    dbeato
    • Topics 74
    • Posts 6,044

    Posts
    • RE: Obtaining hardware from terminated remote employee

      After all that, why doesn't the company work on something like an RDS or Terminal Server system, so that the data and application are not on the user's machine? Or even better, think about a web app or anything that doesn't depend on your hardware.

      Also, you might be able to disable tamper protection on the client for Sophos; however, the best thing for someone using Sophos Central is to have the MDM allow the wipe of the computer, and it will wipe the minute that computer hits the internet. Also, the Sophos lockdown with the agent is very annoying, but I have gotten it to work for the reasons this topic started, though HR took care of getting the laptop back and not IT.

      posted in IT Discussion
      dbeato
    • RE: sftp without ssh shell access?

      @Pete-S said in sftp without ssh shell access?:

      Thanks guys.

      To summarize the link above, it's these lines in sshd_config that do the magic.

      Match User sftpuser
           ForceCommand internal-sftp
           <snip>
      

      The first line will tell sshd what user(s) the rest of the settings apply to.
      The second line tells it to go straight into sftp mode. So this will only apply to the users that match the rule above.

      Just make sure to test SSH after you do the changes in a new session, otherwise you might just have broken SSH access.

      posted in IT Discussion
      dbeato
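      A fuller version of that Match block, added here as an example rather than the lines snipped from the post, assuming the account is named sftpuser and the jail directory is /srv/sftp (both assumptions):

```text
# Added example, not the snipped lines from the post; sftpuser and /srv/sftp are assumptions.
# sshd_config does not accept trailing comments, so each note sits on its own line.
Match User sftpuser
    # Every session runs the in-process SFTP server instead of a shell, whatever the login shell is
    ForceCommand internal-sftp
    # Jail the session: /srv/sftp and every directory above it must be owned by root and
    # not writable by group or others, or sshd refuses the login; give the user a writable
    # subdirectory such as /srv/sftp/upload for uploads
    ChrootDirectory /srv/sftp
    # Without these, a shell-less account can still use the host as a tunnel endpoint
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

      From a session that is still open, check the syntax with `sshd -t` and the effective settings for that user with `sshd -T -C user=sftpuser,host=client,addr=192.0.2.10` (constructed values). Match must be the last section of the file: any global directive placed after it is read as part of the Match block.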
    • RE: Choosing a WAF

      I use AWS WAF with Cloudfront, Terraform, Cognito and any functions for the applications so it is very powerful.

      posted in IT Discussion
      dbeato
    • RE: RDP to RDP to RDP?

      You can do an RD Gateway; that would be the best.

      posted in IT Discussion
      dbeato
    • RE: Moving from Physical AD/Data Server to Office365

      @BRRABill said in Moving from Physical AD/Data Server to Office365:

      I guess the question is ... do we just scrap our AD and use our Office365 accounts to log in? Do we really need anything more than that?

      Yeah, scrap it 🙂 and no need for anything else... unless you want to have Intune as your MDM and manage policies on your computers.

      posted in IT Discussion
      dbeato
    • RE: Moving from Physical AD/Data Server to Office365

      @PhlipElder said in Moving from Physical AD/Data Server to Office365:

      tattooed to Azure AD. One cannot join a local AD anymore (IIRC).

      But they will all be working remote, no need to be tied to AD anymore.

      posted in IT Discussion
      dbeato
    • RE: Moving from Physical AD/Data Server to Office365

      @scottalanmiller But you gotta provide the option of an RMM or agent, correct? Because yes, you can do scripting, but you still need something to deliver it and not do it manually. While GP can be used without AD, I would say that using GPOs manually is way more of a PITA than GPO on an AD. That is a discussion for another topic.

      posted in IT Discussion
      dbeato
    • RE: Moving from Physical AD/Data Server to Office365

      @Dashrender said in Moving from Physical AD/Data Server to Office365:

      @PhlipElder said in Moving from Physical AD/Data Server to Office365:

      Catch #1: User will not be able to remote into that PC using RDP. Third party yes, but not RDP.

      Are you sure? Have you tried this?

      Catch #2: The PC is tattooed to Azure AD. One cannot join a local AD anymore (IIRC).

      Are you sure? I have had machines that are in AD first and then AAD joined and never had an issue. Now I've never AAD joined first, then added to AD, no clue what would happen there, though I see no reason why it wouldn't work.

      As Scott mentioned - there are many options for managing machines today Salt or Intune are examples.

      Yeah, he is right. If you AAD join first, you cannot join AD after that. So if they need both, I do the hybrid join on some customers (big ones).

      https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual

      posted in IT Discussion
      dbeato
    • RE: Is it possible to remove local admin on Windows Server?

      @Pete-S said in Is it possible to remove local admin on Windows Server?:

      ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
      Or is always possible to login as local admin (if you know the name/passwd)?

      I wouldn't disable the local admin of a server; it would come in handy if you need to restore stuff or remove and add from the domain. LAPS works but beware 🙂

      posted in IT Discussion
      dbeato
    • RE: Is it possible to remove local admin on Windows Server?

      @Grey said in Is it possible to remove local admin on Windows Server?:

      @pmoncho said in Is it possible to remove local admin on Windows Server?:

      @dbeato said in Is it possible to remove local admin on Windows Server?:

      @Pete-S said in Is it possible to remove local admin on Windows Server?:

      ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
      Or is always possible to login as local admin (if you know the name/passwd)?

      I wouldn't disable the local admin of a server; it would come in handy if you need to restore stuff or remove and add from the domain. LAPS works but beware 🙂

      I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.

      I do disable the Administrator account after creating my own local admin with 20+ char strong password. Less worries on both the security and DR front.

      Yes, but if you have physical or kvm access, even virtual, you can use linux ntpass to turn on the admin account and reset the password. This would be the last resort if you really lost the admin access, which is rare.

      Not since UEFI... At least it doesn't work with Windows 10 and subsequent kernels.

      posted in IT Discussion
      dbeato
    • RE: Cannot access USB drive

      @dbeato supposedly this is a workaround
      https://social.technet.microsoft.com/Forums/en-US/a93b2214-48da-4dbd-89cd-a6b5ef77369f/resetting-device-profiles-without-retiring-device?forum=microsoftintuneprod

      posted in IT Discussion
      dbeato
    • Gmail issue adding external email account to send.

      While helping a customer add their email account to Gmail to be able to send emails we got the error as below:

      Background on how to set up an external account to send:
      https://support.google.com/mail/answer/22370?hl=en

      Error
      "TLS Negotiation Failed. The certificated doesn't match the host., code: 0"

      Resolution
      The email server had the correct SSL certificate but still was having an issue. In this case this was an Exim server and it had a correct SSL certificate. For the heck of it I ran the SSL Checker on https://www.sslshopper.com/ and it came back all good with the whole SSL chain.

      However, when I ran the scan with https://www.checktls.com/TestReceiver, it found an issue with the SSL chain.

      Once I fixed the SSL certificate (by adding the intermediate and root chain) it worked. The Dovecot SSL on the same server had the chain, so that was easy.

      Found also this https://gucia.pl/2020/04/tls-negotiation-failed-the-certificate-doesnt-match-the-host-solved/

      posted in IT Discussion gmail google tls ssl certificates smtp exim4 exim
      dbeato
    • RE: Anyone Know a Good GUI for HAProxy?

      I have used the HAProxy stats page on port 9000
      https://www.haproxy.com/blog/exploring-the-haproxy-stats-page/

      posted in IT Discussion
      dbeato
    • RE: Integrate Rocketchat with Jitsi

      @brianinca said in Integrate Rocketchat with Jitsi:

      @dbeato if you set this option:
      [screenshot of the setting]

      Then you SHOULD get a slideout video window when you select video call from the menu:
      [screenshot of the slide-out video window]

      So that would be nice to keep it in the context of RocketChat, it just doesn't fly. /jitsi <name> is more than our safety guys can handle, apparently!

      I set it as you but I couldn't get any video chat as you show. I will test it out.

      posted in IT Discussion
      dbeato
    • RE: Integrate Rocketchat with Jitsi

      Based on the documentation it does not work in the local rocketchat app
      https://rocket.chat/docs/user-guides/voice-and-video-conferencing/

      posted in IT Discussion
      dbeato
    • RE: Office 365 Licensing sanity check

      @WLS-ITGuy said in Office 365 Licensing sanity check:

      Look at Tech Soup. Great tool for Non-Profits. When we were figuring out what we needed for our move to O365 they were very helpful in assisting us with the right licensing and not getting things we didn't need.

      One thing about Tech Soup, they don't sell the Azure AD premium licenses.

      posted in IT Discussion
      dbeato
    • RE: External port testing

      You can also use Nmap
      https://nmap.org/book/man-port-scanning-basics.html
      I use Angry IP Scanner for that, but a lot of tools use Nmap
      https://angryip.org/

      posted in IT Discussion
      dbeato
    • RE: OpenManage Enterprise Gotcha

      @notverypunny said in OpenManage Enterprise Gotcha:

      @dbeato said in OpenManage Enterprise Gotcha:

      @notverypunny said in OpenManage Enterprise Gotcha:

      OpenManage Enterprise

      That's why we put it on a VM.

      Yep, it's a vm.... but the VM and the iDRAC were set to share the same NIC on the host (whoever did the initial hardware setup didn't want to / couldn't use the iDRAC's dedicated NIC)

      Weird, we use dedicated iDRAC all the time.

      posted in IT Discussion
      dbeato
    • Unlock RDS User Profile Disk (Network Profile)

      Had to fix this today for users locked out of their profile with network user profiles on an RDS server.

      Updated a PowerShell script to match my use:

      $UPDSharePath = "\\server\PublicShare\Profiles"
      $username = "username"

      # Gets the user's SID
      $strSID = (New-Object System.Security.Principal.NTAccount($username)).Translate([System.Security.Principal.SecurityIdentifier]).Value

      # Builds the UPD path string (disks are named UVHD-<SID>.vhdx)
      $diskname = $UPDSharePath + "\UVHD-" + $strSID + ".vhdx"

      # Finds the disk image and dismounts it
      Get-DiskImage $diskname | Dismount-DiskImage
      

      If the user still can't connect after that, recreate the user profile (without renaming the User Profile Disk).

      Go in the registry to the following key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

      Then find the SID of your user, rename the key to .old, and have the user log in again.

      posted in IT Discussion rds remote desktop server user profile disks upd
      dbeato
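      Going one step further than the post's one-user script, here is an added example (not dbeato's code) that lists every UPD on the share with its owner and whether it is still attached, then unlocks one user, including the ProfileList rename from the second step. The share path \\server\PublicShare\Profiles and the user name jdoe are assumptions; run it elevated on the session host that holds the mount.

```powershell
# Added example (not the post's script). Share path and 'jdoe' are assumptions; UVHD-template.vhdx is the master image.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-UpdStatus {
    # Lists every UPD on the share, who owns it, and whether it is still attached (locked).
    param([string]$UPDSharePath = '\\server\PublicShare\Profiles')   # assumed path
    foreach ($vhd in Get-ChildItem -Path $UPDSharePath -Filter 'UVHD-*.vhdx') {
        $sid = $vhd.BaseName.Substring(5)              # file name is UVHD-<SID>.vhdx
        if ($sid -eq 'template') { continue }
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = '<unresolved SID>' }      # orphan disk of a deleted account
        $image = Get-DiskImage -ImagePath $vhd.FullName -ErrorAction SilentlyContinue
        [pscustomobject]@{ Account = $account; SID = $sid; Disk = $vhd.FullName
                           Attached = [bool]($image -and $image.Attached) }
    }
}

function Unlock-Upd {
    # Dismounts one user's UPD and, with -ResetProfile, renames the stale ProfileList
    # entry to <SID>.old so Windows builds a fresh profile at the next logon.
    param([Parameter(Mandatory)][string]$Username,
          [string]$UPDSharePath = '\\server\PublicShare\Profiles', [switch]$ResetProfile)
    $acct = New-Object System.Security.Principal.NTAccount($Username)
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $disk = Join-Path $UPDSharePath "UVHD-$sid.vhdx"
    $image = Get-DiskImage -ImagePath $disk -ErrorAction Stop
    if ($image.Attached) {
        Dismount-DiskImage -ImagePath $disk -ErrorAction Stop
        Write-Host "Dismounted $disk"
    } else {
        Write-Host "$disk is not attached here; check the other session hosts for the lock"
    }
    if ($ResetProfile) {
        $key = Join-Path $ProfileListKey $sid
        if (Test-Path $key) {
            Rename-Item -Path $key -NewName "$sid.old"     # kept for rollback, not deleted
            Write-Host "Renamed ProfileList\$sid to $sid.old; have the user log on again"
        }
    }
}

Get-UpdStatus | Where-Object Attached | Format-Table -AutoSize
Unlock-Upd -Username 'jdoe' -ResetProfile                  # assumed user name
```

      Do the ProfileList rename only after the user has logged off everywhere, since a session still holding the profile will recreate the entry.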
    • RE: Exchange Database and User Login Report Marriage

      @Texkonc said in Exchange Database and User Login Report Marriage:

      @dbeato said in Exchange Database and User Login Report Marriage:

      I will get you something tomorrow, dealing with something important this week.

      If it works, Beer is on me!
      Second thought, I will let SAM pay.... 🙂

      Lol, ship it 😛

      posted in IT Discussion
      dbeato