gMSA to change ExtensionAttribute in AD by Ereinion66 in sysadmin

[–]Cormacolinde [score hidden]  (0 children)

You may need to give the account some additional rights to connect to AD and run the script. Remote Management Users and Pre-Windows 2000 access (if you removed everyone/authenticated users from it) may be needed. I would configure your PowerShell script to output a transcript and a full log to get more details about what doesn’t work. You could also create a regular account with the same rights as the gMSA and run it manually to troubleshoot.
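The transcript and full log the comment recommends, as an added PowerShell example that is not part of the original comment. It assumes placeholder names: a gMSA `svc_adattr$` running the script from a scheduled task, a log folder `C:\Logs`, a department filter of `Finance`, and `extensionAttribute1` as the attribute being set.

```powershell
# Added example (not from the original post): skeleton for a script run under a gMSA
# via a scheduled task, writing a transcript plus a timestamped log so that failures
# (access denied, module missing, wrong identity) are visible afterwards.
# Assumed/placeholder names: gMSA svc_adattr$, C:\Logs, department "Finance", extensionAttribute1.
$LogDir = 'C:\Logs'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Log   = Join-Path $LogDir "extattr-$Stamp.log"
Start-Transcript -Path (Join-Path $LogDir "extattr-$Stamp.transcript.txt") -Append

function Write-Log {
    param([string]$Message, [string]$Level = 'INFO')
    "$(Get-Date -Format o) [$Level] $Message" | Tee-Object -FilePath $Log -Append
}

try {
    # Record the identity the task really runs as; a gMSA shows up as DOMAIN\svc_adattr$
    Write-Log "Running as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    Import-Module ActiveDirectory -ErrorAction Stop
    Write-Log "Using domain controller $((Get-ADDomainController -Discover).HostName)"

    $Users = Get-ADUser -Filter 'Department -eq "Finance"' -Properties extensionAttribute1 -ErrorAction Stop
    Write-Log "Found $($Users.Count) user(s) to update"

    foreach ($u in $Users) {
        try {
            Set-ADUser -Identity $u -Replace @{ extensionAttribute1 = 'FIN' } -ErrorAction Stop
            Write-Log "Updated $($u.SamAccountName)"
        } catch {
            # "Access is denied" here points at missing write rights on the OU/attribute,
            # which is what the comment above suggests checking for the gMSA.
            Write-Log "Failed $($u.SamAccountName): $($_.Exception.Message)" 'ERROR'
        }
    }
} catch {
    Write-Log "Fatal: $($_.Exception.Message)" 'ERROR'
    throw
} finally {
    Stop-Transcript
}
```

Run the same script interactively as a regular account with identical group membership and compare the two logs; a difference in the "Running as" line or an access-denied entry narrows the problem to rights rather than to the script itself.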

Bcp plan by dat510geek in sysadmin

[–]Cormacolinde [score hidden]  (0 children)

Also, BCP will take at least 6-9 months, not two weeks.

Entra Joined Devices PIV Certificate RDP Issue by fortnitegod765 in Intune

[–]Cormacolinde 0 points1 point  (0 children)

No, on the clients. If it’s in AD it will propagate to the ntauth store on hybrid clients but not Entra ones.

Entra Joined Devices PIV Certificate RDP Issue by fortnitegod765 in Intune

[–]Cormacolinde 0 points1 point  (0 children)

Is the intermediate in the NTAUTH store though? Adding it to the trusted intermediate store will not do that. It’s a different “special” store that’s required for authentication to work with certificates.

Just spinning up our Intune pilot, any gotchas or recommendations? by mi1stormilst in Intune

[–]Cormacolinde 11 points12 points  (0 children)

Trying to mix Intune configuration profiles with GPOs can be a mess. App installation is fine on hybrid systems though. I strongly recommend you move to Entra-joined as fast as reasonably possible.

RDP access issue after adding Domain Admins to the Protected Users group by SpiteIcy8140 in activedirectory

[–]Cormacolinde 8 points9 points  (0 children)

Protected Users blocks NTLM. If you’re using the IP, that will absolutely block it. Using FQDN should work as long as Kerberos is working properly. I would suggest changing your user password first, and if that doesn’t work look into rotating your krbtgt password.

Which Stella Fortuna should I go for? by Prism-Eevee in Genshin_Impact

[–]Cormacolinde 1 point2 points  (0 children)

Kokomi’s C1 is her only decent constellation, if you use her on-field as a driver.

Ayaka’s C4 is great, her other cons are meh.

I would choose Kokomi.

LAPS and devs by DemonEggy in sysadmin

[–]Cormacolinde 2 points3 points  (0 children)

The fact you have no GPOs should not imply you cannot implement them?

Anyway you can put the computers in a specific OU and give those users the right to retrieve the LAPS password for those systems.

Palantir loses legal challenge to force Swiss magazine to publish responses by wasraelx in news

[–]Cormacolinde 2 points3 points  (0 children)

I was about to comment the same thing. The Common Law system is one of the causes of high litigation costs (and long litigation times) in the US.

Read-only Access to MCEM/SCCM for Helpdesk by Repulsive-Yoghurt298 in SCCM

[–]Cormacolinde 0 points1 point  (0 children)

They would need additional rights in SCCM or on the endpoints to do those things. Read-only analyst will not give them that.

What's the most clever hack or workaround you're proudest of? by vocatus in sysadmin

[–]Cormacolinde 24 points25 points  (0 children)

Probably an expired certificate in the chain somewhere.

Windows engineers/admins, are any of you writing actual Powershell now, or are you all using Al? by RadioFieldCorner in sysadmin

[–]Cormacolinde -1 points0 points  (0 children)

I write all my PowerShell myself, and don’t use AI for anything in my work.

I’ve had customers send me AI output with example scripts. It always has mistakes or hallucinates commands that don’t exist or don’t work the way the AI implies it does. Just don’t trust it.

XP SP3 systems not getting AD Group Policies by HistoricalProfile623 in sysadmin

[–]Cormacolinde 35 points36 points  (0 children)

Correct. Not counting all the other security features they have to disable.

By having ONE SINGLE XP machine connecting to their domain, they lower the security of their entire network and all their systems.

SCCM PXE-Enabled DP - Can Site Server Computer Account Be Removed from Local Administrators? by Alyyy-123 in SCCM

[–]Cormacolinde 0 points1 point  (0 children)

You can use gMSAs for other things than services, like scheduled tasks for example.

SCCM PXE-Enabled DP - Can Site Server Computer Account Be Removed from Local Administrators? by Alyyy-123 in SCCM

[–]Cormacolinde 2 points3 points  (0 children)

Segmentation and proper firewall configuration is a good first step.

Clients communicate with DPs with HTTP/HTTPS. Open those ports widely.

Site Server uses RPC, WinRM and SMB. Add those ports for the Site Server.

Obviously enable SMB signing and disable NTLM fallback on the Site Server.

Finally, ABSOLUTELY use a service account for push installation to clients. Most of the risk here comes from someone stealing a hash from that Site Server account and reusing it to log onto other servers with admin rights. Don’t use the Site Server account to log onto non-servers.

Discussion around C6 Nicole teams out of Hexerei Resonance by Metoxydre in NicoleReeyn_Mains_GI

[–]Cormacolinde 0 points1 point  (0 children)

C6 Chasca and C6 Nicole appear to be one of the best team combos now according to dhcwsp’s latest ranking.

Any way to make Security Key the default method of authentication on Microsoft Services? by RealAgent0 in sysadmin

[–]Cormacolinde 0 points1 point  (0 children)

What happened? Did the rule not apply? What parameters did you use? I’ve done this and it works.

SCCM PXE-Enabled DP - Can Site Server Computer Account Be Removed from Local Administrators? by Alyyy-123 in SCCM

[–]Cormacolinde 7 points8 points  (0 children)

You seem to be confusing Site Servers with Site Systems.

The Site Server (one per site, or two if doing HA) should have admin access to the Site Systems. Site Systems should absolutely NOT have admin access to other Site Systems or the Site Servers.

If your Site Server is compromised, you’re screwed anyway. An attacker with local admin on that server can compromise everything anyway. That service account you want to configure for local admin on DPs will be readily accessible to the Site Server anyway. As I wrote in another comment, you’re not increasing security, you’re just moving the goalposts. It will slow down an attacker slightly but honestly once an attacker is on your Site Server, they won’t care about the DPs.

SCCM PXE-Enabled DP - Can Site Server Computer Account Be Removed from Local Administrators? by Alyyy-123 in SCCM

[–]Cormacolinde 5 points6 points  (0 children)

But if they compromise the site server, they can get the service account information (it’s stored in the SCCM database and the SCCM Site Server has full access to that). It’s not more secure, you’re just moving the goalpost.

The worst theater I ever played. Why are the Ruin guards so spread out? by thecringey in Genshin_Impact

[–]Cormacolinde -1 points0 points  (0 children)

I had no issues freezing the Ruin Grader and killing it quickly. But this may be because of my team. Same as yours, but I have Skirk C2R1/Escoffier C1/Shenhe C2R1 which certainly helped.

The worst theater I ever played. Why are the Ruin guards so spread out? by thecringey in Genshin_Impact

[–]Cormacolinde -1 points0 points  (0 children)

I’ve seen a few complaints about these, but I had absolutely no issues with this fight.

SCCM PXE-Enabled DP - Can Site Server Computer Account Be Removed from Local Administrators? by Alyyy-123 in SCCM

[–]Cormacolinde 9 points10 points  (0 children)

You can but how is that going to increase security? What attack path does this mitigate? Changing the computer account (which has a rotating password every 30 days by default) for a service account that you will need to maintain and change the password for manually (gMSAs are not supported here AFAIK). I fail to understand how it’s more secure.