• 0 Votes
    8 Posts
    4k Views
    JaredBuschJ

    @Pete-S using your little snippet did not clean up the pinned start menu of the initial admin user that ran it, nor the non admin user account that I subsequently created.

    The xbox was still in the start menu, but the rest looked gone.

  • Rack LCD Console with Digital KVM

    8
    0 Votes
    8 Posts
    552 Views
    J

    @PhlipElder said in Rack LCD Console with Digital KVM:

    SIP = Server endpoint?

    Server Interface Pod

  • I Cant Even...

    26
    1 Votes
    26 Posts
    4k Views
    T

    Taking over a location from an MSP and I found that there were two accounts that were created in 2019 with only one login on that date in 2019, and the password was listed in the account description field..... Luckily this domain will only exist for about a week under our control before we move them to our domain.

    Drafted an email for my management to review before I email the CEO of that MSP. Just to make sure it doesn't backfire on me. CYA since I am about to call out an MSP at horrible security.

  • Dell Server Not Recognizing Memory

    11
    0 Votes
    11 Posts
    718 Views
    DanpD

    @NashBrydges Did you try switching the positions of existing CPUs?

  • Force password change on first login over RDP

    8
    1 Votes
    8 Posts
    726 Views
    PhlipElderP

    @Pete-S said in Force password change on first login over RDP:

    Great, so it works if you use RDWeb.

    But if you RDP directly to any Windows server or workstation it won't.

    Nope. It won't. There's no way around that.

    We also have Exchange on-premises so OWA works for that password change.

  • Eaton Rack Mount 5P: power on issue

    16
    0 Votes
    16 Posts
    1k Views
    PhlipElderP

    @PhlipElder
    Don't forget to ground that sucker.

  • Stationary GSM/3G/4G phone?

    3
    0 Votes
    3 Posts
    239 Views
    1

    ...

  • Bookstack - Line break instead of Paragraph

    5
    0 Votes
    5 Posts
    495 Views
    pmonchoP

    @Pete-S said in Bookstack - Line break instead of Paragraph:

    @dafyre said in Bookstack - Line break instead of Paragraph:

    @pmoncho Does SHIFT+ENTER work?

    Ctrl+Enter is otherwise the usual key combo.

    Thanks. This is used to save the page.

  • How-to: Custom RDP window size

    1
    1 Votes
    1 Posts
    259 Views
    No one has replied
  • PS to download latest microsip version

    9
    2 Votes
    9 Posts
    626 Views
    ObsolesceO

    @Dashrender said in PS to download latest microsip version:

    @JaredBusch said in PS to download latest microsip version:

    @Dashrender said in PS to download latest microsip version:

    I just installed it on a test machine with chocolatey - it installed it into the local admin profile - so any normal non admin user can't use it.

    You can run chocolatey without admin rights just fine.

    It warns you, but that is because most software is designed to be installed with admin rights in the Windows world.

    It seems that Microsip does not require that, so run chocolatey as the user itself.

    Interesting - something else to test then.

    Will the choco update scripts catch both admin and non admin installed items?

    It depends on whether or not it was installed with elevated privileges and whether or not a given software is installed to a location that requires elevated privileges to modify.

  • This topic is deleted!

    1
    0 Votes
    1 Posts
    9 Views
    No one has replied
  • You need a passphrase to unlock the secret key for

    3
    0 Votes
    3 Posts
    684 Views
    wirestyle22W

    @JaredBusch I have a file that exports the username and password in the script, so I am using a password. Sadly this error just fixed itself with no changes and everything is working as intended now so I won't know what the root cause of this was. Thanks for replying though.

  • Local Storage vs SAN ...

    36
    3 Votes
    36 Posts
    3k Views
    scottalanmillerS

    Examples in known open source worlds...

    If you run ProxMox with DRBD on the Debian (host) layer, it's RLS assuming ProxMox has local disks.

    If you then make that block storage available over the network, it becomes a SAN (a traditional / physical SAN.) A SAN with replication for resiliency.

    If you run ProxMox and make a VM of Ubuntu and in that VM install DRBD it may or may not be RLS depending on where the host is getting its storage from for that VM. To the VM it will appear as if it is RLS, but we really don't know unless we check the stack. It's just the replication piece here.

