@Romo said in Deploy Active Directory via PowerShell: Great Job @EddieJennings !!, Really liked the flow and tempo of the video Thanks

Good find.

@scottalanmiller said in Estación de trabajo con 10 segundos de atraso en el reloj: @dbeato said in Estación de trabajo con 10 segundos de atraso en el reloj: @scottalanmiller said in Estación de trabajo con 10 segundos de atraso en el reloj: Anyone know what the normal variance on Windows boxes is when not using a local time source? How close in seconds would we even expect a site to be able to be? You can have it up to 5 minutes from the Domain Controller Servers time. No DCs. No AD. Gotcha, I am still trying to see what is the issue. 10 seconds is almost unnoticeable. What is the purpose?

@wrx7m said in PowerShell - Off-boarding Script: @dafyre said in PowerShell - Off-boarding Script: @wrx7m said in PowerShell - Off-boarding Script: @dafyre I think I found where you got it - https://www.powershelladmin.com/wiki/Powershell_prompt_for_password_convert_securestring_to_plain_text Anyway, I am not sure where, in my script, I should place that function. You'd put the actual function at the top of your script, and then just $myPassword=convertFrom-SecureToPlain -securepassword $MySecurePassword Wherever you need the password in plain text form. Thanks. It mostly works. The only problem is that it isn't actually using the password I specify at the top. It is somehow generating its own and then writing it at the end. I put in write-host "Plain Text Says: $plainText" and it shows the password that I typed in for the secure variable at the beginning, followed by the one that it generated. Plain Text Says: $#@%4#@177 Jof91348 Works fine for me here.... Check and make sure you don't have an extra write-host or anything somewhere.

@DustinB3403 said in Nomad - Manage Mac OS in Windows/AD Environment - Anyone Used It?: I've heard of it, and it's supposedly a really good product, the issue with it is the cost. At least at the time. The product now is JAMF Connect. So it looks to be a dead product that was replaced. Interesting. I'll look into that. I didn't see any mention of jamf.

@Dashrender said in Need to Join Windows XP Clients to a 2016 Domain: @scottalanmiller said in Need to Join Windows XP Clients to a 2016 Domain: @Dashrender said in Need to Join Windows XP Clients to a 2016 Domain: @scottalanmiller said in Need to Join Windows XP Clients to a 2016 Domain: @Dashrender said in Need to Join Windows XP Clients to a 2016 Domain: Does the XP machine need to be part of the domain? What about working around that issue? We removed the domain completely. So now you're what - trying to use a 2019 SMB file share or something? What does file share have to do with AD? Completely disconnected concepts. True - I was making my own leap - So - where does this stand now then?? We removed AD. It turned out that it had been installed without evaluation and was serving no real purpose, but was posing a significant risk.

@wrx7m said in OSX 10.14.X Bug - Roaming AD Accounts unable to login when Off Network: @DustinB3403 said in OSX 10.14.X Bug - Roaming AD Accounts unable to login when Off Network: My co-worker thinks he may have a workaround, which involves backing up the user profile, deleting the existing one and restoring the files for the user. We're testing this currently to see if this actually "sticks". Did it work? Waiting to hear back

So we did an older restore and the issue was resolved. This error was caused by ransomware.

It is because of this licensing discrepency that we know that CloudAtCost was running a scam. They advertised Windows servers that were unlicensed, and unlicensable.

Azure AD's Use of SAML Protocol

Tags added.

@DustinB3403 said in Windows Server 2012 Essentials Cannot Find Login Server for AD: That's rough. Very

@Donahue said in Where do I start with replacing the whole MS AD stack: sing reservations. I think your knowledge of FG is not allowing you to do this, just create a new interface with the desired subnet and leave or tick DHCP option. And they you can do it what you want with it. Create an IPv4 policy to give access to internet to the new interface.

@mattbagan said in RocketChat LDAP: @scottalanmiller Do you know where the snap version of mongodb is installed? I can't find it. Under /var/lib/snapd/snap/rocketchat-server/current/bin/ But what you want to do I assume is use Compass and just attach to it remotely. It's on port 27017 as usual.

@JaredBusch said in DNS Update Issue: @scottalanmiller the issue with nslookup being useless is stupid though. Agreed, that's really messed up.

Turns out that it needed the -Credential flag, which Microsoft doesn't document as a requirement. This worked find... Add-Computer -DomainName "mydomain" -Credential mydomain\myusername

Since I was working with only ONE user this is what I needed to change it to, else was getting Parameter set cannot be resolved Import-module ActiveDirectory Get-ADUser -Filter {Name -eq "SomeUser"} -SearchBase "OU=Users,OU=OUGroup,DC=DOMAINname,DC=com" | Set-ADUser –scriptPath “\\SERVERNAME\netlogon\2018ADUC-script.txt” But it worked!

