@pete-s said in Is XYZ considered secure?:

But if compliance is required, don't you have to abide and make decision based on both real security as well as compliance?

Nothing makes you abide by good security other than the risk of being sued over it. So no, you don't have to abide by both. Is it best to, sure of course, if you value you company.

@travisdh1 said in Microsoft Dynamics, do not use:

@dashrender said in Microsoft Dynamics, do not use:

@jaredbusch said in Microsoft Dynamics, do not use:

@dashrender said in Microsoft Dynamics, do not use:

why isn't there a M365 version of this

There is

is it as flexible as on prem? and if it is - then why is the OP having this problem? I'd be curious to see the justification of not using SAAS.

If I had any say in it, they would be. Nobody asks me when they're in the planning process tho, I'm just the "do this" man in this case.

yeah, with my new boss - I'm really trying to impress upon her how important it is for IT to be involved with nearly any project - if for nothing else to say - IT doesn't need to be involved in that project, but more often to consider things exactly like this - moving to SAAS, etc.

@travisdh1 said in hot potato workers:

@dashrender said in hot potato workers:

@pete-s said in hot potato workers:

@dashrender said in hot potato workers:

I have a front desk area of 10 workstations that I need to allow these 10 workers and about 20 others to randomly log into any of these 10 stations and have full function.

Each station has an insurance card scanner - software will only load for one profile at a time. I.e. if person 1 is logged in, then person 2 logs in while suspending (not logging off) person 1, the scanner won't work.

The printers are based on front desk location, so it's workstation based, regardless of who logs in.

Lastpass needs to be installed into Chrome and ready to go regardless of who logs into the PC.

As already mentioned - as backup to sick front desk staff, a group of 20 or so can be assigned to fill in as needed, and they need the ability to do all functions from these computers as well.

Because it's a medical shop - my users need the ability to lock their computers when they go to the bathroom - so I'm thinking a shared account likely isn't going to work.

Just an idea but why not use scanners that support network scanning and don't need a PC?

Having USB scanners is like having USB printers. Not great in a workgroup situation.

Our EMR only supports USB based scanning today. We've begged them to enable network based TWAIN - but they currently intentionally disable it.

yep.. we've had two workgroup calls with them.. and about 20 people all begging them to turn it on.. stop manually blocking it!

111

the OP also mentioned sending the tapes off-site.

So my question is - how often are they sending off-site? daily? in that case a library might make sense to cover those vacation, sick, etc situations... but if it's weekly or even less, then a library makes less and less sense.

@eleceng Interesting, I would think it would be better to create an internal structure that you can use to do updates from allowing that single machine access to the Internet to pull those updates.

@jaredbusch said in Microsoft Dynamics, do not use:

@dashrender said in Microsoft Dynamics, do not use:

why isn't there a M365 version of this

There is

is it as flexible as on prem? and if it is - then why is the OP having this problem? I'd be curious to see the justification of not using SAAS.

@dafyre I still have a WSUS server today. They still suck to manage. If there are new Microsoft recommendations on clean up etc. I guess I need to dig into those. I am using an old script from SW before the guy decided to try to make money off of it.

@dafyre said in WSUS Location:

@dashrender said in WSUS Location:

@dafyre said in WSUS Location:

Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.

If AD itself goes tits up, but the box stays running - DHCP will stay running

NB: My current AD servers are not tied in to AD

What? how are AD servers not tied to AD - unless you're talking about the physical hosts (i.e. the Hypervisor level)

Argh... The typos. I'll fix it It should be :

NB: My current DHCP servers are not tied in to AD

And what do you gain from that?

In my migration to M365, I've run across several accounts that still have delegations provided to users who no longer work here. I haven't dug in deeply enough yet to understand why/how these are still attached to Exchange objects, but for now I just need them gone.

I found this post: https://answers.microsoft.com/en-us/msoffice/forum/all/a-corrupted-item-was-encountered-folder-acl-during/1c9c38ca-1b6e-4b2b-8588-facfa547cc92

Unfortunately it doesn't work - seems to assume there's only ever one user with permissions on an object/folder, plus it set's a counter to 0 and then doesn't run if the counter is 0, with nothing possibly changing it until after the first run through, meaning it skips running a list of only one folder.

Here's my modified version of that script (the delete script):

$mbuser = "agrabowski"  # Mailbox User Name to Fix

$fldList= Get-MailboxFolderStatistics $mbuser -FolderScope tasks | Select-Object -Property identity | % { $mbuser+":"+$_.Identity.tostring().trimstart($mbuser) }
write-output 'found list'
$fldList
#Read-Host -Prompt "Press any key to continue"

$remUser='NT User:UROLOGY\ljforehead’   # Name of user to remove

$fnumber=0

ForEach ($folder in $fldList) {
    $folder = $folder -replace "","/" # Fix special charactor
    write-output 'folder name'
    $folder
    $zout=" $fnumber Checking Folder:  $folder "
    Write-output $zout
    if ($fnumber -ne 1){
         $fuser=Get-MailboxFolderPermission $folder
         Get-MailboxFolderPermission $folder
         ForEach ($User10 in $fuser) {
            $Output1 = "test '$User10.User.displayname'"
            write-host "display: " $User10.User.displayname
            $output = "does the above match this user:: $remUser"
            write-output $output
            if ($User10.User.displayname -eq $remUser) {
                $zout = "Removeing user:: '$remUser'"
                $zout
                remove-MailboxFolderPermission -Identity $folder -user $remUser -Confirm:$False 
                }
             }
        $zout = "Verifying Folder: '$folder'"
        $zout
        $fuser=Get-MailboxFolderPermission $folder
        ForEach ($user2 in $fuser){
            $user2.user
            }
   }     
    $fnumber++
}

The posted find script works fine:

#These commands will list all the mailbox folder permissions look for users that are gone or disabled.

