For later when people find this...

https://mangolassi.it/topic/18166/windows-10-goes-to-sleep-outside-listed-sleep-times/53

I ASSUME that their answer is that no one should be emailing attachments like that and they should be sending links to the hosted files instead?

I can't remember the last time that we had to email someone an attachment of an office document, just saying that sounds like a legacy process. Who needs to do that in the modern world?

@pmoncho said in Beelink PC issues:

@scottalanmiller said in Beelink PC issues:

@pmoncho said in Beelink PC issues:

@scottalanmiller said in Beelink PC issues:

@JaredBusch said in Beelink PC issues:

@stacksofplates said in Beelink PC issues:

I've bought a couple of the micro form factor Optiplex computers (9020) and have been happy with them. You couldn't have saved too much by buying something like this I can't imagine? I think I paid $250 for the last one and it came with 8GB RAM, an i7, and a 250GB SSD.

This? Yeah, it does not compare, except price.
3d300516-2370-4fe5-9158-18ceeb8a785b-image.png

Wow, that can't be worth $40 new, but $240 used? What the heck?

It should be worth $40 and my guess for the higher price is economics. It was built well and keep on chugging along. It seems they are continually in demand for a basic pc that needs just a web browser or to act as a kiosk.

Yes, but you can get brand new with much more performance for that price. Why get something that is a decade old, AND used when new and new is possible? Much less flexible. And can that unit even run current Windows?

Because it keeps chugging along and fulfilling the purpose it was intended. If @stacksofplates doesn't have to do anything to it for 2-3 years other than updates and/or deal with any issues @Dashrender is having, then it could be worth the money.

It seems, based on this thread, the issues @Dashrender is having with the more powerfull/lower cost Beelinks are becoming more expensive than if he just paid $550 for a Dell Optiplex 5070 micro. I cannot be sure as only @Dashrender knows the true cost and if the Beelink's are working out better.

I like products that fulfill the purpose and require less maintenance. If that is Beelink or a new $1200 OptiPlex 5090 micro, count me in.

I guess it comes down to the old axiom, "Price is what you pay, value is what you get!"

Gotta remember that we've all had Dell, HP and others be dead on arrival, too. Even in large batches. Anyone remember all those Dell laptops with bad capacitors that they shipped out? I ran the teams that had to go to client sites to replace them (I ran Dell support organizations.) The difference, for sure, was with Dell the customers had purchased long, extensive warranties and everything was on Dell to replace (and they did, normally.)

But you really have to compare bigger scope. That this is his first try with Beelink is concerning, for sure. It's not a good sign. And only a 30 day "warranty" is worrisome, too. It's good for me, because we often ship to places where warranties aren't honored anyway so paying for one is a loss.

But every vendor has issues, from time to time. So you have to be careful with extrapolating a lot of decision from a single datum.

@scottalanmiller said in Decentralized Identity:

@Dashrender said in Decentralized Identity:

@scottalanmiller said in Decentralized Identity:

@Dashrender said in Decentralized Identity:

And those situations exist why? because Google and Facebook make a mint knowing more about YOU - the product.

But twitter, GitHub, Discord, Apple and others don't and exist too. It's an easy thing to provide.

Do those platforms offer centralized authentication? And - is it open to anyone to use? i.e. could ML choose to use Apple's APIs to do authentication?

Yes, very common. We have hooks for many (not apple I don't think) available but it's a pain to maintain as they are third party and is it really valuable?

Some sites that I use offer Apple for sure. I see it all the time.

Is it valuable? I'd love the ability to use everything off my MS account - so yes, I think so.

But a websites need to support dozens or more "centralized" or as the stupid video puts it - decentralized - authentication providers would definitely be a PITA for them.

@scottalanmiller said in Weird DNS resolution issue:

@Dashrender said in Weird DNS resolution issue:

I suppose it's possible that would have resolved this specific issue as the router would have been the only device making connections to the external DNS... but then again - it could have caused all machines to go without DNS when the upstream server stopped responding...

