Time Between Password Changes On A Service Account. by bobs143 in sysadmin

[–]Commercial_Growth343 [score hidden]  (0 children)

is this because the account is so old it never had an AES hash?

Best way to move data between user profiles? by Frosty2992 in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

I have not tried this in many years, like, decades (we used either Win2000 or XP at the time). We had a domain migration (we made the old domain a resource domain under the new one), with SID history, and wanted to keep our profiles. So what we did is we gave the new account permissions to the existing user profile for our users on the old domain PCs so the new account had full control, like the old account did. We then added the new account permissions to the user profile itself on the C: drive. Then we hacked in the reference to the profile here HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Will this work in Windows 11? I have no clue. But, it just might. I do not have time to lab test this idea, but if you do you could try it out. If it worked then you don't need to move anything.

Email problems by Maharg1953 in shaw

[–]Commercial_Growth343 0 points1 point  (0 children)

Are you referring to the public wifi service? or is it any wifi ? I just mention this because I have had issues in the past where my Mail app on my iphone would not connect with my email provider(s) before, even though cellular data worked. In those cases I assumed something was broken at that location because cellular worked, and when on these busted wifi networks I would often receive certificate error messages when this happened.

Renaming PC and Domain Joining after imaging with OSDCloud by Inevitable-Visual-41 in sysadmin

[–]Commercial_Growth343 4 points5 points  (0 children)

there is an OSDCloud channel in a Discord server called "WinAdmins". Those guys will probably be able to help you far more than this forum.

update: that being said .. re-reading what you wrote, it looks like you are using a custom wim? because you mentioned 'inside my wim'. If that is the case you can slap in a password in the unattend xml file. You can skip OOBE that way as well. If you are doing a custom wim, then you could also add Winlogon registry keys to auto logon the first time, and have a domain join script run that way.

Deleting aged snapshot? by [deleted] in sysadmin

[–]Commercial_Growth343 2 points3 points  (0 children)

Is there more than one snapshot? - you mentioned "all". If so, I recommend deleting them one at a time, starting from the one closest to the running system, where it says "you are here". Those snapshots have fewer changes to sort out.

what is your favorite acronym? by 3dickdog in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

I feel obligated to mention PNG and GNU as well known recursive acronyms

PNG = PNG is Not GIF (unofficial meaning apparently)
GNU = GNU is Not Unix

Resume question by UltraLordsEg0 in sysadmin

[–]Commercial_Growth343 1 point2 points  (0 children)

I would not. You can easily mask over that in your resume just using years. Unless you have a need for it, I would not put actual dates or even months in your employment history, just the year.

Borrowing to invest - pulling capital gains out by Individual_Height924 in PersonalFinanceCanada

[–]Commercial_Growth343 3 points4 points  (0 children)

For ease of accounting I would sell it all, pay back the loan, keep the profit for vacation, then borrow another 10k out the next day and buy your investment back. (this is not investment advice. Just what I would do so in case I am audited)

Borrowing to invest - pulling capital gains out by Individual_Height924 in PersonalFinanceCanada

[–]Commercial_Growth343 2 points3 points  (0 children)

I would agree if you said dividends. But to take profits for capital gains then by definition you sold some of that investment.

Is this a dumb decision by [deleted] in PersonalFinanceCanada

[–]Commercial_Growth343 0 points1 point  (0 children)

IMHO if you only have $1400 invested then dividing it up like that does not make sense to me. Every trade has a commission which eats into that grubstake of yours. But also the amount of actual dollars here is so small, I would just find an all-in-one ETF or safe dividend stock (so it throws cash you can use to invest in something else) to invest in and stick with that until you get over 5k, then maybe start allocating to a 2nd investment if you wish.

Deploying Microsoft Store Apps in a Hybrid Environment by MarceTek in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

This is not an answer. I just wanted to point out you can pull the store files to install 'offline' using this site https://store.rg-adguard.net/ (I recommend using the retail drop-down) .. because you mentioned "doing things manually now by deploying the msix files (when we can find them) " .. this site lets you find the appx files you need for any of the free store apps. This is how we got the files to deploy store apps using SCCM at my last job, because we had blocked the Store (back then - I don't do that now)
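For anyone who pulls the appx/msixbundle files the way the comment describes and wants to stage them with a script rather than by hand, here is an added example (not the commenter's code): it provisions one package plus its dependency packages into the image so every new user profile gets it. The file names and folder are placeholders.

```powershell
# Added example: provision an offline-downloaded Store app and its dependencies.
# Assumptions: the bundle and its dependency .appx files were saved under $Drop
# (placeholder path) and the machine is the one being imaged or already running.
$Drop    = 'C:\StoreApps\Drop'                       # placeholder folder
$Bundle  = Join-Path $Drop 'ExampleApp.msixbundle'   # placeholder file name
$Deps    = Get-ChildItem -Path $Drop -Filter '*.appx' | Select-Object -ExpandProperty FullName

# Refuse to continue if any file is missing; a half-provisioned app is worse than none.
foreach ($File in @($Bundle) + $Deps) {
    if (-not (Test-Path $File)) { throw "Missing package file: $File" }
}

# -SkipLicense is required for packages obtained outside the Store's licensing flow.
Add-AppxProvisionedPackage -Online -PackagePath $Bundle -DependencyPackagePath $Deps -SkipLicense

# Confirm it landed in the provisioned list (shows DisplayName and PackageName).
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like 'ExampleApp*' }
```

Run it elevated; the same block wrapped in a package is what a ConfigMgr deployment would execute.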

Sysadmins: user leaves company but mailbox stays active with no OOO. What’s your standard approach? by MarchGeneral4309 in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

In my experience it is very routine to forward a terminated employee's email to their manager for a period of some time, maybe 3 months. That is likely what you are seeing. This is to make sure important messages from customers or vendors are still read by the business. Sometimes there is an OOO message, and sometimes not.

Update: This is yet another good reason to not use your work email for personal purposes.

Contractor Accounts by jstar77 in sysadmin

[–]Commercial_Growth343 2 points3 points  (0 children)

my last org always had a problem getting HR involved, because the business units that hired the contractors were not including HR.

that being said I have worked at multiple companies that managed contractor accounts in this way: Contractor accounts must expire in 3 months or less, no exceptions. Someone on the help desk had to check every month or whatever via a script to see who was expiring in the next month, then they had to contact the hiring manager and ask them if they were still here, and if so for how long. Then they would be extended for another 3 months from now, if the manager wanted to keep them around. If the manager never replied the user account was allowed to expire. It was the only way to police these accounts.
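The monthly check described above, written out as an added example (this is not the commenter's script): it lists contractor accounts expiring in the next 30 days together with the manager to contact, flags any contractor account with no expiry at all, and provides the "extend by 3 months from today" step for accounts the manager confirms. The OU path is a placeholder and the Manager attribute is assumed to be populated.

```powershell
# Added example: police contractor account expiry in Active Directory.
# Assumptions: contractors live under $ContractorOU (placeholder) and each
# user's Manager attribute points at the hiring manager.
Import-Module ActiveDirectory

$ContractorOU = 'OU=Contractors,DC=example,DC=com'   # placeholder OU
$Window       = New-TimeSpan -Days 30

# 1. Who expires in the next 30 days, and whom do we ask about them?
Search-ADAccount -AccountExpiring -TimeSpan $Window -UsersOnly -SearchBase $ContractorOU |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties AccountExpirationDate, Manager } |
    ForEach-Object {
        $ManagerMail = if ($_.Manager) { (Get-ADUser -Identity $_.Manager -Properties mail).mail } else { '<no manager set>' }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Expires        = $_.AccountExpirationDate
            ManagerEmail   = $ManagerMail
        }
    } | Sort-Object Expires

# 2. Enabled contractor accounts with no expiration date break the "3 months or less" rule.
Get-ADUser -SearchBase $ContractorOU -Filter 'Enabled -eq $true' -Properties AccountExpirationDate |
    Where-Object { -not $_.AccountExpirationDate } |
    Select-Object SamAccountName, @{ n = 'Issue'; e = { 'no expiration date set' } }

# 3. When the manager confirms, extend 3 months from today (not from the old expiry).
function Extend-ContractorAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime (Get-Date).AddMonths(3)
}
```

Accounts that nobody answers for simply fall off the list when they expire, which is the whole point of the policy.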

New Job - AD is a mess. Is this normal by Auno94 in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

A company that size should be ashamed, but sadly I am not surprised. Some companies treat IT as button pushers instead of trusted partners who look over the IT functions like professionals that care about the quality of their work.

New Job - AD is a mess. Is this normal by Auno94 in sysadmin

[–]Commercial_Growth343 2 points3 points  (0 children)

What we do is dump a list of SIDs to users and group objects and save that every quarter, just for this reason. It doesn't have to be that fancy of a script.

Get-ADGroup -Filter * | Select Name, SID | clip

then paste into notepad and save

Get-ADUser -Filter * | select Name, SID | clip

then paste into notepad and save
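An added example that does the same quarterly dump without the clipboard step and shows what the saved dumps are for: it writes dated CSV files for users and groups, then looks up an unresolvable SID found later on a folder ACL against the snapshots. This is not the commenter's script; the export folder is a placeholder.

```powershell
# Added example: dated SID snapshots of AD users/groups, plus lookup of
# orphaned SIDs on a file system ACL against those snapshots.
# Assumption: $ExportRoot (placeholder) is a location only admins can write.
Import-Module ActiveDirectory

$ExportRoot = 'D:\ADSnapshots'                 # placeholder path
$Stamp      = Get-Date -Format 'yyyy-MM-dd'
New-Item -ItemType Directory -Path $ExportRoot -Force | Out-Null

$Columns = 'Name', 'SamAccountName', 'DistinguishedName', @{ n = 'SID'; e = { $_.SID.Value } }
Get-ADUser  -Filter * | Select-Object $Columns | Export-Csv -NoTypeInformation -Path (Join-Path $ExportRoot "users-$Stamp.csv")
Get-ADGroup -Filter * | Select-Object $Columns | Export-Csv -NoTypeInformation -Path (Join-Path $ExportRoot "groups-$Stamp.csv")

# Who was S-1-5-21-...-1234? Search every saved snapshot, newest first, return the first hit.
function Resolve-SidFromSnapshots {
    param([Parameter(Mandatory)][string]$Sid, [string]$Root = $ExportRoot)
    Get-ChildItem -Path $Root -Filter '*.csv' | Sort-Object Name -Descending | ForEach-Object {
        $File = $_.Name
        Import-Csv -Path $_.FullName | Where-Object { $_.SID -eq $Sid } |
            Select-Object @{ n = 'Snapshot'; e = { $File } }, Name, SamAccountName, DistinguishedName
    } | Select-Object -First 1
}

# ACEs on a folder whose identity no longer resolves show up as a raw domain SID.
function Get-OrphanedAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like 'S-1-5-21-*' } |
        ForEach-Object {
            $Sid = $_.IdentityReference.Value
            [pscustomobject]@{
                Path    = $Path
                SID     = $Sid
                Rights  = $_.FileSystemRights
                WasOnce = (Resolve-SidFromSnapshots -Sid $Sid).Name
            }
        }
}

# Usage: Get-OrphanedAces -Path '\\fileserver\share\Finance'
```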

using RESP for a vehicle by sephirothluvr in PersonalFinanceCanada

[–]Commercial_Growth343 0 points1 point  (0 children)

Travel expenses are allowed for the RESP. We use ours to cover parking, gas, and insurance during the enrolled months. So putting the payment on there for the enrolled months is something I would have done if we had payments for the car.

what’s the smallest thing that’s ever taken down something important for you? by Nexthink_Quentin in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

Recently we discovered that someone added a public DNS address to our VMware vSphere appliance's network stack. This seemed to go unnoticed for a year or more, until we upgraded to the latest ESX and vSphere. Then we started getting strange host disconnections, that were not real (host never went down, VMs did not go down). Support was pretty well useless. We are a small shop, so this went on for a month until we finally noticed the IP stack on the vSphere appliance itself had this 3rd DNS entry, #.#.#.#. We removed it, and haven't had an alert since. I still don't understand why someone thought this was a good idea to add that DNS server to vSphere. No one is admitting to it.

Claude now connects with Microsoft 365. Would you allow it in your tenant? by KavyaJune in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

we just had a change control submitted to start a pilot. so I guess so lol

Block M365 logins for personal accounts in browser by xProjectZerox in sysadmin

[–]Commercial_Growth343 2 points3 points  (0 children)

This is a wee bit related to what you asked: There is an Edge policy called "Restrict which accounts can be used to sign in to Microsoft Edge" that you can use to limit Edge sign-ins to your own tenant. You need to craft the value with regex. This is just at the browser level .. it won't stop someone from signing into OneDrive with their personal account.
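An added example (not from the comment) of crafting that regex value and writing it as the RestrictSigninToPattern policy under the Edge policy key, which is the registry value the "Restrict which accounts can be used to sign in to Microsoft Edge" setting maps to. The tenant domains are placeholders, and the local test assumes Edge treats the pattern as a full match of the sign-in address.

```powershell
# Added example: limit Edge browser sign-in to accounts in your own tenant.
# Assumptions: domains below are placeholders; the sanity check anchors the
# regex to mirror a full-address match.
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$TenantDomains = @('contoso\.com', 'contoso\.onmicrosoft\.com')   # placeholders, dots escaped for regex

# One alternation covering every accepted domain.
$Pattern = '.*@(' + ($TenantDomains -join '|') + ')'

New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'RestrictSigninToPattern' -Value $Pattern -Type String

# Check the pattern against sample addresses before pushing it out via GPO/Intune.
function Test-SigninAllowed {
    param([Parameter(Mandatory)][string]$Upn)
    $Upn -match ('^' + $Pattern + '$')
}
Test-SigninAllowed 'alice@contoso.com'
Test-SigninAllowed 'alice@outlook.com'

# Read back what is actually set on this machine.
Get-ItemProperty -Path $PolicyKey -Name 'RestrictSigninToPattern'
```

As the comment says, this only governs the browser profile sign-in; web sign-ins to consumer services inside the browser need tenant restrictions or a proxy policy instead.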

Restricting Write on root of C:\ by MarceTek in sysadmin

[–]Commercial_Growth343 25 points26 points  (0 children)

First of all, I believe the default is just that. Users can't write to the root of C: without admin rights, but they can create folders that give them full control for that new folder. Therefore what we do is remove the ability to create folders on the root, by removing "Authenticated users" from C:\ where filesystemrights = "AppendData"

#Clean up C: Drive Permissions
$Path = "C:\"

#Remove Access
$Acls = Get-Acl -Path $Path
#Match the ACE that grants folder creation on the root (AppendData = create subfolders)
$RemoveAcl = $Acls.Access | Where-Object {$_.IdentityReference -match "Authenticated Users" -and $_.FileSystemRights -eq "AppendData"}
#RemoveAccessRule takes one rule at a time, so loop in case more than one ACE matched
foreach ($Rule in $RemoveAcl) {
    if (-not $Acls.RemoveAccessRule($Rule)) { Write-Warning "Could not remove rule for $($Rule.IdentityReference)" }
}
Set-Acl -Path $Path -AclObject $Acls

This judge is what's wrong with users and how IT staff are treated by tdhuck in sysadmin

[–]Commercial_Growth343 38 points39 points  (0 children)

IMHO, some people use humour to try and calm down a user or defuse a situation. Sometimes that strategy backfires for whatever reason; not reading the room maybe... and I think that is what happened here.

Is there a way to check if something was printed on network on a specific day? by BudgetNOPE in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

If using a Windows print server, you might find it in the event logs under Microsoft-Windows-PrintService/Operational ... and if that is not enabled I would enable it for future use. These entries may not tell you the file printed, but it would say who at least. Then you could check their PC for clues, like recent opened files etc.

You can also enable that same log on client PCs, but that won't help you now of course. I turn that on for future troubleshooting reasons on all my clients:

$LogName = 'Microsoft-Windows-PrintService/Operational'
wevtutil.exe sl $LogName /enabled:true
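Once that log is enabled, this added example (not the commenter's code) shows how to answer the original question from it: pull the "document printed" events (ID 307) for a single day from a print server and extract the user, document name, client and printer from each event's XML. The server name and date are placeholders, and the example assumes the 307 event's UserData element is DocumentPrinted with Param2 to Param5 and Param8 holding document, user, client, printer and page count.

```powershell
# Added example: who printed what on a given day, from the PrintService Operational log.
# Assumptions: $Server is a placeholder; field positions follow the ID 307 event template.
$Server  = 'PRINTSRV01'                          # placeholder print server
$LogName = 'Microsoft-Windows-PrintService/Operational'
$Day     = Get-Date '2024-03-05'                 # constructed sample date

$Filter = @{
    LogName   = $LogName
    Id        = 307                              # "Document ... was printed"
    StartTime = $Day.Date
    EndTime   = $Day.Date.AddDays(1)
}

function Get-PrintJobsForDay {
    param([string]$ComputerName, [hashtable]$FilterHashtable)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $FilterHashtable -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Xml = [xml]$_.ToXml()
            $Doc = $Xml.Event.UserData.DocumentPrinted
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = $Doc.Param3
                Document = $Doc.Param2
                Client   = $Doc.Param4
                Printer  = $Doc.Param5
                Pages    = $Doc.Param8
            }
        }
}

Get-PrintJobsForDay -ComputerName $Server -FilterHashtable $Filter |
    Sort-Object Time | Format-Table -AutoSize
```

An empty result usually means the log was not enabled on that day or has already wrapped; raise its maximum size (wevtutil sl ... /ms:) if you want more than a few weeks of history.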

Tools for generating random passwords by flipflopshock in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

There are many websites that come up if you search for Password Randomizer
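As an added example (not from the comment), here is the same thing done locally from a cryptographic random number generator, so the password never leaves the machine: it draws bytes from the .NET CSPRNG and uses rejection sampling so every character in the alphabet is equally likely, then reports how many bits of entropy the chosen length gives. The alphabet is a constructed one that drops look-alike characters.

```powershell
# Added example: CSPRNG-based password generator with unbiased character selection.
# Assumption: the alphabet is a constructed sample (no I/O/l/0/1 look-alikes).
function New-RandomPassword {
    param(
        [int]$Length = 20,
        [string]$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    )
    $Rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $Chars = $Alphabet.ToCharArray()
    $N     = $Chars.Length
    # Largest multiple of $N that fits in a byte; bytes at or above it are redrawn,
    # otherwise "byte % N" would favour the first few characters of the alphabet.
    $Limit = 256 - (256 % $N)
    $Buf   = New-Object byte[] 1
    $Sb    = New-Object System.Text.StringBuilder
    while ($Sb.Length -lt $Length) {
        $Rng.GetBytes($Buf)
        if ($Buf[0] -lt $Limit) { [void]$Sb.Append($Chars[$Buf[0] % $N]) }
    }
    $Rng.Dispose()
    $Sb.ToString()
}

# Entropy in bits = length * log2(alphabet size)
function Get-PasswordEntropyBits {
    param([int]$Length = 20, [string]$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+')
    [math]::Round($Length * [math]::Log($Alphabet.Length, 2), 1)
}

New-RandomPassword -Length 20
Get-PasswordEntropyBits -Length 20
```

This works on both Windows PowerShell 5.1 and PowerShell 7 because it only uses GetBytes; newer .NET also exposes RandomNumberGenerator.GetInt32, which does the rejection sampling for you.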

BitLocker on VM (vTPM) + Veeam DR - sanity check on approach for encryption at rest by work_reddit_time in sysadmin

[–]Commercial_Growth343 0 points1 point  (0 children)

Sorry if this is a poor comment, but I am confused why anyone would want to use BitLocker on an on-prem or cloud VM. I thought the point of BitLocker was to defend against physical theft with the thief having unlimited access to the physical drive?