@Dashrender said:

@BBigford said:

@Dashrender said:

The obscurity that you're going to is the move to Linux and the fact that the malware writers haven't bothered to write malware for Linux yet.

MAC users could say the same thing, until they couldn't. It's been several months or more now since a MAC variant of ransomware has been available.

See, you could have previously just as easily said - I want to move everyone to a MAD because there's no ransomware there, well that would have worked until it didn't... the same WILL happen to Linux.

But you can skip the entire concern of this specific avenue of problem by moving to SharePoint or ownCloud.

I'm not saying move to Linux because only Windows gets viruses. I'm saying I want to move to Linux because I hate Windows. Maybe that was too subtle...

oh, yeah it was too subtle, because hating windows has nothing to do with the security hole we were talking about.

I'm just trying to find any good excuse to switch, give me a break! If I can twist the subject into a justified transition, you bet I will.

@Dashrender said:

The obscurity that you're going to is the move to Linux and the fact that the malware writers haven't bothered to write malware for Linux yet.

MAC users could say the same thing, until they couldn't. It's been several months or more now since a MAC variant of ransomware has been available.

See, you could have previously just as easily said - I want to move everyone to a MAD because there's no ransomware there, well that would have worked until it didn't... the same WILL happen to Linux.

But you can skip the entire concern of this specific avenue of problem by moving to SharePoint or ownCloud.

I'm not saying move to Linux because only Windows gets viruses. I'm saying I want to move to Linux because I hate Windows. Maybe that was too subtle...

@Dashrender said:

The obscurity that you're going to is the move to Linux and the fact that the malware writers haven't bothered to write malware for Linux yet.

MAC users could say the same thing, until they couldn't. It's been several months or more now since a MAC variant of ransomware has been available.

See, you could have previously just as easily said - I want to move everyone to a MAD because there's no ransomware there, well that would have worked until it didn't... the same WILL happen to Linux.

But you can skip the entire concern of this specific avenue of problem by moving to SharePoint or ownCloud.

No, no no. I'm not saying that at all about moving to Linux. Case in point, you already pointed out Mac users. We already use SharePoint, we just happen to use a split environment where we have a DFS share and SharePoint. SP being only used for collaboration.

@scottalanmiller said:

@BBigford said:

@scottalanmiller said:

@BBigford said:

If I could, I would move us all to Linux workstations. The length of time it takes to restore a file server because one user got a share encrypted (possibly due to security not being tight enough, my fault there), way too much time. Haven't gotten hit with any yet, in two networks, but I have OCD when it comes to security (or I'm just lucky... I'll go with lucky and eat my humble pie).

While there isn't so much risk on Linux, it will come. I am totally for going to Linux desktops, trust me. But the REAL solution here isn't Linux, it's not using network shares. That's the actual point of risk, not Windows.

The future is unknowable. Though something might only work for now, I'll shift accordingly with infections. I don't have to future-proof our whole network by migrating to a different OS or different way of sharing drives, because there's no determination that will actually work indefinitely. But for now, that would work and staying just ahead of the curve is my goal. As technology and attack techniques evolve, so shall our best practices. Just an opinion.

True, but the difference is that one approaches closes a known security hole and the other does not. One is avoiding known implementations while the other is eliminating the problem.

In the future will things like ownCloud be attacked like shares are today? Maybe. But currently there is no attack against them, no one has invented that yet. But the existing Windows attacks can be used on Linux, just because they are not being used doesn't change the fact that they exist.

Very different things... closing a known security hole versus leaving it open and just placing the hole where people tend not to try to get in through it.

I didn't mean completely avoid the problem by transitioning to a different platform or (if possible) completely transitioning to cloud. Especially not being obscure about anything... I can close up a security loophole now, but what's to say it won't get bypassed? That's unknowable, so I do the best I can now by constantly shifting how we operate (whether that is redesigning our shares/security/etc).

@scottalanmiller said:

@BBigford said:

If I could, I would move us all to Linux workstations. The length of time it takes to restore a file server because one user got a share encrypted (possibly due to security not being tight enough, my fault there), way too much time. Haven't gotten hit with any yet, in two networks, but I have OCD when it comes to security (or I'm just lucky... I'll go with lucky and eat my humble pie).

While there isn't so much risk on Linux, it will come. I am totally for going to Linux desktops, trust me. But the REAL solution here isn't Linux, it's not using network shares. That's the actual point of risk, not Windows.

The future is unknowable. Though something might only work for now, I'll shift accordingly with infections. I don't have to future-proof our whole network by migrating to a different OS or different way of sharing drives, because there's no determination that will actually work indefinitely. But for now, that would work and staying just ahead of the curve is my goal. As technology and attack techniques evolve, so shall our best practices. Just an opinion.

