Best posts made by anthonyh

Can someone change the category to "IT Discussion", pretty please? I thought that's what I selected, but obviously not.

Ha, ok, I found a workaround. I can simply cat the message back into the mail spool.

cat $msgFile >> $mailSpool

Boom, message is back in the mail spool and my process re-consumes it.

Taking a look at this now: https://support.citrix.com/article/CTX139224

I suspect those hidden guys are what I want to get rid of...

@dustinb3403 said in XenServer 6.5 - Clean Up Storage Repository:

@anthonyh did this work out for you?

Haven't done it yet. Probably won't until mid March (possibly the weekend of the 16th). I'll update the thread when I do.

OK! I think I threw together something that will do what I want!

import-module activedirectory
$disableList = @(get-adgroupmember 'DisableMeNao' | select -expandproperty SamAccountName)

$expiration = (get-date).adddays(-30)

foreach ($acct in $disableList) {
    $lastLogon = get-aduser $acct -properties lastlogondate | select -expandproperty lastlogondate
    if ($lastLogon -lt $expiration) {
        echo "$acct's last logon was more than 30 days ago. Account has been disabled."
        disable-adaccount -identity $acct
    }
}

I've been playing around hard with my home lab Asterisk build the past few months and have been testing various SIP trunk providers. My preferred provider is Flowroute with VoIP.ms coming in as a close second.

What I like about Flowroute is that they pass you the media stream from the media gateway that is terminating the call. So, in theory, you have the most direct audio path possible. In my testing, this seems to be true. When comparing latency with Flowroute vs VoIP.ms. In most cases Flowroute's latency is lower. In cases where it's not lower, it's unnoticeable equal to VoIP.ms (to my ear at any rate).

Pricing wise they are pretty similar. Flowroute is slightly cheaper outbound, but their inbound rate and monthly DID rates are higher (not by much, but depending on your usage could be exponential). Also, VoIP.ms has a lot more rate centers to choose from when buying DIDs via the web portal. Flowroute's can be limited depending on the NPA you desire, but I haven't reached out to their support (which is really good, as is VoIP.ms') to see if you can request rate centers in NPAs not listed on the portal.

I ported my home number to Flowroute and the process went without a hiccup. Was completed on the date and within the time window they provided.

A decent provider to play around with if you want something cheap and/or as backup is DID Logic. Their inbound/outbound rates are around $0.005/min and the cal quality/latency is good. However establishing an account is tough as they have this "anti fraud" process you have to hoop through.

To add:

When using the Effective Access feature of Advanced Security Settings for the share, if I specify the user/group of "Authenticated Users", it shows success for the various execute and read permissions. If I do the same for "Domain Computers", it shows no access at all. Though my understanding is that "Authenticated Users" is supposed to encompass computer accounts as well and supersede "Domain Computers", but it is odd nonetheless since I explicitly give "Domain Computers" read/execute just like "Authenticated Users".

@dbeato said in GPO Software Deployment Woes:

@anthonyh said in GPO Software Deployment Woes:

@dbeato said in GPO Software Deployment Woes:

@anthonyh said in GPO Software Deployment Woes:

@dbeato said in GPO Software Deployment Woes:

@anthonyh said in GPO Software Deployment Woes:

Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.

So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.

What the heck?!

I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?

For the heck of it, do you get to access the share while on Windows Explorer?

Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.

Yes, I was typing this before:

“
Just for my own sanity reading this Thread, did you actually import each software back again from the new share? Because sometimes that is what it takes”

No, I haven't tried that. Can you delete and re-add software packages to the GPO without it triggering an attempt to re-install them? I want to avoid triggering all of my clients to re-install everything and then wig out because it's all already installed...if that makes sense.

You can do this
https://support.microsoft.com/en-us/help/2395088/how-to-change-the-msi-file-location-in-the-software-deployment-gpo-mut

Or redploy the application, I assume you have set the Package to uninstall when it falls out of the scope?

That link is the exact article I followed.

Some are set to uninstall when out of scope, some are not.

@notverypunny said in GPO Software Deployment Woes:

Is your filesrv02 the actual name of the machine? I remember seeing a mention of using a DNS record... I may be wrong but IIRC DNS redirection and modern SMB don't always work together very well because Kerberos. Like I said, might be completely out to lunch on this one, still working on my 1st coffee of the day.

Yes, that is the actual name of the host I have moved the files to. @Dashrender was the one that suggested to use a CNAME in the future, which I will experiment with since if it works would make future moves (though years out likely) much easier.

The original host was dc01, and the desire was to move the files to filesrv02. I had followed the article @dbeato posted (https://support.microsoft.com/en-us/help/2395088/how-to-change-the-msi-file-location-in-the-software-deployment-gpo-mut) before starting this post here.

I re-created the share on the "new" dc01, even after re-pointing the msiFileList on all of my Software Install GPOs to filesrv02. This satisfied the GPOs and on my test VM they all ran and installed without fuss.

This tells me that even though I updated the msiFileList property (removed the old value and replaced it with new, which was simply changing the server. The share name and all permissions were identical), and even though gpresult was reflecting the new path, somewhere somehow things were not truly obeying this.