Not very likely. Plausible, but not likely enough to avoid it.

sure - but then again, I've never seen this situation before either - so I would have previously called it unlikely.

@scottalanmiller said in Migrating to xxxxx:

I have a similar situation. There's no more panic. Just "let me do my job and get on with it." People sometimes see that as not taking it seriously when really, I'm just that much more on top of things.

I've definitely walked into a few crisis that way with my old boss. Actually those were the best of work conditions - the confidence to just roll up the sleeves and get shit done. If only more of my life was like that.

@jaredbusch said in Locking down vendors:

@scottalanmiller said in Locking down vendors:

@dashrender said in Locking down vendors:

They MIGHT have an internal team for this, but since we have our own IT department, my management has decide to take the costs internal versus paying the new vendor to set up remote access for themselves.

That doesn't really make sense as this is all questions about THEIR IT. All your team can do is get in the way 😉

Right, I have no idea WTF you think you are doing here @Dashrender.

The most you should do is setup a VLAN or actual separate LAN with no access to your network. The other company can deal with putting something on this shit old device that reaches to their support infrastructure.

No one on there side has even breathed a word about something like that.

As I previously mentioned - the old HVAC vendor did all of their own management - I only provided them an internet connection, they managed everything else.
I can see the advantages of that - time to toss this at the new vendor similarly.

@dashrender said in Windows send only specific domains to proxy?:

@scottalanmiller said in Windows send only specific domains to proxy?:

Easiest thing is to override DNS for that domain and point to the proxy. Then the proxy can point on to whatever is real.

How do you propose doing that? remember these are laptops to be used from anywhere, I won't be able to control DNS in most places.

Are you suggesting putting an entry in hosts?

But an EASIER answer, I think, is to make your own CNAME.

Well - this vendor has called me back this morning (last bit of information was passed from the owner from a conversation they had with the vendor).

The vendor knows we are looking for remote access - specifically so we can run reports from home.

rep said - oh, you need that OK sure, fine - give me the user and their home IP and I'll get that added.

me - uh - home ISPs change IPs, sometimes daily - how are we supposed to keep you updated?

rep - oh - they'll have to give us the new IP so we can add it

me - /sigh - does your system support dynamic DNS based OK I screwed up - I should have just asked - Can you put an internet resolvable host name in your list instead of an IP?

rep - oh yeah I know what DDNS is

me - ok do you support it?

rep - well if you're attaching to your server using some type of VPN

me - no, that's not what DDNS is, I explain DDNS

rep - oh, I don't know if our system supports hostnames

me - can you check?

rep - sure

click

Of course this kinda flies in the face of the licensing issue the owner was told, but there's still hope - though very very little.

@dashrender said in Looking for a remote access solution:

@scottalanmiller said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

Then put the 2fa on the Windows RDP login with a service like Duo.
https://duo.com/docs/rdp
https://duo.com/editions-and-pricing/duo-free

Just use ZT to lower (all but remove) the attack surface.

That would get them up to 3FA (which isn't a bad thing) assuming ZT isn't somehow tied to some other authentication mechanism.

As it's been AGES since I've used ZT - can you make the user have to log into it each time they launch it? If yes - and it's logon isn't associated with AD (as you mentioned) then OK - I see how you consider ZT and RDP MFA.

The user can be forced to start or stop the process. The fact that it uses a key (something you have) owned by the user makes it MFA regardless of if they automate the login or force it to be manual.

Don't try to compare it to Duo or something like that which uses "something you have" to generate "something you know." Compare it to a security USB stick like YubiKey. It's a direct "something you have" 2FA in that sense.

@openit said in Offsite backup and CentOS Upstream - looking for suggestions.:

CentOS Upstream: Isn't okay for Production Servers anymore?

I assume you mean CentOS Stream?

Honestly it is a more viable solution for a Linux server than CentOS ever was as it is no longer so out dated.

But, I would give the entire RHEL ecosystem a wide berth at this point.

