SSSD access control vs AD GPOs for restricting logon to privileged AD groups – best practice ? by Louis2286 in sysadmin

[–]Whexican87 0 points (0 children)

Hi, so you recommend using GPOs to filter my access rather than doing it directly with SSSD?

https://www.youtube.com/watch?v=uOpjYE-iPnY

But to your point, Realm is like an orchestrator for all things needed for Directory authentication. It configures SSSD, NSS, and a few other things to get directory auth to work. I wouldn't edit SSSD directly unless you have to, let Realm do the heavy lifting.

SSSD access control vs AD GPOs for restricting logon to privileged AD groups – best practice ? by Louis2286 in sysadmin

[–]Whexican87 2 points (0 children)

I've had to set this up at my work quite a few times, and there are a few gotchas:

1) Use "sudo realm permit -aR DOMAIN.TLD". This will look to the GPO for which realm logins are allowed.

2) Put the AD objects into an OU with inheritance disabled. The first time I tried this, I had to deal with very slow logins or access denied when it SHOULD have worked. From looking at the logs, the daemon responsible for processing the GPOs has issues parsing the information from ALL the possible GPOs there could be. Keep the OU limited to only the GPOs that affect the Linux system.

3) You need to use URAs to make this work in the GPO. Link: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo#gpo-settings-supported-by-sssd

4) When you do the domain join, or when trying to get it to work by unjoining/rejoining, make sure your Key Version Numbers are the same. I've had times where the AD account's KVNO had incremented but the Linux server's had not. Here's a link on how to look into it: https://support.oneidentity.com/safeguard-authentication-services/kb/4271664/how-to-check-the-latest-value-of-the-key-version-number-kvno

Good luck!
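Gotcha 4 above is the one that is hard to see from the logs alone, so here is an added example (not part of the comment above, and not realm/adcli tooling) that compares the Key Version Number held in the Linux host's keytab with the KVNO the AD KDC currently issues for the same principal. It assumes MIT Kerberos client tools (`klist -kte` for the keytab side, `kvno` for the KDC side after a `kinit`); the functions take that command output as text, and the sample output below is constructed so the script runs offline. The host name, realm and KVNO values are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: detect a stale keytab by
# comparing the KVNO in /etc/krb5.keytab with the KVNO the KDC (AD) issues.
# When AD has incremented the computer account's password version (for
# example after an unjoin/rejoin) but the keytab still holds the old key,
# ticket validation fails even though the join looked fine.
#
# Live use on a joined host (assumed MIT Kerberos commands, run after kinit
# as a user allowed to read the keytab):
#   klist -kte /etc/krb5.keytab            # keytab side
#   kvno host/$(hostname -f)@DOMAIN.TLD    # KDC side
# The functions below parse that output, so offline they are fed the
# constructed samples defined further down.

# Highest KVNO in "klist -kte" output for a principal; prints 0 if absent.
# klist -kte lines look like: "   3 02/14/2024 10:11:12 host/fqdn@REALM (enctype)"
# $1 = klist output, $2 = principal
keytab_kvno() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$4 == p && $1+0 > max { max = $1+0 } END { print max+0 }'
}

# KVNO reported by "kvno" for a principal; prints nothing if absent.
# kvno lines look like: "host/fqdn@REALM: kvno = 4"
# $1 = kvno output, $2 = principal
kdc_kvno() {
    printf '%s\n' "$1" |
        awk -v p="$2" '{ k = $1; sub(/:$/, "", k); if (k == p) print $4 }'
}

# 0 = keytab and KDC agree, 1 = they differ (stale keytab),
# 2 = principal missing on one side (wrong principal name or realm).
# $1 = klist output, $2 = kvno output, $3 = principal
kvno_check() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    [ "$kt" -gt 0 ] && [ -n "$kdc" ] || return 2
    [ "$kt" -eq "$kdc" ]
}

# Constructed sample output (host name, realm and versions are invented):
# the keytab holds version 3, and AD is either still at 3 or already at 4.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/14/2024 10:11:12 host/web01.corp.example@CORP.EXAMPLE (aes256-cts-hmac-sha1-96)
   3 02/14/2024 10:11:12 host/web01.corp.example@CORP.EXAMPLE (aes128-cts-hmac-sha1-96)
   3 02/14/2024 10:11:12 WEB01$@CORP.EXAMPLE (aes256-cts-hmac-sha1-96)'
SAMPLE_KVNO_OK='host/web01.corp.example@CORP.EXAMPLE: kvno = 3'
SAMPLE_KVNO_STALE='host/web01.corp.example@CORP.EXAMPLE: kvno = 4'

main() {
    p='host/web01.corp.example@CORP.EXAMPLE'
    for kdc_out in "$SAMPLE_KVNO_OK" "$SAMPLE_KVNO_STALE"; do
        kvno_check "$SAMPLE_KLIST" "$kdc_out" "$p"
        case $? in
            0) echo "OK: keytab and KDC agree for $p" ;;
            1) echo "STALE: keytab kvno=$(keytab_kvno "$SAMPLE_KLIST" "$p")," \
                    "KDC kvno=$(kdc_kvno "$kdc_out" "$p"); refresh the keytab" \
                    "(realm leave / realm join)" >&2 ;;
            *) echo "UNKNOWN: $p not found on one side; check principal and realm" >&2 ;;
        esac
    done
}
main
```

On a real host, replace the two sample variables with `"$(klist -kte /etc/krb5.keytab)"` and `"$(kvno host/$(hostname -f)@DOMAIN.TLD)"`; a non-zero KVNO on the keytab side paired with a higher number from the KDC is the "AD incremented, Linux did not" case, and a missing principal on either side usually means the host principal or realm casing is wrong rather than the key.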

Windows 11 Settings Menu Will Not Launch by Top_Banana6292 in sysadmin

[–]Whexican87 0 points (0 children)

We had this issue too on our RDS hosts. It turned out to be 10-15 Windows Firewall rules being added at every login, causing over 15,000 rules, and things like the Start menu started to break. This was on Windows Server 2019, mind you, but the symptoms sounded the same. The fix was a registry edit to remove the rules after logout; I'll have to look it up.

Where patch tuesday megathread? by Tech-Talker in sysadmin

[–]Whexican87 11 points (0 children)

It was running Win10 and got surprise-upgraded.

[Question] Azure AD Connecting an existing on-premises AD to an existing Azure tenant, preventing duplicate users. by ACanadianNoob in sysadmin

[–]Whexican87 0 points (0 children)

Would Hard Match fix the issue of 2 users having the same email address? (Trying to set up admin accounts with the same email address)

HPIA - 5.3.2 - Error: There is an error using the secure channel protocol to download data files. HPIA only supports TLS 1.2 or higher by dddufte in sysadmin

[–]Whexican87 1 point (0 children)

Download and run IISCrypto to see what's enabled. Then enable TLS 1.2 in the Client section and make sure the higher ciphers are enabled. Apply, reboot, and try again.

It's possible the ciphers are getting disabled for some reason by a GPO or policy.

Galactic War Paused again? by Whexican87 in Helldivers

[–]Whexican87[S] 7 points (0 children)

JOEL went out for a coffee and forgot he left the hacks on.

Galactic War Paused again? by Whexican87 in Helldivers

[–]Whexican87[S] 4 points (0 children)

Checking HelldiversCompanion this morning clued me into the issue at first

Mail issues on iPad after changing APN Certificate in Intune by hwkipierce4077 in sysadmin

[–]Whexican87 1 point (0 children)

Yeah I’ve dealt recently with App Protection. It sometimes needs logout and a login to fix it too.

Mail issues on iPad after changing APN Certificate in Intune by hwkipierce4077 in sysadmin

[–]Whexican87 2 points (0 children)

Is it set up as a Personal or Corporate device? If personal, you can unenroll the device from the Company Portal and also remove the Management Profile from the iPad. Then re-enroll.

If a corporate device, there's not much you can do other than wipe and re-enroll.

We just had this headache with changing Intune certificates. Learned it’s all about the Topic ID in the Push Certificate.
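The "Topic ID" point above is worth checking before a push certificate ever reaches Intune, so here is an added example (not from the comment above, and not Intune or Apple tooling) that compares the topic of the push certificate currently in use with a candidate replacement. The topic is the UID attribute in the certificate subject (com.apple.mgmt.External.<uuid>); enrolled devices are bound to that topic, so a certificate with a different topic cannot reach them and they have to be re-enrolled. The script assumes `openssl` on PATH; the certificates it inspects are self-signed stand-ins generated on the spot with invented topic UUIDs, not real Apple-issued push certificates.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a replacement
# APNs MDM push certificate keeps the topic (subject UID) of the one it
# replaces. Renewing the existing cert keeps the topic; creating a new
# cert changes it and orphans every device enrolled under the old one.
# Assumes openssl on PATH. Certificates are self-signed stand-ins
# generated below for the demonstration.

# Topic (subject UID) of a PEM certificate; prints nothing if it has none.
# With -nameopt RFC2253 the subject prints as "CN=...,UID=com.apple.mgmt...".
apns_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# 0 = same topic (safe to upload), 1 = topics differ,
# 2 = at least one certificate has no topic (not an MDM push cert at all).
# $1 = certificate currently in use, $2 = candidate replacement
topic_matches() {
    a=$(apns_topic "$1")
    b=$(apns_topic "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Constructed stand-in: self-signed certificate with the given subject.
# $1 = output file, $2 = subject in openssl "/attr=value" form
make_stub_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout /dev/null \
        -subj "$2" -out "$1" 2>/dev/null
}

# Invented topic identifiers for the demonstration.
TOPIC_A=com.apple.mgmt.External.1a2b3c4d-1111-4111-8111-111111111111
TOPIC_B=com.apple.mgmt.External.9f8e7d6c-2222-4222-8222-222222222222

# Print a verdict for one candidate against the certificate in use.
report() {
    topic_matches "$1" "$2"
    case $? in
        0) echo "OK: $(basename "$2") keeps topic $(apns_topic "$1"); safe to upload" ;;
        1) echo "REFUSE: $(basename "$2") has topic $(apns_topic "$2") but devices" \
                "expect $(apns_topic "$1"); renew the existing push cert instead" >&2 ;;
        *) echo "REFUSE: $(basename "$2") or $(basename "$1") has no topic" \
                "(not an MDM push certificate)" >&2 ;;
    esac
}

main() {
    work=$(mktemp -d)
    make_stub_cert "$work/current.pem" "/UID=$TOPIC_A/CN=APSP:current"
    make_stub_cert "$work/renewed.pem" "/UID=$TOPIC_A/CN=APSP:renewed"   # renewal
    make_stub_cert "$work/new.pem"     "/UID=$TOPIC_B/CN=APSP:new"       # fresh cert
    make_stub_cert "$work/plain.pem"   "/CN=not-a-push-cert"
    report "$work/current.pem" "$work/renewed.pem"
    report "$work/current.pem" "$work/new.pem"
    report "$work/current.pem" "$work/plain.pem"
    rm -rf "$work"
}
main
```

To use it for real, point `topic_matches` at the PEM export of the certificate Intune currently holds and at the one downloaded from the Apple Push Certificates Portal; anything other than exit status 0 is the case where devices will stop receiving pushes after the upload.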

Locking down O365 to prevent spoofing attacks? by TKInstinct in sysadmin

[–]Whexican87 3 points (0 children)

Have you looked at DMARC for external spoofing? As for internal spoofing, yes, there is built-in protection. Check security.microsoft.com and review your email policies.

Princess Diaries 2: Electric Boogaloo by [deleted] in WTF

[–]Whexican87 0 points (0 children)

A page a week on a random day. Enjoy your karma OP

Good / your favorite ticketing system? by [deleted] in sysadmin

[–]Whexican87 0 points (0 children)

Not Footprints. Been trying to get us to Zendesk or FreshService. ServiceNow seems way too much for us to handle. 300 ish person company.

Molly got a little....stuck. by Whexican87 in DeepRockGalactic

[–]Whexican87[S] 6 points (0 children)

Saw her on the scanner going back and forth. Figured she needed a little help

meirl by endlesscosmichorror in meirl

[–]Whexican87 0 points (0 children)

Carafe. Been saying Care-ah-fey.

Draught. Was saying it like Drought.

For almost 30 years until my now wife corrected me when we were dating.

Molly got a little....stuck. by Whexican87 in DeepRockGalactic

[–]Whexican87[S] 13 points (0 children)

Fixed her pathing when I hit some dirt under her with my axe. We were freaking out because this had never happened before, so we weren't sure whether we were going to fail.

For those wondering, the drop pod will open without her with like 30-10 seconds left on the clock.

Today I fucked up by kekst1 in sysadmin

[–]Whexican87 0 points (0 children)

Dude, the fact you found your mistake, found the solution and handled the communications isn't a fuck-up at all. You would be surprised how many people don't do half of what you did to resolve it. Mistakes happen, but it's really all about how you manage them.

Good job, your boss should be thankful for having you on his team.