    • Profile
    • Following 0
    • Followers 0
    • Topics 273
    • Posts 3,519
    • Groups 0

    Posts

    • DISM /Remove-ProvisionedAppxpackage vs Remove-AppxPackage?

      I'm trying to clean up some unneeded Windows 10 apps. But I'm not sure about what method to use.

      Does anyone know the difference between using:

      DISM /Online /Remove-ProvisionedAppxPackage /PackageName:Microsoft.WindowsCamera_2018.826.98.0...
      

      versus using:

      Get-AppxPackage *camera* | Remove-AppxPackage
      
      posted in IT Discussion powershell windows10
      1
      1337
    • RE: Eaton Rack Mount 5P: power on issue

      @JaredBusch said in Eaton Rack Mount 5P: power on issue:

      @Pete-S said in Eaton Rack Mount 5P: power on issue:

      So this has nothing to do with Eaton. It's just how the battery chemistry works.

      Not true, it is a new unit. It is Eaton's responsibility. That or the distributor, depending on how it was purchased.

      Either way, it is RMA as failed/bad on delivery.

      Yes, the "problem" could be the battery, but still a vendor issue.

      Sure, the vendor has to replace it.

      I'm just saying in case you buy a UPS of any brand and you have it as a spare sitting on the shelf in its box for three years. Then there is a very high probability the battery is damaged - even if you are covered under warranty. The higher the temperature, the lower the life span.

      I brought this up just because it was mentioned that it's possible it has been sitting on the shelf for a while.

      posted in IT Discussion
      1
      1337
    • RE: Eaton Rack Mount 5P: power on issue

      @gjacobse said in Eaton Rack Mount 5P: power on issue:

      @NHCSAdmin said in Eaton Rack Mount 5P: power on issue:

      @gjacobse Is the power input set to the correct voltage? We ran into something similar with the 9p line where the power from the street was 208 but of course the generator was at 240. With the UPS set to 208 and the batteries not at 100% it would not turn on while the UPS was running. We found it out the hard way when the power went out and the generator did not kick on and the batteries drained down. Then the generator repair tech got the generator on but it didn't matter since we couldn't turn on the unit since it was set to 208. Confirmed it with Eaton and all.

      That's a good call - but sadly no.

      I pulled it out of the rack - thankful for the use of a lift as pulling it down from twelve-fifteen feet up on a step-ladder would have been no joy.

      Walked it across the warehouse and plugged it back in and noticed that the reported state of charge on the battery was 88%.

      Wait, what now? You lost twelve percent, powered off and with no load, while I walked across the building? That can't be right.

      Unit's going back RMA as failed.

      Lead acid batteries (VRLA) can't be left uncharged for long periods of time. It causes sulphation on the cells and destroys the battery. Recommended storage time without charging is 6 months at room temperature.

      So having a UPS sitting on a shelf is a bad idea. It should be hooked up at least every 6 months.

      So this has nothing to do with Eaton. It's just how the battery chemistry works.

      If you had the UPS sitting for a long time without installing it, this could be a factor.

      posted in IT Discussion
      1
      1337
    • RE: ZeroTier rules to limit freelancer access

      @scottalanmiller said in ZeroTier rules to limit freelancer access:

      @Pete-S said in ZeroTier rules to limit freelancer access:

      Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.

      To me this is what makes more sense. I get the value is DOUBLE protection. But at a minimum this should be there first, ZT only as a completely additional layer of protection.

      I agree. Network access control and segmentation is just to make it freakishly hard to traverse for malicious actors and software.

      posted in IT Discussion
      1
      1337
    • RE: Local Storage vs SAN ...

      @scottalanmiller said in Local Storage vs SAN ...:

      @PhlipElder said in Local Storage vs SAN ...:

      StarWind and VMware adopted the vSAN designation for their Hyper-Converged Infrastructure solution sets IIRC. Both did.

      Both do vSAN. So it makes sense as they run SAN appliances on VMs.

      VMware vSAN runs directly on the hypervisor as far as I know. I haven't installed it myself even if I specced it for customers.

      posted in IT Discussion
      1
      1337
    • RE: ZeroTier rules to limit freelancer access

      @scottalanmiller said in ZeroTier rules to limit freelancer access:

      @Pete-S said in ZeroTier rules to limit freelancer access:

      You prevent network access on ssh from SERVER1 to SERVER2 by setting the OS firewall on SERVER 2 to only allow ssh from IPs on the VPN subnet.
      That means you can reach each server's ssh port from VPN, but not from anywhere else. So if you ssh into one server through VPN, you can't ssh from there to the next server.

      That might not work. Two problems that I can think of...

      1. Each device is on the VPN and has a VPN IP address. So server to server communications can happen via VPN IPs. So it would potentially end up being allowed. ZT is specifically a VPN designed to be used for local, as well as distant, communications so we expect even local server to server traffic to still traverse the VPN, just not the router.

      2. There might be a need for other users to SSH between servers or the servers themselves to communicate over SSH. This isn't stated, so it is only a possibility. But we have to consider that we might be blocking more than requested if we get this behaviour to work.

      It's very easy to make it work. Zerotier makes it slightly more complicated than a perimeter firewall with VPN because every server becomes dual homed. So you have to firewall zerotier as well or rely on the stateless zerotier flow rules.

      Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.

      It's likely not ssh the OP is trying to do access control on though. I just used it as an example.

      posted in IT Discussion
      1
      1337
    • RE: ZeroTier rules to limit freelancer access

      @JaredBusch said in ZeroTier rules to limit freelancer access:

      @Pete-S said in ZeroTier rules to limit freelancer access:

      @dafyre said in ZeroTier rules to limit freelancer access:

      @Pete-S said in ZeroTier rules to limit freelancer access:

      @JaredBusch said in ZeroTier rules to limit freelancer access:

      Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.

      That makes sense.

      However that can be as simple as using each server's firewall to block rdp/ssh from everything but zerotier.
      That prevents moving horizontally from one server to another.

      Again after I've connected to SERVER5 via ZT, how do you prevent me from accessing SERVER1-4 and SERVER6-15 -- or any other internal resource since the server I'm connecting to is already inside your network's main firewall?

      Let's call zerotier a VPN for simplicity and let's say we want to control ssh network access.

      You prevent network access on ssh from SERVER1 to SERVER2 by setting the OS firewall on SERVER 2 to only allow ssh from IPs on the VPN subnet.

      That means you can reach each server's ssh port from VPN, but not from anywhere else. So if you ssh into one server through VPN, you can't ssh from there to the next server.

      Right, which is why I asked the OP to clarify what he meant by server access.

      Sure, I know why you asked. My reply was to @dafyre as an example how you can limit traversing the network once you're "inside".

      posted in IT Discussion
      1
      1337
    • RE: Local Storage vs SAN ...

      @scottalanmiller said in Local Storage vs SAN ...:

      @Pete-S said in Local Storage vs SAN ...:

      DRBD, Gluster and Ceph are simply technologies used to build a vSAN.

      They can be, but 99% of the time no SAN layer will be used. I've never seen Gluster or CEPH used to make a vSAN and DRBD mostly only in a lab. They are so much faster and more robust without the SAN layer that it's not popular to do that. So much of their value comes from removing the need and complexity of the networking layer since the storage itself is already replicated to each node. If you add the vSAN layer, you have to deal with a loss of redundancy (in the connection layer) and build that back in.

      I don't think that there is such a thing as a SAN layer by definition.
      A SAN is just a storage area network. It doesn't imply that it has to have SAS, iSCSI or fiber channel or any other protocol that is traditionally used by physical SAN units.

      I'd say a SAN is an architecture more than a specific technology.

      posted in IT Discussion
      1
      1337
    • RE: Local Storage vs SAN ...

      @scottalanmiller said in Local Storage vs SAN ...:

      vSAN is any SAN run virtualized

      I think that is incorrect. The definition is virtual storage area network. A software defined storage area network if you will.

      That is not the same as a virtualized storage area network.

      posted in IT Discussion
      1
      1337
    • RE: ZeroTier rules to limit freelancer access

      @dafyre said in ZeroTier rules to limit freelancer access:

      @Pete-S said in ZeroTier rules to limit freelancer access:

      @JaredBusch said in ZeroTier rules to limit freelancer access:

      Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.

      That makes sense.

      However that can be as simple as using each server's firewall to block rdp/ssh from everything but zerotier.
      That prevents moving horizontally from one server to another.

      Again after I've connected to SERVER5 via ZT, how do you prevent me from accessing SERVER1-4 and SERVER6-15 -- or any other internal resource since the server I'm connecting to is already inside your network's main firewall?

      Let's call zerotier a VPN for simplicity and let's say we want to control ssh network access.

      You prevent network access on ssh from SERVER1 to SERVER2 by setting the OS firewall on SERVER 2 to only allow ssh from IPs on the VPN subnet.

      That means you can reach each server's ssh port from VPN, but not from anywhere else. So if you ssh into one server through VPN, you can't ssh from there to the next server.

      posted in IT Discussion
      1
      1337
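An added example, not taken from the thread, of the per-server firewall described in the ZeroTier posts above, written as an nftables ruleset. It assumes a ZeroTier interface name and the ZeroTier addresses of the people allowed to SSH in (both hypothetical), and narrows the allow list to those member addresses rather than the whole VPN subnet, so the other servers on the same ZeroTier network, which also hold ZeroTier addresses, cannot reach this host's SSH port.

```shell
#!/bin/sh
# Per-server SSH segmentation for a ZeroTier-joined host, as nftables rules.
# Assumed (hypothetical) values: the ZeroTier interface name and the ZeroTier
# addresses of the people who may SSH in. Every other source, including the
# ZeroTier addresses of the other servers on the same network, is dropped on
# port 22, which blocks hopping from one server to the next over the VPN.

# Usage: gen_ssh_ruleset <zt-interface> <allowed-zt-ip> [<allowed-zt-ip>...]
gen_ssh_ruleset() {
  [ $# -ge 2 ] || return 1            # need an interface and at least one address
  zt_if="$1"; shift
  allowed=$(printf '%s, ' "$@"); allowed="${allowed%, }"
  cat <<EOF
table inet ssh_guard {
  set ssh_admins {
    type ipv4_addr
    elements = { $allowed }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    # SSH only from listed ZeroTier members, and only via the ZeroTier interface
    iifname "$zt_if" ip saddr @ssh_admins tcp dport 22 accept
    # everything else on port 22 (LAN, public, other ZT members) is dropped
    tcp dport 22 drop
  }
}
EOF
}

# Parses the generated ruleset with nft -c (check only) and applies it only if
# the check passes, so a typo never leaves the host without the rules.
install_ssh_ruleset() {
  rules=$(gen_ssh_ruleset "$@") || return 1
  printf '%s\n' "$rules" | nft -c -f - || return 1
  printf '%s\n' "$rules" | nft -f -
}
```

Run `install_ssh_ruleset <zt-interface> <admin-zt-ip>` as root on each server; if sshd listens on a port other than 22, change both port rules to match.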
    • RE: ZeroTier rules to limit freelancer access

      @JaredBusch said in ZeroTier rules to limit freelancer access:

      Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.

      That makes sense.

      However that can be as simple as using each server's firewall to block rdp/ssh from everything but zerotier.
      That prevents moving horizontally from one server to another.

      That being said, I know little about zerotier. I would however also look at cloudflare access solution. They have some very interesting solutions for managing users and access to internal resources. Some of them are free as well. I've been trying to give it a go but haven't had the time yet.
      https://www.cloudflare.com/products/zero-trust/access/

      posted in IT Discussion
      1
      1337
    • RE: Local Storage vs SAN ...

      @BraswellJay said in Local Storage vs SAN ...:

      We are planning a server upgrade and I find myself faced with the question of whether a SAN is necessary.

      No, a SAN will not be needed.

      What SAN provides is shared storage. Today the preferred solution for shared storage is a vSAN. vSAN is basically local storage from several hosts networked together and replicated. It provides shared storage for the hosts. DRBD, Gluster and Ceph are simply technologies used to build a vSAN.

      But maybe you don't need that either. Most don't.

      The real question is: what are the business requirements and budget for the applications you run?

      posted in IT Discussion
      1
      1337
    • RE: User migration to azure

      @Dashrender said in User migration to azure:

      @Pete-S said in User migration to azure:

      @Dashrender said in User migration to azure:

      @Pete-S said in User migration to azure:

      @lilyleiden said in User migration to azure:

      We just tested migrating a small batch of test users to our new Azure tenant.

      While migrating the PC/user account was no problem, the fact that people get a completely blank user profile, certainly was a showstopper!!

      Many of our users have had their AD profile for years, even a decade, and have a lot of individual settings, ways to work, shortcuts, quick links, favorites/browser cached passwords etc. and they lose all that.
      Management has currently halted the process due to the protests.

      So I am on the lookout for a way to link/migrate the old profile/profile settings, when Azure joining the PC?

      I would use this as an opportunity to remove unneeded customizations and old ways of doing things and introduce new ways of working instead.

      For instance is it really wise to rely on browser cached passwords? To me that's a signal that you need to look over your password management policy. Maybe your users need a real password manager or setup SSO to apps they're using.

      I'm really on board with this! We don't migrate when people get new machines, that said - we have few users that do much customization to their setup...

      Yes and it's also a question of setting the right expectations. For instance saying: IT allows users to customize their desktops but will not provide support for it. New machines, reimaged desktops etc will be reset to company default.

      I do this - I don't support end user shortcuts to their desktop. If you figure out how to get it - or get others around you to do it for you, fine... but IT does not support your shortcuts.

      I think it makes the most sense. I've never myself received a new replacement PC that had any settings retained from my previous one.

      Also any kind of serious problem with the PC and it would have been reimaged with nothing retained.

      posted in IT Discussion
      1
      1337
    • RE: User migration to azure

      @Dashrender said in User migration to azure:

      @Pete-S said in User migration to azure:

      @lilyleiden said in User migration to azure:

      We just tested migrating a small batch of test users to our new Azure tenant.

      While migrating the PC/user account was no problem, the fact that people get a completely blank user profile, certainly was a showstopper!!

      Many of our users have had their AD profile for years, even a decade, and have a lot of individual settings, ways to work, shortcuts, quick links, favorites/browser cached passwords etc. and they lose all that.
      Management has currently halted the process due to the protests.

      So I am on the lookout for a way to link/migrate the old profile/profile settings, when Azure joining the PC?

      I would use this as an opportunity to remove unneeded customizations and old ways of doing things and introduce new ways of working instead.

      For instance is it really wise to rely on browser cached passwords? To me that's a signal that you need to look over your password management policy. Maybe your users need a real password manager or setup SSO to apps they're using.

      I'm really on board with this! We don't migrate when people get new machines, that said - we have few users that do much customization to their setup...

      Yes and it's also a question of setting the right expectations. For instance saying: IT allows users to customize their desktops but will not provide support for it. New machines, reimaged desktops, upgrades etc will reset everything to company default.

      posted in IT Discussion
      1
      1337
    • RE: WordPress Site Lost Its Mind - Ten Minutes of Maintenance Over and Over Again

      @scottalanmiller said in WordPress Site Lost Its Mind - Ten Minutes of Maintenance Over and Over Again:

      @PhlipElder said in WordPress Site Lost Its Mind - Ten Minutes of Maintenance Over and Over Again:

      @scottalanmiller If the timing is regular then look for a chron job running at that time. Or, is it "cron"? Meh ... *NIX skillset is pretty green.

      We found it. Basically what it was was....

      A PHP cycle job for a plugin to auto-update. But the plugin had some problem and couldn't update and would fail. So it never stopped attempting to update and it went into this death spiral that every ~12 hours or so, it would do this thing, kill the site for 9 minutes, and give up and return to normal.

      So cron-like job, but seems to have been PHP-Cron or similar.

      It's WP-cron that I also linked to in an earlier post.

      Basically it's WP's version of the system cron job.

      Difference is that WP was made to run on shared servers without having access to the underlying OS. So for each web page access WP will check if it also has to run some scheduled job as well.

      After it has done that it waits 12 hours by default until next time. WP can only run when a web page request executes it, so you can't predict exactly when it's going to happen.

      The real solution is to invoke scheduled jobs from the OS and only do so during the night or whenever it is suitable since WP shuts down the site when doing upgrades.

      This is how you do that:
      https://developer.wordpress.org/plugins/cron/hooking-wp-cron-into-the-system-task-scheduler/

      posted in IT Discussion
      1
      1337
    • RE: User migration to azure

      @lilyleiden said in User migration to azure:

      We just tested migrating a small batch of test users to our new Azure tenant.

      While migrating the PC/user account was no problem, the fact that people get a completely blank user profile, certainly was a showstopper!!

      Many of our users have had their AD profile for years, even a decade, and have a lot of individual settings, ways to work, shortcuts, quick links, favorites/browser cached passwords etc. and they lose all that.
      Management has currently halted the process due to the protests.

      So I am on the lookout for a way to link/migrate the old profile/profile settings, when Azure joining the PC?

      I would use this as an opportunity to remove unneeded customizations and old ways of doing things and introduce new ways of working instead.

      For instance is it really wise to rely on browser cached passwords? To me that's a signal that you need to look over your password management policy. Maybe your users need a real password manager or setup SSO to apps they're using.

      That being said, Microsoft has the User State Migration Tool, USMT, for moving user data.
      https://learn.microsoft.com/en-us/windows/deployment/usmt/usmt-overview

      posted in IT Discussion
      1
      1337
    • RE: WordPress Site Lost Its Mind - Ten Minutes of Maintenance Over and Over Again

      @scottalanmiller

      Maybe you solved the problem by now, but every time wordpress runs a scheduled update check it will display this notification.

      You should be able to trigger the update manually from the site. Or change so it runs at a known time (or just look for a file in the web root for a file called .maintenance).

      I don't know if the update process has a log file (doesn't look like it has) but otherwise run tcpdump/wireshark to look at the traffic when it does its update.

      Since it takes 10 minutes every time there is probably something that fails and times out.

      posted in IT Discussion
      1
      1337
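An added shell example, not from the thread or the WordPress project, covering both WordPress posts above: a check that wp-config.php has turned off request-triggered WP-Cron, the crontab line that fetches wp-cron.php from the system scheduler at a fixed hour (the mechanism the linked WordPress page shows with wget), and a check of the web root's .maintenance file, which WordPress honours only while its timestamp is under ten minutes old. The site URL, web root and run hour are assumptions.

```shell
#!/bin/sh
# Helpers for moving WordPress scheduled tasks off request-triggered WP-Cron and
# onto the system scheduler, plus a maintenance-mode check. Site URL, web root
# and the run hour are assumed values, not taken from the thread.

# Returns 0 if wp-config.php defines DISABLE_WP_CRON as true, i.e. page requests
# no longer spawn WP-Cron and only the system scheduler will run wp-cron.php.
wp_cron_disabled() {
  grep -Eq "define\( *['\"]DISABLE_WP_CRON['\"] *, *true *\)" "$1"
}

# Prints the crontab line that fetches wp-cron.php once a day at the given hour
# (0-23), so upgrades happen at a known off-hours time. Returns 1 for a bad hour
# so a broken entry is never written.
wp_cron_crontab_line() {
  site="$1"; hour="$2"
  case "$hour" in ''|*[!0-9]*) return 1;; esac
  [ "$hour" -le 23 ] || return 1
  printf '0 %s * * * curl -fsS "%s/wp-cron.php?doing_wp_cron" >/dev/null 2>&1\n' \
    "$hour" "$site"
}

# Returns 0 if WordPress would currently serve its maintenance page: .maintenance
# exists in the web root and its $upgrading timestamp is under 600 s old
# (WordPress ignores the file once it is older than ten minutes).
wp_maintenance_active() {
  f="$1/.maintenance"
  [ -f "$f" ] || return 1
  started=$(sed -n 's/.*\$upgrading *= *\([0-9][0-9]*\).*/\1/p' "$f" | head -n 1)
  [ -n "$started" ] || return 1
  [ $(( $(date +%s) - started )) -lt 600 ]
}
```

Add the printed line with `crontab -e` on the web host once `wp_cron_disabled /path/to/wp-config.php` succeeds; until then WordPress keeps spawning its own cron on page requests.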
    • RE: Bind Linux Process to Well Known Web Ports When Not Root

      @scottalanmiller said in Bind Linux Process to Well Known Web Ports When Not Root:

      If you have ever tried to run a user space program on Linux with a port below 1024 you know that this is a security problem and you are not allowed to do so. There is a simple fix for this, but it is not well known.

      Once you know the binary that you will be using to open the low number (well known) port you can use this command to grant it permission to use these ports without otherwise compromising security.

      setcap cap_net_bind_service+ep /my/binary/file
      

      Now you can run your application. This is most commonly used for user space web applications that want to use port 80 or 443 without requiring that you run a reverse proxy in front of them.

      Good to know!

      I found this as an example of how to use it and also commands to remove the permission:
      https://cwiki.apache.org/confluence/display/HTTPD/NonRootPortBinding

      The setcap utility seems to be available in the libcap2-bin package on debian distros.

      I haven't checked if it's installed by default.

      posted in IT Discussion
      1
      1337
    • RE: Helpdesk - PC replacement routines

      @IRJ said in Helpdesk - PC replacement routines:

      The Helpdesk team exists to be a human shield for users. Your main job is keep users away from the rest of IT. Customer service and user support is the job. Since your Helpdesk should be made up of entry level with fair turnover, I'm not sure you're gonna ever be efficient nor is that really the goal.

      I started in Helpdesk as did many others I've met in higher IT positions. The employees that you have that are really good are not meant to stay there too long. If your company doesn't have the foresight to promote top performers, they will just leave and go somewhere else.

      The TLDR is Helpdesk is supposed to be a human shield for IT. It should be a starting place for aspiring IT professionals, and if they are knowledgeable enough to improve these processes they won't be around long (one way or another).

      @IRJ What you say makes perfect sense.

      Wouldn't you agree that replacing a PC is at least a two stage process? One where you get the new computer and get it 100% ready for the user. And another where you would handhold the user - if they need help. And only the second one would actually be a helpdesk job.

      If I understand correctly, the actual problem that @annalynnetech has is that the PC isn't ready to go when the end-user gets it.

      posted in IT Discussion
      1
      1337
    • RE: How to use different accounts on the same website/service with profiles

      @Obsolesce said in How to use different accounts on the same website/service with profiles:

      @Pete-S said in How to use different accounts on the same website/service with profiles:

      Profiles in Chrome
      In Chrome you can add a new profile (aka user) by clicking on the person icon (You) on the top right and select + Add.
      Here you can also switch profiles. When you add a profile Chrome asks if you want to create a shortcut on the desktop (Windows).
      The target will look like this:
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Profile 1"

      For those who don't use Firefox or Chrome:

      Similar to Chrome...

      Microsoft Edge

      Target will be like this, e.g.:
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Profile 1"

      Great! I added it to the original post.

      posted in IT Discussion
      1
      1337
    • 1 / 1