This problem sounds familiar.
It's not a normal.dot type problem is it? Where the originator used normal.dot as their doc tempate, saved it as .dot again and it's screwing up everyone's normal.dot that reads / alters the document.

@scottalanmiller said in Laptops versus desktops and roaming users:

@irj said in Laptops versus desktops and roaming users:

@obsolesce said in Laptops versus desktops and roaming users:

I've not worked in hospitals but can image them with different needs and device purposes.

I worked for an 18k employee hospital system. All the support staff (IT, administration, etc) had laptops. The hospitals themselves used desktops as shared stations, but even administrators (or anyone with an office who didn't use shared computer) at hospital locations used laptops.

I work with doctors and we see desktops over laptops. Lots of laptops, to be sure. But desktops remain common that we see. Even in current green field deployments.

Oh - for the doctors themselves - absolutely, in general it seems they don't want to carry anything around with them, so that leaves desktops as the primary interface for them.

In hospitals in-patient care I generally still desktops also generally with swipe care access, at least on in room computers.

@rjt said in Who do you call for IT assistance:

@scottalanmiller As someone who has had to deal with vendor supplied hardware and software for a medical practice, I have come to firmly believe vendors are the enemy, a $very $very $expensive enemy.

Yup. In some cases, a true enemy. In others, just on the other side of the chess board. It's not always malicious, normally it is not. But their interest are very, very different than ours and their financial responsibilities oppose ours. So they are stuck either being ethical to their employers, or ethical to the people they are paid to convince to do things not in their interest.

If they are true to their employer, they can be ethical across the board. If they try to be good for the customer, they have to be unethical to their employer. A nonsensical situation.

@jaredbusch said in script to download and extract MicroSip portable:

@dashrender chocolatey can easily run as non-admin. The question is whether or not the application installs can handle that. Of course your centralized scrips for keeping things up-to-date would not get that use your space one you have to have a script to keep the user space chocolatey package up-to-date also

Yeah, I'll have to look at it - but only after someone else actually picks ownership of the package back up. The current maintainer has stated he's no longer maintaining it.

@dashrender said in M365 Migration - helpful scripts:

@jaredbusch said in M365 Migration - helpful scripts:

@dashrender said in M365 Migration - helpful scripts:

@jaredbusch said in M365 Migration - helpful scripts:

@dashrender You used $group but did not define it in your first example.

it's not defined on purpose - several of these have undefined, it's expected that you will define/replace them yourself.

That is a very poor guide. You posted a script. I expect to copy and paste it and see something work.

Jared is right to a point.

I've now gone back and added variables to all of my scripts making it easier for someone using these to see that they need to enter their own information into the variables to make it work.
I could take it a step further and prompt for that data - but one thing at a time.

1ac5e2e9-a96b-4311-b299-0cd34fcc7b14-image.png

@siringo said in hot potato workers:

I was thinking about this last night. Is there anything you could do with QR codes or similar. Issue a card per device. They swipe/flash the card to log on and the same to log off.

you know of a windows solution that does that? I don't, though I've never looked for one either.

@dashrender said in iPad 2 - are they still considered secure?:

@scottalanmiller said in iPad 2 - are they still considered secure?:

@dashrender said in iPad 2 - are they still considered secure?:

I'm primarily asking in regards to HIPAA.

More importantly than "is it secure" would be "does it meet HIPAA requirements?"

In both cases, the answer is "no". It is a HIPAA violation to use one for PHI.

Well, people are now making excuses - the data collected on them isn't PHI therefore we don't need to worry about it. /sigh.

Then the answer is simple... in no way, in no universe, does using an iPad 2 constitute defensible due diligence. No semi-reasonable court would look on that as anything but an intentional lack of effort at the cost of customer data being put at risk.

@dustinb3403 said in Digital sign boards:

Again, RP and screenly.io/ose

Literally 15 minutes and done for a single screen.

only support the 3.
3c94e740-8619-4553-8593-24e78efa3da8-image.png