@Sparkum said:

@BBigford

To add more context

Its actually for employee's we just havent finished migrating them all over to exchange yet, and with so much going on it could be atleast 6 months before the transition is complete.

So we just need the shared calendar today, with the intent that they WILL all be on exchange.

Ah, I've had to deal with that before. So you have two options to make this as easy to manage as possible:

*Don't muck up your Exchange instance by adding in all the people that aren't in Exchange yet. When you can add them (whether it is for financial reasons or whatever), do the additions at that time.

*Have them use something like a Gmail account until they can make the transition. Having everyone use the same format for their email address, like [email protected] or however you want to do it. If my company was First Company of Idaho, maybe I'd do something like [email protected]

If I could, I would move us all to Linux workstations. The length of time it takes to restore a file server because one user got a share encrypted (possibly due to security not being tight enough, my fault there), way too much time. Haven't gotten hit with any yet, in two networks, but I have OCD when it comes to security (or I'm just lucky... I'll go with lucky and eat my humble pie).

I'm guessing this is for an external contact?

@Sparkum said:

Hey guys.

Can you grant read/write permission using an exchange 2013 mailbox to someone not on exchange?

I can see 100 ways to do it exchange -> exchange, but not exchange -> external

Thanks

Nope. Do not do that. That would be a security issue. Exchange is for an organization, if you're not in the organization, then you're not in Exchange. If you want to give them mailbox permissions, then you'll need to create them a mailbox, which will also create an Active Directory account by default so keep that in mind...

@brianlittlejohn said:

@BBigford

get-mailbox -database "DBNAME"

should do it

exactly what I needed, thanks. Weird that a completed mailbox is in there... Oh well, I'll figure that out later.

Am I running this right (to get a list of anyone on CorpExchange3)?

Get-Mailbox | Sort Database, CorpExchangeStore3 | format -Table Name

@scottalanmiller said:

@BBigford said:

7 users for AD? Noooo thank you.

That would be my take. I'd just manage them individually. Even MS doesn't recommend rolling it out at that size.

I managed a SBS2011 server (took over) for a user base of about 12 people and as many PCs. Came with rolled up Exchange/AD/etc. Some said it was super convenient. I thought it was a damn nightmare. When that server went down, all operations halted. Before I came, there were no UPSs either, just plugged right into the wall, no battery backup. When the power went out, the databases were guillotined. The horror!

7 users for AD? Noooo thank you.

One user is going to take all day. They have 10GB in their mailbox.

@brianlittlejohn said:

Does get-moverequest show moves that are still pending?

Two are pending... One is completed but still shows in the Get-mailbox -database "CorpExchangeStore3" -ResultSize Unlimited list...

@brianlittlejohn said:

You may be seeing mailboxes that are soft deleted from the move... not positive though.

Scanning through the mailboxes, there are 250... Most are here, some are not. Weird.

Nvm, got it with Get-Mailbox -Database "CorpExchangeStore3" -ResultSize Unlimited

Anyone know the right command to see who's in that database via the shell? Everything I'm trying from Google is showing a different database. When I did the move (there were only 3 people), I used:

Get-Mailbox -database "CorpExchangeStore3" | New-MoveRequest -TargetDatabase "CorpExchangeStore2"

Everything went fine. When I run a Get-Mailbox | Sort Database, CorpExchangeStore3 | format -Table Name, CorpExchangeStore3 then it shows TONS of names, like they are from another database. If I run that command against DB 2, it basically shows the same thing.

What I'm doing by shaving off a few, is creating a recovery database so I'm not working with a live database. I know that 2013 can work much better on the fly with individual mailboxes whereas older versions you had to bring down the whole database, and restore might screw up the whole thing. With some of those caveats, I'm definitely not trying that out without testing it first. Anyway, no way in EAC? That sucks.

@travisdh1 said:

@coliver said:

@BBigford said:

@scottalanmiller said:

@BBigford said:

I forgot to add.. preferably something that we can use to pull from Active Directory without extreme difficulty. I can allocate some time to this project, but I'm looking for something that has a fairly small footprint and doesn't require tons of time to setup (basically, the opposite of SfB).

I think that pretty much everything talks to AD these days.

Except OpenFire, right? Have to add everyone manually... Or is there a module for that now?

OpenFire can talk to AD. It is actually a really easy setup.

I don't even have AD deployed yet, but I do have an openfire server connected to a SAMBA4 DC. It makes me want to AD connect all the things.

Do you have so few users that you don't use any kind of central directory (not necessarily AD, could be openLDAP or whatever)?