RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Melvin Backus
Can you elaborate on the 2016 functionality issues? -- There are 10 kinds of people in the world... those who understand binary and those who don't. ¯\_(ツ)_/¯

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Michael B. Smith
Well, NAP is gone in 2016, so DA can't use it (and that kills it right there for a lot of environments). WIP doesn't work with DA. DA is not xplat. DA requires domain join (thus it isn't suitable for mobile devices, contractors, and work-from-home - at this point, MSFT estimates that a third o

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Melvin Backus
All fair points. However it appears that AVPN requires either Azure or SCCM, neither of which are in the mix for us. NAP is gone in Windows 10 anyway, so that's already hit us in our current RRAS config. As for the rest, they are actually aligned with preferences for us so that may be a good t

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Michael B. Smith
AVPN doesn't require Azure or SCCM. Why do you think so? Intune and SCCM make it EASIER to deploy VPN policies (especially when it comes to versioning). But it can all be done with GPOs and login scripts (for Windows devices). You do require some MDM for mobile/BYOD deployments, whether it's In

[NTSysADM] Updating the AD documentation script

2017-11-14 Thread Webster
The first update to the Active Directory documentation script (V2.16) is on Github. Working on making the script work for a single domain in a multi-domain Forest. https://github.com/CarlWebster/ActiveDirectory/tree/V2.16 There are other changes coming to the script, with the help of MBS, but

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Melvin Backus
Multiple articles during my initial, but granted brief, research indicated one of those were required. Not having any exposure to it I reverted to my trusted source, the list, to confirm or debunk. :) https://social.technet.microsoft.com/Forums/azure/en-US/0dccbf52-89ae-4109-902d-5e7393e171d5/d

[NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Michael Leone
It's been so long since I've had to do this, I need a check. I'm doing something fundamentally wrong, I think. We use groups to set share/ACLs on folders. I got a request to share a 4th level sub-folder with other employees not in the ACL. So what I have is: Folder A1 (shared) -->>B2 -->>C

RE: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Kennedy, Jim
ABE won't do that, it just controls what they see... it just hides what they don't have read access to. Great feature, I use it everywhere but not what you need for this. Break inheritance on D4, add the group for the new users and create a shortcut for them directly to that path. \\server\B2\

RE: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Mayo, Bill
I agree with Jim, but I note that we often have problems with people who just can't handle that they can't navigate the structure to the file. Assuming there is no sensitivity to the filenames in the intermediate directories, another option here would be to give the new group permissions to just

RE: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Heaton, Joseph@Wildlife
You need to set up folder traversal. Whatever group needs access at D4 needs read/execute (This folder only) at the levels above it. They'll be able to see folders along the way, but won't be able to open them. [screenshot omitted]

Re: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Michael Leone
On Tue, Nov 14, 2017 at 12:02 PM, Kennedy, Jim wrote: > ABE won't do that, it just controls what they see... it just hides what they > don't have read access to. Great feature, I use it everywhere but not what > you need for this. > > Break inheritance on D4, add the group for the new users and

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Michael B. Smith
That was true prior to 1703, unless you wrote your own packager. It isn't any longer. The AVPN PowerShell cmdlets are now public: [screenshot omitted] And if you want to do this BEFORE 1703, you just use rasdial.exe and a triggered task in Task Scheduler. That works all

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Melvin Backus
Interesting. I actually tried using rasdial at some point to do this instead of doing CMAK connectoids but could never make it work. We actually managed to make RRAS work with NAP in our setup via CMAK, which I couldn’t reproduce. BTW, everyone we’ve talked to, including multiple Microsoft par

Re: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Kurt Buff
You need to adjust the permissions in the directory tree, and breaking inheritance is the wrong way of doing it. Change the permissions at each level so that they are explicitly defined to allow "This Folder and Files" for those who only need to see the files in that directory, but not other subdi
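Putting the three approaches in this sub-thread into commands, as an added example that is not part of any post: Jim's break-inheritance-at-D4 step, Joseph's "This folder only" Read & execute on each ancestor, and the "Applies to" scopes Kurt is referring to, all done with Get-Acl/Set-Acl. The share root S:\Shares\A1, the sub-path B2\C3\D4 from Michael's description and the group CORP\D4-Readers are placeholders. Two caveats a practitioner will want: the share permissions on A1 must also admit the group (NTFS alone is not enough), and because "Bypass traverse checking" is granted to Users by default, a direct link to the D4 path works without any ancestor ACE at all, which is why Jim's shortcut works; the ancestor ACEs only matter if the users need to browse down. "This folder only" Read & execute still lets them list the file and folder names at A1, B2 and C3 (Bill's point), so use Traverse instead of ReadAndExecute there if those names are sensitive.

```powershell
# Added example, not from the thread. Placeholders: S:\Shares\A1 is the shared root,
# B2\C3\D4 is the path from the question, CORP\D4-Readers is the group the new users are in.
# Run elevated on the file server.

function Add-NtfsAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        # Same names as the "Applies to" drop-down in the Advanced Security dialog
        [ValidateSet('ThisFolderOnly', 'ThisFolderAndFiles', 'ThisFolderSubfoldersAndFiles')]
        [string]$AppliesTo = 'ThisFolderSubfoldersAndFiles'
    )
    $inherit = switch ($AppliesTo) {
        'ThisFolderOnly'               { [System.Security.AccessControl.InheritanceFlags]::None }
        'ThisFolderAndFiles'           { [System.Security.AccessControl.InheritanceFlags]::ObjectInherit }
        'ThisFolderSubfoldersAndFiles' { [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit' }
    }
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-NtfsAce {
    # What the ACL actually says for one identity at one path, so the result can be checked
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{ n = 'Path'; e = { $Path } }, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}

$root   = 'S:\Shares\A1'
$group  = 'CORP\D4-Readers'
$chain  = @($root, "$root\B2", "$root\B2\C3")   # the ancestors the users must pass through
$target = "$root\B2\C3\D4"

# Jim's step: stop D4 inheriting from C3 (keeping the inherited ACEs as explicit copies),
# then give the group rights on D4 and everything below it.
$acl = Get-Acl -Path $target
$acl.SetAccessRuleProtection($true, $true)     # isProtected = yes, preserveInheritance = yes
Set-Acl -Path $target -AclObject $acl
Add-NtfsAce -Path $target -Identity $group -Rights Modify

# Joseph's step: "This folder only" Read & execute at each level above, so the users can
# browse down to D4 without getting rights on the files or sibling folders at those levels.
# Swap ReadAndExecute for Traverse if even the names at A1/B2/C3 must stay hidden.
foreach ($dir in $chain) {
    Add-NtfsAce -Path $dir -Identity $group -Rights ReadAndExecute -AppliesTo ThisFolderOnly
}

# Kurt's scope, for a level where the users should see that folder's files but none of its
# subfolders: "This folder and files" instead of "This folder only".
# Add-NtfsAce -Path "$root\B2" -Identity $group -Rights ReadAndExecute -AppliesTo ThisFolderAndFiles

# Check the result at every level: the ancestors should show InheritanceFlags "None",
# D4 should show "ContainerInherit, ObjectInherit" and IsInherited False.
foreach ($dir in $chain + $target) { Show-NtfsAce -Path $dir -Identity $group }
```

The `$true, $true` on SetAccessRuleProtection is what the "Disable inheritance / Convert inherited permissions into explicit permissions" button does; passing `$true, $false` would strip the inherited ACEs instead, which is how people lock themselves out of a folder.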

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Michael B. Smith
The 2.0.0.0 is the module version of VpnClient. On Windows 10, Add-VpnConnectionRoute doesn’t require admin privs. Add-VpnConnection also allows you to specify SplitTunneling when you create a VPN, which is (in my experience) the real reason you want to add a route 95% of the time. If you aren

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Melvin Backus
Hmm, I actually thought about task scheduler at one point but as I recall I couldn’t find a way to determine the proper gateway for the route. The CMAK connectoid does that with cmroute.dll and knows what the connection looks like. I’ll revisit and see what I can find now that I have some new
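To make the two approaches Michael describes concrete, here is an added example (my own, not from the thread and not Microsoft sample code). The VpnClient cmdlet path creates a split-tunnel profile with its routes attached (Add-VpnConnection -SplitTunneling plus Add-VpnConnectionRoute), so nothing has to run at dial time. The rasdial fallback solves the gateway problem Melvin ran into the way cmroute.dll does: the PPP adapter RAS brings up carries the connection's name, and its own IPv4 address is the next hop route.exe wants on a point-to-point link. Everything named is hypothetical: "Corp-VPN", vpn.example.com, the 10/8 and 172.16/12 prefixes, IKEv2 with machine certificates, C:\Scripts\Corp-Vpn.ps1 as the file's path (no spaces), and the RasClient event ID used for the trigger, which you should confirm in Event Viewer on your build before relying on it.

```powershell
# Added example, not from the thread. All names and addresses are placeholders.
# Save as C:\Scripts\Corp-Vpn.ps1 and run elevated:
#   -Mode Setup        create the profile and attach its routes (VpnClient cmdlets)
#   -Mode RegisterTask the pre-cmdlet fallback: a task that adds routes after each rasdial
#   -Mode OnConnect    what that task runs
param(
    [ValidateSet('Setup', 'RegisterTask', 'OnConnect')][string]$Mode = 'Setup',
    [string]$VpnName = 'Corp-VPN',
    [string]$VpnServer = 'vpn.example.com',
    [string[]]$InternalPrefixes = @('10.0.0.0/8', '172.16.0.0/12')
)

function New-SplitTunnelVpn {
    param([string]$Name, [string]$Server, [string[]]$Prefixes)
    if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
        # -SplitTunneling keeps the client's default route on its LAN/Wi-Fi adapter; the
        # per-connection routes below are what send the internal prefixes into the tunnel.
        Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
            -AuthenticationMethod MachineCertificate -EncryptionLevel Required -SplitTunneling
    }
    foreach ($p in $Prefixes) {
        # Stored on the profile; RAS installs the route every time the connection comes up.
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $p -ErrorAction Stop
    }
    (Get-VpnConnection -Name $Name).Routes      # verify what will be installed on connect
}

function Add-RouteAfterDial {
    param([string]$Name, [string[]]$Prefixes)
    # The PPP adapter is named after the connection; its own address is the "gateway".
    $ip = (Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction Stop).IPAddress
    foreach ($p in $Prefixes) {
        $net, $len = $p -split '/'
        $bits = ('1' * [int]$len).PadRight(32, '0')          # prefix length -> dotted mask
        $mask = (0..3 | ForEach-Object { [Convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }) -join '.'
        route.exe add $net mask $mask $ip metric 1 | Out-Null
    }
    Get-NetRoute -InterfaceAlias $Name -AddressFamily IPv4 |
        Select-Object DestinationPrefix, NextHop, RouteMetric   # check what actually landed
}

function Register-OnConnectTask {
    param([string]$Name, [string]$ScriptPath)
    # Assumption to confirm in Event Viewer: RasClient writes event 20225
    # ("... has successfully connected") to the Application log when a link comes up.
    $xpath  = "*[System[Provider[@Name='RasClient'] and EventID=20225]]"
    $action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath -Mode OnConnect -VpnName $Name"
    schtasks.exe /Create /F /TN "VpnRoutes-$Name" /RU SYSTEM /SC ONEVENT /EC Application /MO $xpath /TR $action
}

switch ($Mode) {
    'Setup'        { New-SplitTunnelVpn -Name $VpnName -Server $VpnServer -Prefixes $InternalPrefixes }
    'RegisterTask' {
        Register-OnConnectTask -Name $VpnName -ScriptPath $PSCommandPath
        rasdial.exe $VpnName          # machine-certificate profile: no credential prompt
    }
    'OnConnect'    { Add-RouteAfterDial -Name $VpnName -Prefixes $InternalPrefixes }
}
```

The task runs as SYSTEM because route.exe needs admin rights at the machine level; per Michael's note, Add-VpnConnectionRoute on the cmdlet path does not, which is the other reason to prefer it where the build allows.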

Re: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Michael Leone
On Tue, Nov 14, 2017 at 1:50 PM, Kurt Buff wrote: > You need to adjust the permissions in the directory tree, and breaking > inheritance is the wrong way of doing it. > > Change the permissions at each level so that they are explicitly > defined to allow "This Folder and Files" for those who only

Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Kurt Buff
Perhaps I missed it, but I didn't see that GP will autoconnect to the closest/fastest site. That doesn't mean GP is out of the running - I like it where I've set it up, so it's on my list, especially since all of our sites have Palo Altos already. But, from the way the questions were put to me, I

Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Kurt Buff
Ran through your posts in this thread, and I have to say that it looks like the days of DA are numbered. However, if I implement it under 2016, it should be supported for at least 5 more years (assuming that Win10 still supports it, too). So, I'm not worried too much about that as such, but AVPN

Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Don Ely
Sure it can, DNS RR or some kind of GTM. As for cloud, PA does GP in the cloud. Scales up and down as needed... On Tue, Nov 14, 2017 at 1:35 PM Kurt Buff wrote: > Perhaps I missed it, but I didn't see that GP will autoconnect to the > closest/fastest site. > > That doesn't mean GP is out of the

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Michael B. Smith
I can't speak to your environment, but many of my customers are pushing for Office 365/Azure Constrained Access. Especially because of mobile/BYOD. I suggest you should consider the likelihood or whether you'll NEED that capability within 5 years.

Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Kurt Buff
I presume this requires Panorama? We don't have that, I've been wanting it for a while, but it's been hard to justify when we have only 3 sites, two of which are PA500s. On Tue, Nov 14, 2017 at 1:49 PM, Don Ely wrote: > Sure it can, DNS RR or some kind of GTM > > As for cloud, PA does GP in the c

Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Kurt Buff
Do you mean need mobile/BYOD? Likely will, but whether we'll be on O365/Azure by then is an open question in my mind. I'd prefer not, but I recognize that MSFT wants their money, so will do everything they can to force us there. Kurt On Tue, Nov 14, 2017 at 1:56 PM, Michael B. Smith wrote: > I

RE: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Michael B. Smith
Sorry I wasn't clear. I meant, will you require "Office 365/Azure Constrained Access"?

Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Don Ely
Panorama is only a MGMT tool for the firewalls. It has nothing to do with traffic mgmt. On Nov 14, 2017 17:25, "Kurt Buff" wrote: > I presume this requires Panorama? We don't have that, I've been > wanting it for a while, but it's been hard to justify when we have > only 3 sites, two of which are