$mbuser = "BObama" # <<< Mailbox name to check

$fldList= Get-MailboxFolderStatistics $mbuser -FolderScope Inbox | Select-Object -Property identity | % { $mbuser+":\inbox"+$_.Identity.tostring().trimstart($mbuser) }

# Note this will error out on the inbox\inbox and any folder names with special characters

$fldList|Get-MailboxFolderPermission

In Windows the original Administrator account is apparently a pretty special account (so I've read).

To that end, the advice I've seen is to rename that Admin account to something else. The bad thing about that - if it still holds true - the Administrators account always has the same SAM, so not sure how helpful this is.

@jaredbusch said in MFP Scanning to ODfB:

@pete-s said in MFP Scanning to ODfB:

And then the attachment is saved where you want.

Except, you have no way to save to a users ODfB space.

It is easy to do this to non user locations or a user home folder on a server, but not the user's ODfB.

I am sure it can be done with all kinds of delegation or something setup. But in @Dashrender's case, I would assume some of the stuff is PHI that potentially shouldn't be able to be accessed by an account like that.

Yeah - I'm guessing that each person would need to create their own PA for this to work without having to worry about delegations, etc.

@pete-s said in MFP Scanning to ODfB:

This is how power automate would work:
https://medium.com/@arturl/saving-email-attachments-fully-automated-to-onedrive-1e8cc967b6ca

Basically you scan to email from the mfp. You create a flow that gets triggers when a new email arrives. And then the attachment is saved where you want.

Set it up so that it will only trigger on emails from the mfp.

There are probably a bunch of automation/integration tools that could work. Zapier for example. Similar tools is Zoho Flow that we use to generate notifications and what not, but we're on Zoho, not M365, so it wouldn't apply in your case.

This is more or less exactly what we do for our scans. The MFP scans to an email box, PA runs strips the attachments and places them - in my case - in SharePoint. This SP folder is mapped in ODfB for all users who need access - i.e. it's a shared resource.

From there my users use the EMR upload feature to pick a file from this shared inside ODfB folder and continue with the workflow.

I'm migrating from on-premise Exchange to M365. I'm doing a cutover process.

One of issues I've run into is M365 doesn't work well with group permissions to get users to access other people's calendars. As such I need to remove all the new useless groups from my select users, then script in access for all the users.

These scripts require you to made modifications for your own use.

First script here is listing all the permissions on a list of mailboxes in a give group.

$Group = 'name of your group here'
ForEach ($User_Mailbox in (get-azureadgroup -Filter "Displayname eq '$Group'" | get-azureadgroupmember -All $true))
{
 Get-MailboxFolderPermission -Identity "$($User_Mailbox.Displayname):\Calendar"
}

Next is deleting a specific user/group from the calendar permission

$Group = 'your group name here'
ForEach ($User_Mailbox in (get-azureadgroup -Filter "Displayname eq '$Group'" | get-azureadgroupmember -All $true))
{
 Remove-MailboxFolderPermission -Identity "$($User_Mailbox.Displayname):\Calendar" -User "name of user/group to remove"
}

With the remove command, you can add -Confirm:$false to have it skip confirming each removal.

Export a full list of users from Azure AD

$FilePath = 'the path where you want your CSV file saved'
get-azureaduser -All $true | Select-Object -Property UserPrincipalName,Displayname | Export-Csv -Path $FilePath

@jaredbusch said in M365 Migration - helpful scripts:

@dashrender said in M365 Migration - helpful scripts:

@jaredbusch said in M365 Migration - helpful scripts:

@dashrender You used $group but did not define it in your first example.

it's not defined on purpose - several of these have undefined, it's expected that you will define/replace them yourself.

That is a very poor guide. You posted a script. I expect to copy and paste it and see something work.

Jared is right to a point.

I've now gone back and added variables to all of my scripts making it easier for someone using these to see that they need to enter their own information into the variables to make it work.
I could take it a step further and prompt for that data - but one thing at a time.

@scottalanmiller said in ESXI VM Backup:

@jaredbusch said in ESXI VM Backup:

@eleceng said in ESXI VM Backup:

What's the easiest and cheapest backup to employ on ESXI to backup VM's once they are configured?

I have vSphere essentials and not essentials plus so I don't have the built-in backup.

Is there something that will auto backup all the ESXI host settings / config also?

Veeam B&R is free for 10 or less VM's, while not horribly expensive if you have more.

This is the solution that my customer went in blindly with and got burned because it didn't have an agent to talk to their applications and their systems were corrupted in a totally predictable way. It's an amazing product, but no product can bypass the system admin's need to know their workloads.

Also shows they never did a restore to understand that full process.

@dustinb3403 said in script to download and extract MicroSip portable:

I don't think you understood what I was saying, why don't you become the maintenaner of the choco package.

It's something I've considered because it will force me to learn the parts needed to make it work - which would be good.

But I don't the time time right now to do that. Perhaps in 3 months.

@scottalanmiller said in CAL Counting:

@eleceng said in CAL Counting:

Its has 5 thin clients so I know I will need 5 device cals.

If those are the ONLY devices that will EVER connect, then yes. But I've never yet encountered a real world system where device CALs were reasonably the option.

Agreed - I've never seen this in practice - it's likely better to just forget about device CALs.

Good luck.

I just copy them to USB sticks and plug them directly into the tv and play.

@siringo said in Is it authentication?? Slow response.:

My laptop, isn't joined to any of the domains.

Pretty sure it can't be a domain related thing then.

Is the laptop part of Azure AD? - have you installed any O365 apps, like Teams and logged in using an Azure AD account? If so, by default Azure does try to take over the PC. Could be related this that....