@eddiejennings said in Logging Domain user authentication failures: @travisdh1 said in Logging Domain user authentication failures: @eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need. I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing. We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure. Ah. What an ..... effective use of resources. Good luck, ExtraHop is very nice, but like every other tool, it's useless untill deployed properly.

One that I love Get-ADPrincipalGroupMembership -Identity SOMEUSERNAME | Select name List all of the groups in which the user is a member.

I got you # This script will export all users of the specified domain, and their group memberships to a CSV file. The usefulness of this tool is expressed when # setting up new hire employees or reviewing domain membership permissions. # It's not advisable to store the user credentials required to run this script as they can be decrypted. This script is not designed to save these credentials but could be modified to do so. # Use of this script implies that you understand what it does, and will do to with regards to your Active Directory installation members and group memberships. # As designed there are no changes made to your installation, the script simply generates a report of members, and their group memberships. # Any changes to this script are the responsibility of the person/organization which made said changes. # We cannot be held responsible for your misuse or misunderstanding of this script as it was designed. # # # # # Imports Active Directory information Import-Module Activedirectory $credentials = Get-Credential # Prompts for user credentials default user is “ ”, enter an administrator account in the form of “domain-name\administrator-account” Get-ADUser -Credential $credentials -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled | % { New-Object PSObject -Property @{ UserName = $_.DisplayName EmailAddress = $_.EmailAddress DistinguishedName = $_.DistinguishedName Enabled = $_.Enabled # Deliminates the document for easy copy and paste using ";" as the delimiter. Incredibly useful for Copy & Paste of group memberships to new hire employees. Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -join ";" } # The export path is variable change to desired location on domain controller or end user computer. } | Select UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Sort-Object Username | Export-Csv $ENV:UserProfile\Documents\User-Permissions.csv –NTI #Function Get-SaveFile($initialDirectory) #{ #[System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms") | #Out-Null # #$SaveFileDialog = New-Object System.Windows.Forms.SaveFileDialog #$SaveFileDialog.initialDirectory = $initialDirectory #$SaveFileDialog.filter = "All files (*.*)| *.*" #$SaveFileDialog.ShowDialog() | Out-Null #$SaveFileDialog.filename #} # # # open dialog box to select the .nessuss file. #$InputFile = Get-OpenFile #$OutputFile = Get-SaveFile # # #$Contents = [io.file]::ReadAllText($inputfile) #$Contents = [io.file]::ReadAllText('C:\tools\wd\nessus\data\data.xml') #$Global:OutFile = [System.IO.StreamWriter] "c:\tools\wd\nessus\outfile.csv" # ##$InputFile #$OutputFile #

See the following for ideas as to how you can accomplish what you're seeking to do: https://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

I've have used that ProfileWiz before by ForensiT, works really well.

@lakshmana The above helps me and its working but i need the output of that file to be append at the same .csv file which is not working.How to do that ?

@jaredbusch said in Small Restaurant Network Redesign: @scottalanmiller said in Small Restaurant Network Redesign: Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable. I detest NetGear switches. They generally work, but everytime I try to use one for something even half specific, they puke. Sites this small can use the EdgeSwitch 8 https://www.ubnt.com/edgemax/edgeswitch-8-150w/ And it will report into UNMS along with the routers. Plus it's actually a switch, hardware- and software-wise. Not a breadbox which jumps over the table because you "accidentally" attached a cable to it. (yeah, I know, some NetGears also feature a metal case but it's not the same).

@black3dynamite said in Least Privilege Accounts Setup: @zachary715 said in Least Privilege Accounts Setup: @jaredbusch said in Least Privilege Accounts Setup: @jaredbusch said in Least Privilege Accounts Setup: @zachary715 said in Least Privilege Accounts Setup: @jaredbusch said in Least Privilege Accounts Setup: I create an AD account specifically for local admin rights. This account information is ususally given to department managers. So if software or something needs installed, and they choose not to contact me, they can. They are also warned that fixing something will be billed... So you have one AD account setup that multiple department managers use when they need something that requires admin privileges? And then what you give that account local admin rights on each machine, or give it some sort of admin authority within the domain itself? That account gets local admin rights only. No other access. If I was an on site IT department, I woudl probably do it a bit different. I would have time to experiment and setup better methods. Yeah this is what I'm going through now and why I'm coming to the community to get input. Trying to think through this carefully and make sure I do it right and the way I want it done the first time. With the help of GPO Preferences, you could take advantage of using Item-level targeting for Local Users and Groups to fine tune who should have local admin privileges depending on the user, groups and/or computers. This is what I do. Works like a champ.

@scottalanmiller said in AD Emulation on *Nix: @jrc said in AD Emulation on *Nix: However the company that makes the software could care less about Windows client licensing, and as a franchisee they have zero options on using this software. Of course they don't care, the responsibility for that falls 100% onto the end client to ensure that they have properly licensed their environment. The vendor has zero responsibility here. Reminds me of a PBX appliance vendor that shipped their "server" with Windows XP Pro as the OS.