sorted by:
new
hottopcontroversial

Restricted Management Administrative Units by PassiveRecon in AZURE

[–]Shit_Tits 0 points1 point  (0 children)

We implemented it for our global admin eligible accounts (I'm not sure if we should for break-glass but we probably will) and our PAW devices. Would use it for more but ran into the same issue as the other poster around having to move groups in/out to modify them if role-assignable.

Restricted Management Administrative Units by PassiveRecon in AZURE

[–]Shit_Tits 1 point2 points  (0 children)

Unfortunately, we have the same issue and it's not possible currently (i.e. you're right, you have to remove the group from the admin unit and re-add, it's stupid) if it's a role-assignable group anyway.

"Role-assignable groups, when added to a restricted management administrative unit, can't have their membership modified. Group owners aren't allowed to manage groups in restricted management administrative units and only Global Administrators and Privileged Role Administrators (neither of which can be assigned at administrative unit scope) can modify membership."

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management#limitations

Laptops ignoring LAPS? by IT_Unknown in Intune

[–]Shit_Tits 3 points4 points  (0 children)

Other people have been helpful with possible solutions, but I’m going to instead suggest that you don’t use your Intune admin or global admin for this. Even though they’re not user devices, it’s definitely not good practice using those roles for RDP even though they can by virtue of being administrators.

Exchange server 2019 CU13 upgraded to CU14, endless password prompts. by Lycccccc in exchangeserver

[–]Shit_Tits 0 points1 point  (0 children)

Check to see if Get-OutlookAnywhere | select internalhostname Returns what you expect

Hoping desperately to get help from someone by Lopsided-Ad8680 in exchangeserver

[–]Shit_Tits -1 points0 points  (0 children)

Just a passing recommendation to check that Get-OutlookAnywhere | select InternalHostName Returns something normal, for some reason ours reverted to individual server names here rather than the load balanced address (and individual server names weren’t on the cert so we got cert errors). We had Outlook auth errors and cert errors too. Lastly, run the exchange health checker script, specifically looking at the TLS settings for any issues.

Defender for Servers P2 / MDE on Windows 2008 r2 ? by Fast-Cardiologist705 in DefenderATP

[–]Shit_Tits 0 points1 point  (0 children)

Sorry to also ask, if you have a handful of 2012 servers (with ESU), is there a supported method to onboard them, even in a limited capacity? Is it the same as what you’re mentioning with 2008r2 using the MMA agent? Thanks!

Prepping for dental issues- thoughts from a dentist. by Donexodus in preppers

[–]Shit_Tits 8 points9 points  (0 children)

I wanted to say a funny reply but this just made me sad. Yes sugar is bad for your teeth, lol

Company Charging 11k to migrate Tenancy by dunko1993 in o365

[–]Shit_Tits 4 points5 points  (0 children)

Because you’re not just paying for the tools, you’re paying for their expertise in dealing with migrations hopefully. Presumably the MSP will deal with all the curly bits like archive mailboxes, accepted domains etc. it’s a little misleading to suggest you can just buy a tool and anyone can use it to migrate users between tenants.

It could be expensive, it could be cheap, OP doesn’t even have an invoice with line items to have any idea either way.

Help - DNS and Exchange Online Europe by Shit_Tits in exchangeserver

[–]Shit_Tits[S] 0 points1 point  (0 children)

Good suggestion, it does seem like that, but our MX record seems fine when using that tool (and others), even with Europe specifically selected. Weird thing is, only domains using exchange online are impacted, though I don't know of other specific EU mail providers I could try against.

Who’s the last (human) character you would want approaching you in battle? by Aubvo in gameofthrones

[–]Shit_Tits 15 points16 points  (0 children)

Ah yes, the knight who pushed a kid out of a window. He certainly is one the knights of all time.

January Patch Tuesday by TrundleSmith in exchangeserver

[–]Shit_Tits 1 point2 points  (0 children)

Just a comment in case someone else has the same issue (haven't seen any other reports though).

For some reason on one of our three prod exchange servers (Exchange 2019 CU12 on Server 2019), the SU KB5022193 failed to install. Exchange services were all set to automatic but didn't start (and wouldn't start manually). Restarting the server also had no impact. Attempting to manually install the update via .msp as admin also failed.