    If you then make that DRBD block layer in the VM available over the network, it becomes a vSAN.

  • ZeroTier rules to limit freelancer access

    13
    1 Votes
    13 Posts
    713 Views
    1

    @scottalanmiller said in ZeroTier rules to limit freelancer access:

    @Pete-S said in ZeroTier rules to limit freelancer access:

    Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.

    To me this is what makes more sense. I get the value is DOUBLE protection. But at a minimum this should be there first, ZT only as a completely additional layer of protection.

    I agree. Network access control and segmentation is just to make it freakishly hard to traverse for malicious actors and software.

  • Twelve99 Routing Issues from Cox in Omaha to Chicago

    1
    0 Votes
    1 Posts
    157 Views
    No one has replied
  • Configure ZTE F670L for NAT on LAN Ethernet Ports

    8
    0 Votes
    8 Posts
    7k Views
    scottalanmillerS

    @dagors said in Configure ZTE F670L for NAT on LAN Ethernet Ports:

    This was it. What a dumb way to have that worded!!

    Sorry, google translate.
    But it's good that it was fixed.

    I mean dumb way that ZTE worded it.

  • 0 Votes
    8 Posts
    853 Views
    J

    We find that if we rename the PC, then allow more than a day to go by before restarting, this can happen.

    Also, if we rename a PC, then the user allows the PC to go into Lock mode (screen saver timeout with login required to return) they will encounter this upon wake up/re-logon.

    In the above two cases a reboot usually resolves it, when it doesn't, we go in as local admin and disjoin then rejoin the domain to resolve it.

    Also, in the above two cases, we did not lose the computer in active directory, so after the disjoin/rejoin you'd want to remove the orphan computer from AD.

    There's an article online somewhere about why you should NOT disjoin and rejoin the domain in this case, but we have always done it this way and have never experienced ill effects.

  • 2 Votes
    2 Posts
    737 Views
    1

    @scottalanmiller said in Bind Linux Process to Well Known Web Ports When Not Root:

    If you have ever tried to run a user space program on Linux with a port below 1024 you know that this is a security problem and you are not allowed to do so. There is a simple fix for this, but it is not well known.

    Once you know the binary that you will be using to open the low number (well known) port you can use this command to grant it permission to use these ports without otherwise compromising security.

    setcap cap_net_bind_service+ep /my/binary/file

    Now you can run your application. This is most commonly used for user space web applications that want to use port 80 or 443 without requiring that you run a reverse proxy in front of them.

    Good to know!

    I found this as an example of how to use it and also commands to remove the permission:
    https://cwiki.apache.org/confluence/display/HTTPD/NonRootPortBinding

    The setcap utility seems to be available in the libcap2-bin package on Debian distros.

    I haven't checked if it's installed by default.

  • Helpdesk - PC replacement routines

    15
    1 Votes
    15 Posts
    1k Views
    scottalanmillerS

    @IRJ said in Helpdesk - PC replacement routines:

    @scottalanmiller said in Helpdesk - PC replacement routines:

    @IRJ said in Helpdesk - PC replacement routines:

    The Helpdesk team exists to be a human shield for users. Your main job is to keep users away from the rest of IT. Customer service and user support is the job. Since your Helpdesk should be made up of entry level with fair turnover, I'm not sure you're gonna ever be efficient nor is that really the goal.

    I started in Helpdesk as did many others I've met in higher IT positions. The employees that you have that are really good are not meant to stay there too long. If your company doesn't have the foresight to promote top performers, they will just leave and go somewhere else.

    The TLDR is Helpdesk is supposed to be a human shield for IT. It should be a starting place for aspiring IT professionals, and if they are knowledgeable enough to improve these processes they won't be around long (one way or another).

    That said, some people like the interaction and choose to stay there. But that's not the norm. But even then, it's a customer service role for sure and "performance" will always be difficult. In fact, you might dislike performance if it means less human interactions with end users.

    Yep. I've seen it. There's one guy that I worked with that just loved everything about Helpdesk. Far more capable than the desk. He could be working with servers, cloud, etc. He just decided he loved what he was doing and stayed there for many years. I kept in touch for many years beyond us working together and he was always there. Big fish in little pond so to speak, and I think he likes that.

    We've had staff like that. Pure gold if you find them. Someone actually happy with "what they are doing."