I even went as far as to enable file auditing on the share on filesrv02 and, sure enough, I saw zero attempts at any connections when a machine failed through the software install GPOs.

So, for now, I've left the share in both locations and have updated the msiFileList property on the software install GPOs to reflect my "preferred" location (not ideal for sure). I think I'll revisit this once the other DC has been demoted and replaced with a Server 2016 host.

Oh my lawd. You won't believe the fix.

"Run as administrator"

Why didn't I think of this sooner.

I knew I was missing something stupidly simple.

Even though the account in question is a Domain Admin...

I have an account that is being repeatedly locked out. The user recently changed their password, so I'm pretty sure there is something out there still trying to authenticate using their old credentials. I've been analyzing the Security log on both of our DCs (Server 2016), but it's not super helpful. I see Audit Failures, but these are attempts after the account has become locked. I am having a hard time finding the login event that triggers the lockout. Various articles I've read say to look for event 4740, but these don't seem to exist in the Security log on either DC. Is there some additional logon auditing I need to enable via GPO?

@dafyre I am going to go down the rabbit hole of Logstash first, actually. I can think of many other logs I'd throw at something like that. It would be a very nice add to the arsenal.

If I fail, or if folks are getting impatient, a cron job to do a simple copy will be plan B.

I personally use a Netgear LB1120 and have no complaints. It will act as a router or you can put it in bridge mode and use your own. I've used it in both configurations and it seems to work well. I've used it with AT&T, Verizon, and Ting (T-Mobile MVNO). It's integrated antennas have been fine for me, but it has the ability to connect external antennas if needed.

@stacksofplates Thanks! I started down the path of Logstash/Greylog/others and realized that it's going to take a bit more of my bandwidth than I can dedicate at the moment. So I ended up throwing together a BASH script that'll copy the current log files over to the share every minute. It works for now...

@Obsolesce said in Windows Server 2012 - Task Scheduler Issue:

@anthonyh said in Windows Server 2012 - Task Scheduler Issue:

@Obsolesce said in Windows Server 2012 - Task Scheduler Issue:

@Pete-S said in Windows Server 2012 - Task Scheduler Issue:

@anthonyh said in Windows Server 2012 - Task Scheduler Issue:

@anthonyh said in Windows Server 2012 - Task Scheduler Issue:

@Pete-S said in Windows Server 2012 - Task Scheduler Issue:

@anthonyh said in Windows Server 2012 - Task Scheduler Issue:

@Pete-S said in Windows Server 2012 - Task Scheduler Issue:

@anthonyh said in Windows Server 2012 - Task Scheduler Issue:

I am having an interesting problem with the Windows Task Scheduler under Server 2012. I have a couple dozen scheduled tasks that do various things via PowerShell scripts (mostly pull data from a SQL database then ship it off to their respective recipient). These scripts have been in place and scheduled for years. However, recently, about a half dozen of the scheduled tasks have plain stopped triggering and I have no idea why.

For example, I have a scheduled task that's set to run at 9PM every Monday, Tuesday, Wednesday, Thursday, Friday of every week. It's "Next Run Time" is tonight at 9PM. It's "Last Run Time" was 1/24/2020 at 9:01:20 PM. Whaa?? The "Last Run Result" was "The operation completed successfully. (0x0)".

I can right click the offending jobs and run them manually no problem. I've "poked" at the scheduled tasks, enabled/disabled them, the trigger, changed the time back/forth, even changed the "Configure for" option from the default "Windows Vista, Windows Server 2008" to "Windows Server 2012". One thing I have not tried exporting/importing the offending tasks.

I'm curious if any of y'all have experienced anything like this?

If the task doesn't complete, it will not run again. Also the task scheduling service have to be running for any tasks to be triggered.

Right. I have "Stop the task if it runs longer than" set to 3 days. So I should see them in the "Running" state if that were the case, no?

Depends on if they are running right now. Anyway, how long does the task take to complete? Do your scripts produce a log file?

They are all "Ready" as of this moment. They run nightly, so I should see them as "Running" right now.

Some of them do, some of them do not (I've been adding Start/Stop Transcript to them as I've needed to troubleshoot). For those that do log, the log's last modified date/time corresponds to the last time the Task Scheduler reports the task ran.

I just edited my original post to add that the script I talk about as an example does log, and the log has not been touched since Task Scheduler reported it ran successfully.

OK, post screenshot of each tab under that task's properties, including what's under the edit button on the "triggers" tab.

Just export the xml here, clean any sensitive info. Easier.

Here is the XML of the task I mentioned in my OP. I can do screenshots too if that's still desired by anyone.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2015-12-23T13:40:10.4492565</Date>
    <Author>[REDACTED]</Author>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-12-23T21:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByWeek>
        <DaysOfWeek>
          <Monday />
          <Tuesday />
          <Wednesday />
          <Thursday />
          <Friday />
        </DaysOfWeek>
        <WeeksInterval>1</WeeksInterval>
      </ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell</Command>
      <Arguments>-ExecutionPolicy Bypass -File "C:\scripts[REDACTED].ps1"</Arguments>
    </Exec>
  </Actions>
</Task>

Does it run if you right-click on the task and run it manually?

As per my OP:

"I can right click the offending jobs and run them manually no problem. "