@IRJ said in New to Windows Active Directory and Group Security Management: Make an AD group called workstation_admins and add that group to local administrators account on each desktop. This group does not need any AD rights and nobody's account should be in there except for IT admin accounts. Even those IT admin accounts should not be used on local desktops to login on a regular basis. Only when elevation is actually needed, and even then you should use run as. I do this - Those who need it have a workstation admin account and a local non admin normal account.

@flaxking said in PowerShell - Using Variables to Delete SMTP Proxy Addresses in AD: if they do not have previous experience with objects Describes me. lol

@Dashrender said in SAMIT: Do You Really Need Active Directory: I am surprised that MS didn't come out with a better solution for this ages ago. That whole Direct Connect or whatever it was called - phone home VPN solution they have for Enterprise edition only - what a kluge. They are working on phasing this out. DirectAccess was a kludge that is being replaced by Always-On-VPN. Which works on versions of Windows Professional and Up and requires very little outside of a certificate and Group Policies (or Intune).

Discussion on the policy side of this is over here: https://mangolassi.it/topic/20894/policies-vs-network-access-control

@krisleslie said in Anyone figured out how to ZeroTier with AD?: @Dashrender all ubnt They have two models, the unifi USGs and the EdgeRouter series - which are you sporting?

A quick update for y'all that are watching/participating in this thread (thank you, by the way!). Late Friday I realized where the lockouts where coming from. We have a Windows VM that has a suite of applications that folks need to use every blue moon or so, and they access the VM via RDP. Of course, users don't log out, they just close the RDP client (I am going to fix this). The user in question had an old logon session on this VM. Killing the user's session (I just rebooted the VM) seems to have done the trick. Now the goal is to better position myself for the next time this happens. I also figure it's probably not a bad idea to have more visibility on account lockouts and where they are coming from in general.

@marcinozga said in Any Way to Automate Adding a New Computer to an AD Group?: @flaxking said in Any Way to Automate Adding a New Computer to an AD Group?: @marcinozga said in Any Way to Automate Adding a New Computer to an AD Group?: Ansible can do that. https://docs.ansible.com/ansible/latest/modules/win_domain_group_membership_module.html#win-domain-group-membership-module You can add new PCs to domain, and change their group membership, you just need to know computer names in advance. Which is just a layer on top of Powershell. The Active Directory Powershell module is still required. It's not required, or that module is included already in Windows 10 by default. Because I haven't had to install it on any machine I managed with Ansible. "win_domain_group_membership requires the ActiveDirectory PS module to be installed" https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_domain_group_membership.ps1 They have it in the documentation as well "This must be run on a host that has the ActiveDirectory powershell module installed." https://docs.ansible.com/ansible/latest/modules/win_domain_group_module.html

@black3dynamite He shouldn't need to. I'm running it on 16.04 and what he is trying to do works for me.

@Dashrender I just checked a couple of clients and Time To Live where set to 3600 at most and counting down. @Obsolesce If it's default then one hour it is.

@mary said in Windows HomeGroups, WorkGroups, and Domains - CompTIA A+ 220-1002 Prof Messer: Is there any alternative to home group now that it isn't available on Windows 10? Also why would you use workgroup instead of Windows Domain? Is it a cost issue? "Home Group" was just a fancy name for network sharing without AD on Windows computers.

@Romo said in Deploy Active Directory via PowerShell: Great Job @EddieJennings !!, Really liked the flow and tempo of the video Thanks

Good find.

@scottalanmiller said in Estación de trabajo con 10 segundos de atraso en el reloj: @dbeato said in Estación de trabajo con 10 segundos de atraso en el reloj: @scottalanmiller said in Estación de trabajo con 10 segundos de atraso en el reloj: Anyone know what the normal variance on Windows boxes is when not using a local time source? How close in seconds would we even expect a site to be able to be? You can have it up to 5 minutes from the Domain Controller Servers time. No DCs. No AD. Gotcha, I am still trying to see what is the issue. 10 seconds is almost unnoticeable. What is the purpose?

@wrx7m said in PowerShell - Off-boarding Script: @dafyre said in PowerShell - Off-boarding Script: @wrx7m said in PowerShell - Off-boarding Script: @dafyre I think I found where you got it - https://www.powershelladmin.com/wiki/Powershell_prompt_for_password_convert_securestring_to_plain_text Anyway, I am not sure where, in my script, I should place that function. You'd put the actual function at the top of your script, and then just $myPassword=convertFrom-SecureToPlain -securepassword $MySecurePassword Wherever you need the password in plain text form. Thanks. It mostly works. The only problem is that it isn't actually using the password I specify at the top. It is somehow generating its own and then writing it at the end. I put in write-host "Plain Text Says: $plainText" and it shows the password that I typed in for the secure variable at the beginning, followed by the one that it generated. Plain Text Says: $#@%4#@177 Jof91348 Works fine for me here.... Check and make sure you don't have an extra write-host or anything somewhere.

@DustinB3403 said in Nomad - Manage Mac OS in Windows/AD Environment - Anyone Used It?: I've heard of it, and it's supposedly a really good product, the issue with it is the cost. At least at the time. The product now is JAMF Connect. So it looks to be a dead product that was replaced. Interesting. I'll look into that. I didn't see any mention of jamf.

@Dashrender said in Need to Join Windows XP Clients to a 2016 Domain: @scottalanmiller said in Need to Join Windows XP Clients to a 2016 Domain: @Dashrender said in Need to Join Windows XP Clients to a 2016 Domain: @scottalanmiller said in Need to Join Windows XP Clients to a 2016 Domain: @Dashrender said in Need to Join Windows XP Clients to a 2016 Domain: Does the XP machine need to be part of the domain? What about working around that issue? We removed the domain completely. So now you're what - trying to use a 2019 SMB file share or something? What does file share have to do with AD? Completely disconnected concepts. True - I was making my own leap - So - where does this stand now then?? We removed AD. It turned out that it had been installed without evaluation and was serving no real purpose, but was posing a significant risk.

@wrx7m said in OSX 10.14.X Bug - Roaming AD Accounts unable to login when Off Network: @DustinB3403 said in OSX 10.14.X Bug - Roaming AD Accounts unable to login when Off Network: My co-worker thinks he may have a workaround, which involves backing up the user profile, deleting the existing one and restoring the files for the user. We're testing this currently to see if this actually "sticks". Did it work? Waiting to hear back

So we did an older restore and the issue was resolved. This error was caused by ransomware.

It is because of this licensing discrepency that we know that CloudAtCost was running a scam. They advertised Windows servers that were unlicensed, and unlicensable.

Azure AD's Use of SAML Protocol

Tags added.

@DustinB3403 said in Windows Server 2012 Essentials Cannot Find Login Server for AD: That's rough. Very

@Donahue said in Where do I start with replacing the whole MS AD stack: sing reservations. I think your knowledge of FG is not allowing you to do this, just create a new interface with the desired subnet and leave or tick DHCP option. And they you can do it what you want with it. Create an IPv4 policy to give access to internet to the new interface.

@mattbagan said in RocketChat LDAP: @scottalanmiller Do you know where the snap version of mongodb is installed? I can't find it. Under /var/lib/snapd/snap/rocketchat-server/current/bin/ But what you want to do I assume is use Compass and just attach to it remotely. It's on port 27017 as usual.

@JaredBusch said in DNS Update Issue: @scottalanmiller the issue with nslookup being useless is stupid though. Agreed, that's really messed up.