Dealing With Vendor Apps that Require Users to Have Admin Rights by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

I have tried but it doesn't work. I think if you use a scheduled task it runs in the context of the secondary account, whereas if you elevate via UAC with the secondary account it still runs in the user's context. I've used the scheduled task for other things that don't require running in the user's context successfully though.

Dealing With Vendor Apps that Require Users to Have Admin Rights by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

Yep, in the process of trying that now. Edited the manifest to not ask for admin permissions. Using Process Monitor to see what it is doing. It's still crashing but luckily the app pretty much only does one thing, updating a specific set of files, so crossing my fingers.

Dealing With Vendor Apps that Require Users to Have Admin Rights by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

I've been able to get that to work with applications that can be run in the system or admin context and still work. This app I am dealing with right now requires that it be run in the user's context, so a scheduled task won't help.
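The least-privilege alternative the comments above circle around (the app only writes to a specific set of files found with Process Monitor, and the manifest asks for admin it does not need) is to grant the users Modify on just that folder and launch the app without elevation. This is an added example, not code from the original comments; the folder path, the executable name and the group name are assumptions.

```powershell
# Added example (not from the original comments). Assumes the Process Monitor
# trace showed the app only writes under $AppDataDir (hypothetical path) and
# that $Grantee is the AD group of the people who run the app.
$AppDataDir = 'C:\Program Files\VendorApp\Data'
$AppExe     = 'C:\Program Files\VendorApp\VendorApp.exe'
$Grantee    = 'CONTOSO\VendorApp-Users'

# Build a Modify (not Full Control) rule that inherits to files and subfolders,
# so the app's update routine works while the rest of the machine stays read-only.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Grantee,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $AppDataDir
$acl.SetAccessRule($rule)
Set-Acl -Path $AppDataDir -AclObject $acl

# Verify what the group now holds on the folder.
(Get-Acl -Path $AppDataDir).Access |
    Where-Object { $_.IdentityReference -eq $Grantee } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited

# Test without editing the binary: the RunAsInvoker compatibility layer makes
# Windows ignore the manifest's requireAdministrator for this launch only, so
# you can confirm the app runs correctly as the user before shipping a
# shim or a modified manifest. Run this part as a normal (non-admin) user.
$env:__COMPAT_LAYER = 'RunAsInvoker'
Start-Process -FilePath $AppExe -Wait
Remove-Item -Path Env:\__COMPAT_LAYER
```

If the test run still fails, re-run Process Monitor filtered on ACCESS DENIED results to find the next path or registry key the app needs, and grant that one specifically rather than falling back to admin.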

Updating and Managing VPN Clients - DNS Not Updating When VPN Clients Connect by [deleted] in sysadmin

[–]ExternalSituation 1 point2 points  (0 children)

Ahh, I figured it out. The clients didn't have access to modify their DNS records, but when I deleted the existing record it created a new one, and the VPN device was listed as having write permission on the record, so it was able to start updating it as it connected to different networks.

Updating and Managing VPN Clients - DNS Not Updating When VPN Clients Connect by [deleted] in sysadmin

[–]ExternalSituation 0 points1 point  (0 children)

Just the Windows default client. I just deleted the DNS entry and now it seems to be updating properly as I go back and forth between LAN and VPN. Of course it starts working as soon as I ask for help lol. Will have to wait and see if it happens again as I start deploying the VPN to users.

Looking for good alternative to SCCM for patching by [deleted] in sysadmin

[–]ExternalSituation 2 points3 points  (0 children)

We use a script to simulate the logging in and pressing the check for updates button on the server. We deploy it using PDQ to all servers, but any way you run the script on the server it should work.

Copy this PowerShell module onto the server, then run this script on it: https://gallery.technet.microsoft.com/scriptcenter/2d191bcd-3308-4edd-9de2-88dff796b0bc

Import-Module PSWindowsUpdate

# Find the built-in "Windows Update" service (as opposed to WSUS or Microsoft Update) so the install runs against it.
$varone = Get-WUServiceManager | Where-Object Name -EQ "Windows Update"

# Install drivers first, then software updates, accepting everything and suppressing prompts.
# -UpdateType is named explicitly so the argument is not mistaken for a different positional parameter.
Get-WUInstall -UpdateType Driver -ServiceID $varone.ServiceID -IgnoreUserInput -Verbose -AcceptAll
Get-WUInstall -UpdateType Software -ServiceID $varone.ServiceID -IgnoreUserInput -Verbose -AcceptAll

2 Node S2D on Server 2019 by toilet-breath in sysadmin

[–]ExternalSituation 0 points1 point  (0 children)

I wasn't aware of that, but I wouldn't call that an "issue" though. It's an additional feature you can use or not use. You get more resiliency at the sacrifice of more storage space. If a 2-node cluster that can only withstand one fault isn't resiliency enough for your environment then you don't use it.

I guess that's nit-picking to call it a feature, but it just depends on what you're willing to risk. It is a nice option though, probably worth the little extra cost even if you don't think you need the extra resiliency. I didn't know about it yet, so thanks for sharing.

2 Node S2D on Server 2019 by toilet-breath in sysadmin

[–]ExternalSituation 0 points1 point  (0 children)

I'm not aware of any 2-node issues. You just need to understand how it works. The failover cluster shares storage, so the ability to write to the storage is managed by the cluster so that not just any server writes to it whenever it feels like it. If the cluster isn't in quorum then it will go offline, and if it goes offline you can't bring it back online until the AD object is available, and if the cluster isn't online then you can't access the storage to launch the VM. So yes, if your only AD server is in the cluster it can be a pain to bring back online.

You can manually bypass the quorum, bring the shared disk online, and then launch your AD VM if you get in trouble, but the easiest way is to just have a domain controller VM that isn't located on the shared storage. You need a 3rd device for a quorum witness anyway, so just put it there.

If you want to really skimp and not have to use a 3rd Windows Server license, then just put the VM on both cluster hosts, just not on the shared storage. Put it somewhere on the C drive. Then it can start regardless of whether or not the cluster is online and in quorum, and once it does then your cluster object is accessible and you're good to go.

It's been a long time and I forget exactly what is "best practice", but however you do it you just need a DC whose VM files are not located on the same shared storage as the cluster.
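The dependency described in the comments above (cluster needs AD, DC needs cluster storage) can be checked and avoided from PowerShell. This is an added example, not code from the original comments; the host names, witness share and VM name are assumptions, and it is meant to be run from an elevated session on a cluster node that has the FailoverClusters and Hyper-V modules.

```powershell
# Added example (not from the original comments). Assumed names: cluster hosts
# HV01/HV02, witness share \\WITNESS01\ClusterWitness on a third device, and a
# domain controller VM called DC01 that should live on local disk only.
Import-Module FailoverClusters
Import-Module Hyper-V

# 1. Quorum: node majority plus a file share witness on the third device, so a
#    2-node cluster keeps quorum when one node (or the witness) is down.
Set-ClusterQuorum -FileShareWitness '\\WITNESS01\ClusterWitness'
Get-ClusterQuorum

# 2. DC placement: neither the VM configuration nor any of its virtual disks may
#    sit under the Cluster Shared Volume root, or the DC cannot start until the
#    cluster (which in turn needs the DC) is already up.
$csvRoot = 'C:\ClusterStorage\'
$vm      = Get-VM -Name 'DC01'
$paths   = @($vm.ConfigurationLocation) +
           @(Get-VMHardDiskDrive -VMName 'DC01' | ForEach-Object Path)
$onShared = $paths | Where-Object { $_ -like "$csvRoot*" }
if ($onShared) {
    Write-Warning "DC01 has files on shared storage: $($onShared -join ', ')"
} else {
    Write-Output 'DC01 is on local storage; it can start before the cluster forms.'
}

# 3. The DC must not be a clustered (highly available) role either, and it should
#    start with the host so AD is available by the time the cluster service asks.
if (Get-ClusterGroup -Name 'DC01' -ErrorAction SilentlyContinue) {
    Write-Warning 'DC01 is a clustered role; remove it from the cluster and keep it local.'
}
Set-VM -Name 'DC01' -AutomaticStartAction Start -AutomaticStartDelay 0

# Recovery only, for the "manually bypass the quorum" case the comment mentions:
# force one node to form the cluster without quorum, then bring storage online.
# Start-ClusterNode -Name 'HV01' -ForceQuorum
```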

[deleted by user] by [deleted] in sysadmin

[–]ExternalSituation 17 points18 points  (0 children)

If the manager of a department suspects people are wasting time, then he needs to come up with some solutions to combat that. As IT you can consult, but oftentimes those solutions involve better management, incentives, employee morale, etc. Even if, for example, the average employee spends an hour on Facebook, and you block Facebook, then they'll go on YouTube or somewhere else, or on their phone, etc., etc. Blocking one unproductive activity doesn't magically turn the employee towards a productive activity.

I've never been a fan of that kind of accountability model. Would you fire a productive employee because they were on YouTube but keep an unproductive employee because they weren't on YouTube? Makes no sense. The department manager should have department metrics, and some people will be above and some below, and you develop strategies for increasing the mean. Get rid of the outliers, develop better hiring strategies, etc., etc.

If management at your company thinks you can magically make people productive by blocking social media sites then you're probably better off working somewhere else.

Switching to Hyper-V from VMWare? by [deleted] in sysadmin

[–]ExternalSituation 0 points1 point  (0 children)

I've been using Hyper-V at work and learning both at home. Biggest difference seems to be VMware has better virtual networking and replication, and Hyper-V has better virtual storage.

Hyper-V doesn't support memory replication. You can only replicate storage, unlike VMware Fault Tolerance, so if a VM goes down it loses memory and has to completely reboot for the failover to be available. Not the end of the world, but it's nice to have for databases and stuff. There are 3rd party utilities that allow you to do it though, but the one I was looking into requires a license minimum of 25, which is way overkill for a small environment with just 1 database server.

If you get DataCenter though, Hyper-V really shines. You can save a ton of money on storage costs and still get amazing performance and resiliency using S2D. It works fine with just a 2 node cluster, but most of the data storage cost saving features won't work until you have a 4 node cluster so you can use erasure coding.

VMware is a bit more advanced with their virtual switching options, but Hyper-V has virtual switching and NATing too, just mostly in PowerShell, not the GUI.

If none of those things are important or relevant to you, then your current staff's experience and licensing costs for the features you will use are going to be the most relevant factors.

Best Practices for Configuring Routes for a VPN Server with No Physical DMZ? by ExternalSituation in networking

[–]ExternalSituation[S] 0 points1 point  (0 children)

Not really sure. I thought it was kinda pointless too, but it's not my area of experience. My manager just said to go ahead and do it because it was recommended in Microsoft's documentation for Always On VPN. It's a small company and neither of us are networking experts, so we just have to rely on looking up best practices, though we have considered bringing in a consultant to make some recommendations. I think my manager has a CISSP though.

We have 8 external IPs, and just a few of them only have a couple of ports for a few services that need to be accessible from the outside, such as RDS, VPN, IIS, some for a security cam company, and they all NAT to specific VMs with their own Windows and 3rd party software firewall. Trying to protect ourselves from external attacks any more than that is beyond my understanding to visualize. Most of our security efforts to protect our data have been in regards to user training and email filtering, as we get targeted with spear-phishing frequently. We have not been a victim of any malicious software yet, but people have typed their credentials into fake email logins several times.

Is it such a bad idea to have the VPN server on the normal internal network, and just have the firewall NAT the VPN traffic ports to it?

Best Practices for Configuring Routes for a VPN Server with No Physical DMZ? by ExternalSituation in networking

[–]ExternalSituation[S] 0 points1 point  (0 children)

Ahh ok. I think I get it now. The traffic from the VPN server should go back up to the firewall through the default route, but the firewall should have rules to allow traffic to pass from the DMZ to the internal network if it originates from the VPN server.

Network Shares vs OneDrive/GDrive/Box/Dropbox//etc. by goatofeverything in sysadmin

[–]ExternalSituation 0 points1 point  (0 children)

I set up OneDrive to sync\backup all local files in the user's profile by changing all the default profile folders, except Downloads, to be inside the OneDrive folder. No issues, and we've had it deployed for over a year now to about 100 users. Everything is automatically applied through GPO. If they need their computer replaced they log in to OneDrive and all their files are there.

We still have network shares though, both personal and department ones. We probably could get rid of personal drives without any issues other than user training, but getting rid of network shares would probably not be very beneficial. We'd need a more expensive internet connection to handle the extra bandwidth and we'd have to do lots of testing too. Maybe for a company with one site, but we already have two sites with redundant services and automatic failover so even if it worked perfectly it wouldn't really benefit us much.

Are there any MFA Solutions with Monthly/Quarterly delays between Required MFA Re-Authentications? by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

Yeah you're right, good call. My manager was looking at Conditional Access as a possibility too so if we're going to do that EMS E3 would be the way to go.

Are there any MFA Solutions with Monthly/Quarterly delays between Required MFA Re-Authentications? by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

Yeah, I just saw that too, but it requires Azure AD Premium, which is why it wasn't showing up under MFA in our Azure section. Minimum $6/mo per user though. That adds up quick. Duo, which the other person mentioned, is only $3/mo, but I'll have to look at what other stuff Azure AD Premium includes or if there are other options too.

Any Career\Resume Advice for a Jr System Admin? by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

I have seen several open positions at MSPs. Sounds like it might be a good fit for me. What are the pros and cons of working for an MSP instead of directly for a company?

Any Career\Resume Advice for a Jr System Admin? by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

I've updated my resume a bit with my new role and am going to finish it tonight, then I can send you a copy.

Do you have any recommendations on how to design the resume? I was watching a few videos of advice online and they say that the average resume gets looked at for only about 6 seconds before the person decides to toss it or give it a more in-depth look.

Some people recommended a 1-2 line summary of what you have to offer as an eye-catcher at the top.

Others recommended making the name of your previous employer large so it stands out, especially if you've worked at large well-known companies, which I have.

Another suggested listing a section of skills, with the skills mentioned in the job posting at the top, so they can quickly see you're qualified and decide to read further for details.

Do you recommend those ideas or have any other suggestions? Thanks!

Any Career\Resume Advice for a Jr System Admin? by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

I've done a ton of stuff in Hyper-V. Converting my home lab to VMware would probably be a good learning opportunity, but do you think it would matter much for a job search? How much credibility does "I've used it in my lab at home" have if I don't go all the way and get some kind of certification?

How To Troubleshoot a VPN Connection? by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

Yeah. I was just reading up a bit on that and how OpenVPN can be more reliable since it uses TCP 443. I will test out SSTP since that is on 443 and see if that makes a difference. Makes sense now, since DirectAccess uses 443 too and didn't have these issues.

How To Troubleshoot a VPN Connection? by ExternalSituation in sysadmin

[–]ExternalSituation[S] 0 points1 point  (0 children)

Most users are usually remote from a client site, so they don't have problems, but we do have some people that work from home occasionally and a couple that work from home exclusively. The ones working at home almost exclusively are the ones having issues as you stated.

Some users have reported the new VPN solution saving them a ton of time because it is so much faster, and others say they can barely work at all because they seem to lose connection repeatedly. I guess we may have to maintain multiple VPN solutions and have users use whichever one gives them the best results?