives and didn't find anything specific to networking pdf 
printers.  Hoping someone has tackled this already.  Almost everyone uses a PDF 
printer of some sort, we also use a Tiff printer because that's what our Doc 
management system uses and it's also the type of file most of our customers 
send us prints in.  In Googling around I found a package from IMECOM that has a 
print 2 image driver that can be installed on a print server and shared that 
handles pdf, tiff, etc.  Anyone recommend others?
Thanks



RE: Network PDF/Tiff printers

2012-08-23 Thread David L Herrick
Pdf995 can be set to use the saveas dialogue every time

-Original Message-
From: N Parr [mailto:npar...@mortonind.com] 
Sent: Thursday, August 23, 2012 12:13 PM
To: NT System Admin Issues
Subject: RE: Network PDF/Tiff printers

I tried PDF Creator but I have the same problem with it as I do with other 
creators I've found that support print server installs.  It can't give the 
client a save dialog.  You can only set the server to save in a certain 
location.  That just won't work for me.  My users are saving different file 
types in different locations and I can't set up 50 different printer shares.  
Maybe it's just something impossible to do, sure you can install it locally but 
that defeats the entire purpose of a central print server and management. 

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Wednesday, August 22, 2012 2:36 PM
To: NT System Admin Issues
Subject: RE: Network PDF/Tiff printers

We are using PDF Creator.
It saves the PDF in the users home folder and so far has worked great.

-Original Message-
From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, August 22, 2012 2:17 PM
To: NT System Admin Issues
Subject: Network PDF/Tiff printers

I dug through the archives and didn't find anything specific to networking pdf 
printers.  Hoping someone has tackled this already.  Almost everyone uses a PDF 
printer of some sort, we also use a Tiff printer because that's what our Doc 
management system uses and it's also the type of file most of our customers 
send us prints in.  In Googling around I found a package from IMECOM that has a 
print 2 image driver that can be installed on a print server and shared that 
handles pdf, tiff, etc.  Anyone recommend others?
Thanks



Re: PKI big picture?

2012-08-23 Thread Kurt Buff
We'll be implementing both once I have my new VMware environment up and running.

I needed our PKI to start with for Direct Access/UAG, and now it's also
in use for Lync, and soon our 802.1X wireless, and, well, I'm sure
there's more to come.

Terribly useful, all told.

Kurt

On Thu, Aug 23, 2012 at 2:59 PM, Michael B. Smith  wrote:
> Eh, SCOM wants a cert more than SCCM does. IME.
>
> But I still agree with your conclusion.
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Thursday, August 23, 2012 3:18 PM
> To: NT System Admin Issues
> Subject: Re: PKI big picture?
>
> On Thu, Aug 23, 2012 at 11:06 AM, Stephen Wimberly
>  wrote:
>> I want to use PKI for SCCM 2012, and it's a nice to have for other servers.
>>
>> QUESTION:  If I were to purchase a certificate from an outside trusted
>> vendor like Verisign, could I skip the internal Enterprise server CA
>> and import the purchased certificate directly to my SCCM server?
>>
>> From what I have read so far it looks best to purchase a cert, import
>> it to your Enterprise CA and then create certificates from the
>> Enterprise CA but it just sounds redundant.  Am I really seeing this
>> 'right'?
>
> I suspect that won't work. We haven't yet brought up SCCM here, but at
> least some MSFT products require not only a cert installed on the
> server, but also a cert installed on the workstation. Even if SCCM
> doesn't require workstation certs, other stuff will.
>
> I'd bite the bullet and put in a proper CA structure, with a root CA
> (running Win2k8R2 standard, probably as a VM) that is shut down 99+%
> of the time, and an intermediate CA (running Win2k8 R2 Enterprise),
> that is always up and running.
>
> IMHO, if you're big enough to run SCCM, you're big enough to have a PKI.
>
> Kurt
>


Re: How to check bandwidth on fibre

2012-08-23 Thread Stefan Jafs
Actually: show interface Port#, gives me lots of info, that's all I need

thanks
Stefan


On Thu, Aug 23, 2012 at 3:07 PM, Kurt Buff  wrote:

> On Thu, Aug 23, 2012 at 11:31 AM, Stefan Jafs wrote:
> > I have an HP 8212zl switch with a JBIC connected fibre to a Dell PC 3448P, I
> > would like to know what approximate bandwidth the connection uses, is there
> > built in monitoring or do I need some 3rd party application?
> What do you use for monitoring bandwidth usage on your other equipment?
>
> I'm not terribly familiar with SCOM, but it looks as if 2012 has some
> of the functionality you need.
>
> OTOH, if you have a *nix box laying around, either cacti or MRTG will
> do the job nicely.
>
> In any case, it will take a tool that understands SNMP, and perhaps
> can graph the data for you (if you want history to look at), and
> certainly cacti and MRTG can do both of those.
>
> Kurt
>



-- 
Stefan Jafs


RE: PKI big picture?

2012-08-23 Thread Rod Trent
BTW: Plan your PKI appropriately.  There's a patch available now that requires 
strong keys, but won't be mandatory for a bit.

http://myitforum.com/myitforumwp/2012/08/15/update-to-the-update-that-could-harm-your-system-center-environment-if-youre-not-ready/
 



-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, August 23, 2012 6:00 PM
To: NT System Admin Issues
Subject: RE: PKI big picture?

Eh, SCOM wants a cert more than SCCM does. IME.

But I still agree with your conclusion.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Thursday, August 23, 2012 3:18 PM
To: NT System Admin Issues
Subject: Re: PKI big picture?

On Thu, Aug 23, 2012 at 11:06 AM, Stephen Wimberly  
wrote:
> I want to use PKI for SCCM 2012, and it's a nice to have for other servers.
>
> QUESTION:  If I were to purchase a certificate from an outside trusted 
> vendor like Verisign, could I skip the internal Enterprise server CA 
> and import the purchased certificate directly to my SCCM server?
>
> From what I have read so far it looks best to purchase a cert, import 
> it to your Enterprise CA and then create certificates from the 
> Enterprise CA but it just sounds redundant.  Am I really seeing this 
> 'right'?

I suspect that won't work. We haven't yet brought up SCCM here, but at least 
some MSFT products require not only a cert installed on the server, but also a 
cert installed on the workstation. Even if SCCM doesn't require workstation 
certs, other stuff will.

I'd bite the bullet and put in a proper CA structure, with a root CA (running 
Win2k8R2 standard, probably as a VM) that is shut down 99+% of the time, and an 
intermediate CA (running Win2k8 R2 Enterprise), that is always up and running.

IMHO, if you're big enough to run SCCM, you're big enough to have a PKI.

Kurt




RE: Windows InTune

2012-08-23 Thread Rod Trent
Yeah…I have my reasons for some level of concern, but what's yours?

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, August 23, 2012 5:54 PM
To: NT System Admin Issues
Subject: RE: Windows InTune

 

Which scares the crap outta me.

 

From: Rod Trent [mailto:rodtr...@myitforum.com] 
Sent: Thursday, August 23, 2012 5:30 PM
To: NT System Admin Issues
Subject: RE: Windows InTune

 

What exactly do you want to know?

 

InTune has come a long way in a short time and does a great job.  And,
Microsoft is investing heavily in the future of InTune, and will eventually
marry ConfigMgr and InTune.

 

From: Roger Wright [mailto:rhw...@gmail.com] 
Sent: Thursday, August 23, 2012 4:48 PM
To: NT System Admin Issues
Subject: Windows InTune

 

We're seeing a greater need for something like Windows InTune for about
10-15 machines that rarely touch our network.  Currently, we have no way to
manage these machines and assure they're receiving Microsoft, Adobe, Java,
or other updates. VIPRE does report home, however, so at least that aspect
is covered.  

 

Any comments regarding InTune usage results or evaluations would be helpful.
TIA...


Roger Wright
___

Geocaching:  Hide, Hunt, Find & Repeat - It's FUN!

 

 

 


RE: PKI big picture?

2012-08-23 Thread Michael B. Smith
Eh, SCOM wants a cert more than SCCM does. IME.

But I still agree with your conclusion.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Thursday, August 23, 2012 3:18 PM
To: NT System Admin Issues
Subject: Re: PKI big picture?

On Thu, Aug 23, 2012 at 11:06 AM, Stephen Wimberly
 wrote:
> I want to use PKI for SCCM 2012, and it's a nice to have for other servers.
>
> QUESTION:  If I were to purchase a certificate from an outside trusted
> vendor like Verisign, could I skip the internal Enterprise server CA
> and import the purchased certificate directly to my SCCM server?
>
> From what I have read so far it looks best to purchase a cert, import
> it to your Enterprise CA and then create certificates from the
> Enterprise CA but it just sounds redundant.  Am I really seeing this
> 'right'?

I suspect that won't work. We haven't yet brought up SCCM here, but at
least some MSFT products require not only a cert installed on the
server, but also a cert installed on the workstation. Even if SCCM
doesn't require workstation certs, other stuff will.

I'd bite the bullet and put in a proper CA structure, with a root CA
(running Win2k8R2 standard, probably as a VM) that is shut down 99+%
of the time, and an intermediate CA (running Win2k8 R2 Enterprise),
that is always up and running.

IMHO, if you're big enough to run SCCM, you're big enough to have a PKI.

Kurt


RE: Windows InTune

2012-08-23 Thread David Lum
What can possibly go wrong? :)

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, August 23, 2012 2:54 PM
To: NT System Admin Issues
Subject: RE: Windows InTune

Which scares the crap outta me.

From: Rod Trent 
[mailto:rodtr...@myitforum.com]
Sent: Thursday, August 23, 2012 5:30 PM
To: NT System Admin Issues
Subject: RE: Windows InTune

What exactly do you want to know?

InTune has come a long way in a short time and does a great job.  And, 
Microsoft is investing heavily in the future of InTune, and will eventually 
marry ConfigMgr and InTune.

From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Thursday, August 23, 2012 4:48 PM
To: NT System Admin Issues
Subject: Windows InTune

We're seeing a greater need for something like Windows InTune for about 10-15 
machines that rarely touch our network.  Currently, we have no way to manage 
these machines and assure they're receiving Microsoft, Adobe, Java, or other 
updates. VIPRE does report home, however, so at least that aspect is covered.

Any comments regarding InTune usage results or evaluations would be helpful.  
TIA...


Roger Wright
___
Geocaching:  Hide, Hunt, Find & Repeat - It's FUN!





Short term wireless needed

2012-08-23 Thread Tom Miller

Sorry if this was recently discussed.  I thought it was but can't find it when 
I search archives.
I need a few WAPs in bridge mode for one of my buildings.  This is temporary 
since I have enterprise wireless equipment on order for our campus, but won't 
be here in time for when it's needed.  I think four should be fine.  Nothing 
fancy needed.  Suggestions?  Something I could pick up at a store would be 
best.  
 
Thanks,
Tom

RE: Network PDF/Tiff printers

2012-08-23 Thread Glen Johnson
Ah ha.
We just set it to autosave in \\domain\homedirs\\ and the users 
know where it is and can move/rename if they want.
Don't remember where I found that variable name, but it works.
The file name is 
No complaints so far.


-Original Message-
From: N Parr [mailto:npar...@mortonind.com] 
Sent: Thursday, August 23, 2012 3:13 PM
To: NT System Admin Issues
Subject: RE: Network PDF/Tiff printers

I tried PDF Creator but I have the same problem with it as I do with other 
creators I've found that support print server installs.  It can't give the 
client a save dialog.  You can only set the server to save in a certain 
location.  That just won't work for me.  My users are saving different file 
types in different locations and I can't set up 50 different printer shares.  
Maybe it's just something impossible to do, sure you can install it locally but 
that defeats the entire purpose of a central print server and management. 

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Wednesday, August 22, 2012 2:36 PM
To: NT System Admin Issues
Subject: RE: Network PDF/Tiff printers

We are using PDF Creator.
It saves the PDF in the users home folder and so far has worked great.

-Original Message-
From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, August 22, 2012 2:17 PM
To: NT System Admin Issues
Subject: Network PDF/Tiff printers

I dug through the archives and didn't find anything specific to networking pdf 
printers.  Hoping someone has tackled this already.  Almost everyone uses a PDF 
printer of some sort, we also use a Tiff printer because that's what our Doc 
management system uses and it's also the type of file most of our customers 
send us prints in.  In Googling around I found a package from IMECOM that has a 
print 2 image driver that can be installed on a print server and shared that 
handles pdf, tiff, etc.  Anyone recommend others?
Thanks



Re: PKI big picture?

2012-08-23 Thread Kurt Buff
On Thu, Aug 23, 2012 at 11:06 AM, Stephen Wimberly wrote:
> I want to use PKI for SCCM 2012, and it's a nice to have for other servers.
>
> QUESTION:  If I were to purchase a certificate from an outside trusted
> vendor like Verisign, could I skip the internal Enterprise server CA
> and import the purchased certificate directly to my SCCM server?
>
> From what I have read so far it looks best to purchase a cert, import
> it to your Enterprise CA and then create certificates from the
> Enterprise CA but it just sounds redundant.  Am I really seeing this
> 'right'?

I suspect that won't work. We haven't yet brought up SCCM here, but at
least some MSFT products require not only a cert installed on the
server, but also a cert installed on the workstation. Even if SCCM
doesn't require workstation certs, other stuff will.

I'd bite the bullet and put in a proper CA structure, with a root CA
(running Win2k8R2 standard, probably as a VM) that is shut down 99+%
of the time, and an intermediate CA (running Win2k8 R2 Enterprise),
that is always up and running.

IMHO, if you're big enough to run SCCM, you're big enough to have a PKI.

Kurt
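
The two-tier layout recommended in the reply above (a root CA that stays offline, an issuing CA that stays online), sketched with OpenSSL rather than AD CS as an added example that is not part of the thread. The lab names, the 30-day lifetimes and the `pathlen:0` constraint are assumptions; the last certificate shows that a cert signed by a server authentication cert fails chain validation.

```shell
set -eu   # added lab sketch; every name below is a constructed placeholder

write_config() {   # $1 = working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[issuing_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# issue DIR NAME CN SECTION SIGNER   (SIGNER equal to NAME means self-signed)
issue() {
  d=$1; n=$2; cn=$3; sect=$4; ca=$5
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ "$n" = "$ca" ]; then set -- -signkey "$d/$n.key"
  else set -- -CA "$d/$ca.crt" -CAkey "$d/$ca.key" -CAcreateserial; fi
  openssl x509 -req -in "$d/$n.csr" -days 30 -extfile "$d/pki.cnf" \
    -extensions "$sect" -out "$d/$n.crt" "$@" 2>/dev/null
}

build_lab() {   # $1 = empty directory
  write_config "$1"
  issue "$1" root    "Lab Root CA"      root_ca    root     # kept offline
  issue "$1" issuing "Lab Issuing CA"   issuing_ca root     # always online
  issue "$1" sccm    "sccm.lab.example" server     issuing  # server auth cert
  issue "$1" ws01    "ws01.lab.example" server     sccm     # signed by a non-CA cert
  cat "$1/issuing.crt" "$1/sccm.crt" > "$1/chain.pem"
}

# Clients trust only the root; everything else is presented as untrusted.
chain_ok() {   # $1 = directory, $2 = certificate name
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/chain.pem" "$1/$2.crt" >/dev/null 2>&1
}

lab=$(mktemp -d); build_lab "$lab"
for c in sccm ws01; do
  if chain_ok "$lab" "$c"; then echo "$c: chain valid"; else echo "$c: rejected"; fi
done
rm -rf "$lab"
```

Only `root.crt` has to be distributed to clients as a trust anchor; the root key is needed again only to renew or revoke the issuing CA certificate.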



RE: Network PDF/Tiff printers

2012-08-23 Thread N Parr
I tried PDF Creator but I have the same problem with it as I do with other 
creators I've found that support print server installs.  It can't give the 
client a save dialog.  You can only set the server to save in a certain 
location.  That just won't work for me.  My users are saving different file 
types in different locations and I can't set up 50 different printer shares.  
Maybe it's just something impossible to do, sure you can install it locally but 
that defeats the entire purpose of a central print server and management. 

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Wednesday, August 22, 2012 2:36 PM
To: NT System Admin Issues
Subject: RE: Network PDF/Tiff printers

We are using PDF Creator.
It saves the PDF in the users home folder and so far has worked great.

-Original Message-
From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, August 22, 2012 2:17 PM
To: NT System Admin Issues
Subject: Network PDF/Tiff printers

I dug through the archives and didn't find anything specific to networking pdf 
printers.  Hoping someone has tackled this already.  Almost everyone uses a PDF 
printer of some sort, we also use a Tiff printer because that's what our Doc 
management system uses and it's also the type of file most of our customers 
send us prints in.  In Googling around I found a package from IMECOM that has a 
print 2 image driver that can be installed on a print server and shared that 
handles pdf, tiff, etc.  Anyone recommend others?
Thanks



Re: How to check bandwidth on fibre

2012-08-23 Thread Kurt Buff
On Thu, Aug 23, 2012 at 11:31 AM, Stefan Jafs wrote:
> I have an HP 8212zl switch with a JBIC connected fibre to a Dell PC 3448P, I
> would like to know what approximate bandwidth the connection uses, is there
> built in monitoring or do I need some 3rd party application?

What do you use for monitoring bandwidth usage on your other equipment?

I'm not terribly familiar with SCOM, but it looks as if 2012 has some
of the functionality you need.

OTOH, if you have a *nix box laying around, either cacti or MRTG will
do the job nicely.

In any case, it will take a tool that understands SNMP, and perhaps
can graph the data for you (if you want history to look at), and
certainly cacti and MRTG can do both of those.

Kurt



Admin account and Event ID 540 using Authz

2012-08-23 Thread Christopher Bodnar
This was new to me so thought I would pass it along to the group in case 
it saves anyone some time.

Got a call from one of the other admins and they noticed a logon by me at 
the same time that a service stopped. I have a remediation script that 
kicks off at this time, but wasn't aware it was using my admin account. 
So told him that's what it was and I'd take care of it. So as I dig into 
it, I find none of the other servers that ran the script showed a logon 
using my account. So now, I'm really scratching my head. So I start 
googling the specifics of the 540 event ID in particular the Authz part, 
since I wasn't sure exactly what that referred to, and I found this:

http://techblog.wanierke.de/2009/09/23/service-stoppsstarted-event-id-540-logonlogoff-by-username/print

It was exactly the issue in this situation. Very strange. I've never even 
heard of a problem like this before. 

fun stuff



Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 






PKI big picture?

2012-08-23 Thread Stephen Wimberly
I want to use PKI for SCCM 2012, and it's a nice to have for other servers.

QUESTION:  If I were to purchase a certificate from an outside trusted
vendor like Verisign, could I skip the internal Enterprise server CA
and import the purchased certificate directly to my SCCM server?

From what I have read so far it looks best to purchase a cert, import
it to your Enterprise CA and then create certificates from the
Enterprise CA but it just sounds redundant.  Am I really seeing this
'right'?
