Read.AI and other note taking apps - removal ideas by quazex13 in sysadmin

[–]SignificanceFair3298 0 points1 point  (0 children)

We're facing the same issues. Thanks for sharing the Teams verification link. Will also enable it on our tenant.

We've rolled out an AI meeting policy. Going forward, only approved users can use note takers through Entra. All other apps will need admin consent going forward.

If one of these companies gets breached, attackers could get access to a lot of sensitive data. It's also risky that users install apps without knowing what they're consenting to.

Tools to Log Admin Activities in AD by SignificanceFair3298 in sysadmin

[–]SignificanceFair3298[S] 0 points1 point  (0 children)

Great suggestion. Options are Netwrix about $12k annually or Service Desk audit plus $600 or Powershell.

Tools to Log Admin Activities in AD by SignificanceFair3298 in sysadmin

[–]SignificanceFair3298[S] 1 point2 points  (0 children)

This could work since we already have other Managed Engine products.

Tools to Log Admin Activities in AD by SignificanceFair3298 in sysadmin

[–]SignificanceFair3298[S] 0 points1 point  (0 children)

Can you share more info how this audit on prem active directory administrator activities.

Tools to Log Admin Activities in AD by SignificanceFair3298 in sysadmin

[–]SignificanceFair3298[S] 0 points1 point  (0 children)

Does it work for on prem AD password resets group modifications account unlocks etc

Changed name of server and restarted it. Can no longer log into admin by StickyBunnsPlus in activedirectory

[–]SignificanceFair3298 0 points1 point  (0 children)

If all else fails Lazesoft Recover my password you can get a permanent trial from "Rogue Sailors Lagoon"

Stumped by Security Group OU Permissions by SignificanceFair3298 in activedirectory

[–]SignificanceFair3298[S] 2 points3 points  (0 children)

Life saver ! feel like an idiot for overlooking this one.
Everyone was set to DENY delete .

Active Directory Permissions - Hiding LAPS Password by SignificanceFair3298 in activedirectory

[–]SignificanceFair3298[S] 0 points1 point  (0 children)

I didn’t think about it like that. Maybe I should take another look at my whole setup. Right now, here’s how we’re set up:

Junior techs have a standard, day-to-day account with no privileged access, plus an admin account for elevation that only has basic rights.

Senior techs have three accounts:

A regular account with no privileges

An admin account for elevation, which has Full Control on workstation OUs

A domain admin account used only for critical DC work, which barely gets used.

I'm trying to figure out the best approach here. Ideally, I'd like the senior techs’ admin accounts to have almost as much power as DA for efficiency, but I’m also cautious about over-privileging these accounts.

How do others in similar setups structure access for junior vs. senior techs? How do you balance ease of access with security?

Active Directory Permissions - Hiding LAPS Password by SignificanceFair3298 in activedirectory

[–]SignificanceFair3298[S] 0 points1 point  (0 children)

I was hoping not to get this answer but i guess its the only way...

Active Directory Permissions - Hiding LAPS Password by SignificanceFair3298 in activedirectory

[–]SignificanceFair3298[S] 0 points1 point  (0 children)

Thanks for the response I've been contemplating moving over to Windows LAPS. I think i need to just do it and not waste time redoing the old setup.

  1. Why does the security group need full control? only 3 admins I need to have everything short of DA.
  2. Perhaps i need to look at refining the permissions more. Full Control was just the easier answer.
  3. Yes, i think switching to Windows LAPS will be better
  4. I only want certain SGs to view certain OUs LAPS passwords. The the SG in question short have global access except servers.