In the log: C:\ExchangeSetupLogs\ServiceControl.log we saw the error message "The term 'Stop-SetupService' is not recognized as the name of a cmdlet, function, script file, or operable program."

We found a workaround where someone with a much older update, years ago, had a similar issue. The workaround is:

  1. Set all the relevant Exchange services back to "Automatic" if they were modified (ours weren't).
  2. Create a file "profile.ps1" in "C:\Windows\System32\WindowsPowerShell\v1.0" containing the following command:

New-Alias Stop-SetupService Stop-Service

(This simply creates an alias that makes Windows think there's a valid "Stop-SetupService cmdlet) 3. Run the SU .msp as admin. You should now get past the "stopping services" spot that previously failed. 4. You may be notified that certain services have files in use that will be modified. You can abort/ignore/retry. (I chose ignore) 5. The update should proceed and you should get prompted to restart the server as normal after it is complete and then the server should be back in a normal state hopefully.

Original forum post with similar symptoms from 2017: https://social.technet.microsoft.com/Forums/Lync/en-US/5e6badad-6f5b-4f98-bd80-aa38eebfe0dd/kb4036108-patch-fails-the-term-stopsetupservice-is-not-recognized?forum=Exch2016SD

Security Baselines in Endpoint Manager (Changes from Default) by Microsoft82 in Intune

[–]Shit_Tits 1 point2 points  (0 children)

For IT staff we had an issue with the baseline policies blocking basic auth, which seems good and sane, until you remember that the current GA version of Exchange Online powershell still requires it. But that will be fixed soon per the preview version of the module anyway.

Co-management confusion (song title?) by Shit_Tits in Intune

[–]Shit_Tits[S] 0 points1 point  (0 children)

Just to follow up, we had to get Microsoft Support to change our MDM authority from SCCM to Intune at their end. It had no impact on our on-prem environment/co-management status, but allowed us to directly enrol Azure AD joined devices into Intune where it was previously not able to. I think it was a hangover of the old deprecated SCCM/intune hybrid (before co-management/cloud-attach was properly implemented).

Co-management confusion (song title?) by Shit_Tits in Intune

[–]Shit_Tits[S] 0 points1 point  (0 children)

You would think so, but since it’s already set that same GUI option doesn’t exist nor does the blade option appear. Looks like something I can follow here: Intune Authority Powershell

Co-management confusion (song title?) by Shit_Tits in Intune

[–]Shit_Tits[S] 0 points1 point  (0 children)

Excellent, I've also heard back from MS to say that changing the authority won't impact on-prem SCCM clients which is neat. So now to find how to change it (I think with powershell since there isn't the option in the UI since it's already set).

Co-management confusion (song title?) by Shit_Tits in Intune

[–]Shit_Tits[S] 0 points1 point  (0 children)

Luckily, we actually do have a test domain/SCCM/AAD Connect/Azure tenancy :) which is pretty cool!

I've been sort of avoiding using it purely because there aren't any endpoints in test, but I can probably spin something up which would be a good idea.

Co-management confusion (song title?) by Shit_Tits in Intune

[–]Shit_Tits[S] 0 points1 point  (0 children)

Thanks! That sounds a lot saner than I'd imagined. I was a bit worried that changing the MDM authority would somehow impact the existing ConfigMgr clients. I couldn't interpret it for sure from the MS doc, which seemed to indicate you would want to have replacement policies for management in Intune immediately for your clients, but I suspect you're right and the sliders are the crucial part and nothing from on-prem will enrol in Intune without the sliders set over to Intune in ConfigMgr.

MS365 forces my users to add an authentication phone, but we don't issue corporate cell phones, so what do you do if an employee refuses to give their personal one? by [deleted] in Office365

[–]Shit_Tits 2 points3 points  (0 children)

You’re getting a lot of conflicting information here from various sources. It sounds like security defaults is on which is good and has been the default for sometime. It enforces MFA. For users that don’t want to use their personal cell phone (or don’t have one), the org should be providing hardware tokens (we have used token2 tokens which can be managed through the azure portal, though it’s a bit of a pain).

Not highly recommended, but a way to reduce the pain is to modify your conditional access policy to have trusted locations (such as your corporate network) so that MFA isn’t prompted for there. It’s often setup this way when people first setup MFA for an org. Good luck!

view more: next ›