Hmmmm.....

There are two releases per year: January, 31th and July, 31th.

@Obsolesce said in Active Directory - User Attribute RFID/HID Badge:

@DustinB3403 said in Active Directory - User Attribute RFID/HID Badge:

@Dashrender I'm a 3rd party to the end customer here. Acting as the middle man as the customer's IT department wanted to engage outside support to try and vet different products.

I candidly told the customer that while this product will work, it won't work with all of the features they want without some substantial changes to their infrastructure and that the support (at least from this vendor) is pretty awful.

The simple approach here is to not integrate RFID/HID's to the system and simply use the AD Integration with the built-in QR codes that each member is assigned.

Just because something may be supported, doesn't imply that it is support.

Except in this case the vendor very clearly has stated they support you adding custom attributes within AD.

@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

@EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:

I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left aren't subject to DUO).

Are those that are left on prem - are they actual users? If so, I'm curious why they can't be migrated?

Eventually all users will be migrated, so, yes, we still have real users on-prem.

This is outside the scope of the original question / scenario, but I've learned a good bit during this process with much of that learning validating a few things I already knew, such as the value of taking the necessary time to plan, and prep the environment for migration (removing unnecessary objects, etc.).

So far the rebuild appears to be still working. It ran all night. No complaints yet.

Try this instead:

$FolderPath = Get-ChildItem -Recurse -Depth 2 -Path "P:\Public" -Force

Where -Depth is the how many levels deep you want to go.

If you want to see what a cmdlet can do, you can use:

Get-Help Get-ChildItem -Full

@IRJ said in New to Windows Active Directory and Group Security Management:

Make an AD group called workstation_admins and add that group to local administrators account on each desktop. This group does not need any AD rights and nobody's account should be in there except for IT admin accounts. Even those IT admin accounts should not be used on local desktops to login on a regular basis. Only when elevation is actually needed, and even then you should use run as.

I do this - Those who need it have a workstation admin account and a local non admin normal account.

@flaxking said in PowerShell - Using Variables to Delete SMTP Proxy Addresses in AD:

if they do not have previous experience with objects

Describes me. lol

@Dashrender said in SAMIT: Do You Really Need Active Directory:

I am surprised that MS didn't come out with a better solution for this ages ago. That whole Direct Connect or whatever it was called - phone home VPN solution they have for Enterprise edition only - what a kluge.

They are working on phasing this out. DirectAccess was a kludge that is being replaced by Always-On-VPN. Which works on versions of Windows Professional and Up and requires very little outside of a certificate and Group Policies (or Intune).

Discussion on the policy side of this is over here:

https://mangolassi.it/topic/20894/policies-vs-network-access-control

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

@Dashrender all ubnt

They have two models, the unifi USGs and the EdgeRouter series - which are you sporting?

A quick update for y'all that are watching/participating in this thread (thank you, by the way!).

Late Friday I realized where the lockouts where coming from. We have a Windows VM that has a suite of applications that folks need to use every blue moon or so, and they access the VM via RDP. Of course, users don't log out, they just close the RDP client (I am going to fix this). The user in question had an old logon session on this VM. Killing the user's session (I just rebooted the VM) seems to have done the trick.

Now the goal is to better position myself for the next time this happens. I also figure it's probably not a bad idea to have more visibility on account lockouts and where they are coming from in general.

@marcinozga said in Any Way to Automate Adding a New Computer to an AD Group?:

@flaxking said in Any Way to Automate Adding a New Computer to an AD Group?:

@marcinozga said in Any Way to Automate Adding a New Computer to an AD Group?:

Ansible can do that. https://docs.ansible.com/ansible/latest/modules/win_domain_group_membership_module.html#win-domain-group-membership-module
You can add new PCs to domain, and change their group membership, you just need to know computer names in advance.

Which is just a layer on top of Powershell. The Active Directory Powershell module is still required.

It's not required, or that module is included already in Windows 10 by default. Because I haven't had to install it on any machine I managed with Ansible.

"win_domain_group_membership requires the ActiveDirectory PS module to be installed"
https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_domain_group_membership.ps1

They have it in the documentation as well "This must be run on a host that has the ActiveDirectory powershell module installed."
https://docs.ansible.com/ansible/latest/modules/win_domain_group_module.html