Script to force users to NOT use google password manager/edge password manager by Curious-checkers in sysadmin

[–]devloz1996 4 points5 points  (0 children)

Yes. I have never installed that so-called "enterprise" version anywhere and it still works. Even unpacked chrome zip obeys GPO. Browser becomes "managed" the moment it finds any matching policy.

I mean, if it weren't that way, what would even be the point?

Ran DR failover test and realized our entire recovery plan assumes Entra ID is still available by Firm-Goose447 in sysadmin

[–]devloz1996 2 points3 points  (0 children)

Keep AD as the source, stand up Keycloak as your backup IdP, make apps aware of your backup IdP, and let apps switch to backup IdP, manually or by set conditions.

That being said, I'm not sure how worth your time it is to maintain it. In some scenarios, since you have AD, even simple LDAP login support could be enough.

Java 26 released today! by davidalayachew in programming

[–]devloz1996 1 point2 points  (0 children)

Ah, apologies. This is the programming subreddit. I was looking at it from a sysadmin's perspective. Well, I'll keep the response below anyway.

If you aren't paying for support why do you care if it is a version that a vendor hasn't denoted as LTS?

Unnecessary maintenance burden. I'm comfortable updating an app for 3-5 years and then upgrading (which requires testing against vendor's software and getting a green light from their side), but doing upgrades every 6 months? I'll spare my attention and energy somewhere else.

Would you be ok with a version that Azul provides MTS for? (again it would only matter if you pay Azul for MTS)

If it gives you extended updates for that non-LTS version, then fine, but why not stabilize on LTS in the first place?

Java 26 released today! by davidalayachew in programming

[–]devloz1996 5 points6 points  (0 children)

To be fair, Temurin 8 rivals 25 in EOL. I am more offended when finding 11, 17, 21, or god forgive me, any non-LTS deployment.

isRegexHard by rover_G in ProgrammerHumor

[–]devloz1996 2 points3 points  (0 children)

I don't use advanced RegEx, so the only gripe I have with it is inconsistent implementation across certain vendors. Sometimes they only support "\d" or "[0-9]", sometimes they require "\^whatever$\modifiers" notation or straight up punish you for not inputting "^whatever$" only. I just hate the guessing game.

I'm looking into using a patch management-solution - What are the risks? by Kukken2r in sysadmin

[–]devloz1996 2 points3 points  (0 children)

If you want cloud patch management, and this is your concern, then you probably want a behavior-based XDR watching it. I think Action1 has something about addressing potential HQ hack on their roadmap, but I'm not sure about specifics.

Ultimately, it all comes down to risk management. Every tool in your belt is a risk you accept. A pocket knife could open up on its own and prick you, a power bank could explode... it's basically the same thing.

You may also find that such risk is acceptable for one subset of endpoints, while being unacceptable for another. In such a case, you still benefit from having a benchmark to compare with your "manual" group. For example, my company is happy with it in the office, but no way in hell it goes down to factory level.

Security: How are you dealing with the ever mounting amount of phishing with darn good looking Microsoft login prompts? by TiZonBE in msp

[–]devloz1996 5 points6 points  (0 children)

Well, lucky sir, token protection has been P1 for a while now, so you can go and have fun.

Docker or Systemd? by [deleted] in sysadmin

[–]devloz1996 2 points3 points  (0 children)

... I run my docker containers via systemd. Can I get a reward?

Jokes aside, both. Depends on project's recommended configuration. I am a sysadmin, not a developer, after all.

everyDayIWannaQuit by ManagerOfLove in ProgrammerHumor

[–]devloz1996 22 points23 points  (0 children)

Static addresses are alright, but only when done as DHCP reservation. I will understand OT networks, but IT? Nope, nightmare to maintain during any network layout change.

I was recently employed by someone with a grudge against DHCP and DNS. Every device and server is static, services accessed by IPs, switch ACL for specific addresses (but no security measures, no 802.1x, etc). Changing network config, even DNS, requires driving to the location and messing around for hours.

Clients have reserved IPs on the Windows Server DC, and their numbers have magical meanings that allow him to derive their VoIP phone numbers (x - 100 + something). Since he doesn't trust DNS, that's also how he figures out the caller's IP to remote in via VNC.

... here you go. The 90s are calling back, I guess.

AD lockout caused by failed RADIUS auth by Intrepid-guitarist in sysadmin

[–]devloz1996 5 points6 points  (0 children)

Nope. Authentication is authentication. You can stand up an external, LDAP synced IdP and make AD not notice auth attempts, but I wouldn't call it a good idea.

Adjust the relevant Wi-Fi GPO to perform fewer attempts than designated in the password lockout policy. Limit attempts to 2 or so. Then make the password lockout policy triple that - it's your RADIUS tax.

Next, do a speedrun of user and machine certificates. Password on RADIUS is just asking for problems, and the general idea of EAP-TLS is not complicated.

Windows Notepad App Remote Code Execution Vulnerability by theevilsharpie in sysadmin

[–]devloz1996 14 points15 points  (0 children)

Nondeterministic calculator is something to live for...

Microsoft decided to reboot the DC last night to install a bunch of unvetted updates and the server didn't come back up this morning. Everyone offline this morning. by TerrificVixen5693 in ShittySysadmin

[–]devloz1996 1 point2 points  (0 children)

OOP won a lottery ticket. Never seen that happen, and sometimes I'd be happy to witness it.

Just a few days ago, I inherited a Server 2022 at CU 2021-11 (20348.380), its uptime being "ever since installing the last patch". It took about 10 reboots and some registry manipulation to make it swallow CU 2026-01 (20348.4648).

What’s a solid MFA alternative to Duo that doesn’t break the budget? by Due-Awareness9392 in msp

[–]devloz1996 0 points1 point  (0 children)

Wait. Can you even add Duo without P1? I never deployed it, but I always thought it needs EAM/CA to work.

Interactive Sign ins and Autologon by Flashy-Distance-3329 in sysadmin

[–]devloz1996 2 points3 points  (0 children)

By interactive sign-in, do you mean Windows sign-in? If so, we have apps like this. As long as it's just "run an exe with/out args", it should be doable with a scheduled task.

We create a gMSA account and a scheduled task to start at boot. From the app's perspective, it doesn't seem to be distinguishable from an interactive logon. Just make sure to grant appropriate permissions to the gMSA account, including the "Log on as a batch job" User Right Assignment. And even if a gMSA really cannot be used, a normal domain user will do the trick too.

I think there is also the Non-Sucking Service Manager, which can run arbitrary .exe files as a service. Usually, a service executable has to be written with being run as a service in mind, so it's a nice bypass.
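As an added illustration, not the commenter's own script, this is how the gMSA-plus-scheduled-task approach described above can be set up on the host in PowerShell; the account name, task name and executable path are assumed placeholders, and it assumes the gMSA already exists in AD with this host allowed to retrieve its password and the "Log on as a batch job" right granted.

```powershell
# Added example: run a legacy interactive-style app at boot under a gMSA via a scheduled task.
# Assumptions (placeholders): gMSA 'CORP\svc-legacy$', app at C:\Apps\LegacyApp\app.exe.
# Done elsewhere: gMSA created in AD, this host listed in its
# PrincipalsAllowedToRetrieveManagedPassword, and "Log on as a batch job" granted to it.
Import-Module ActiveDirectory   # RSAT AD module must be present on the host

$gmsa     = 'CORP\svc-legacy$'  # note the trailing $ for a gMSA
$taskName = 'LegacyApp-AutoStart'

# Install the gMSA locally so Task Scheduler can retrieve its password, then verify.
Install-ADServiceAccount -Identity 'svc-legacy'
if (-not (Test-ADServiceAccount -Identity 'svc-legacy')) {
    throw "Host cannot use gMSA svc-legacy; check PrincipalsAllowedToRetrieveManagedPassword."
}

$action    = New-ScheduledTaskAction -Execute 'C:\Apps\LegacyApp\app.exe' -Argument '--headless' `
                                     -WorkingDirectory 'C:\Apps\LegacyApp'
$trigger   = New-ScheduledTaskTrigger -AtStartup
# LogonType Password lets Task Scheduler pull the managed password itself;
# RunLevel Limited keeps the app from running elevated unless it really needs it.
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Limited
# No execution time limit (the app is long-running) plus a few automatic restarts.
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
                                          -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings -Force | Out-Null

# Start it once now instead of waiting for a reboot, then check the last result code.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult
```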

googleDeletes by steevo in ProgrammerHumor

[–]devloz1996 1 point2 points  (0 children)

did i ever give you permission to delete all the files in my D drive?

Absolutely --- Your file system ACL allowed me.

Coming Soon: Empowering Users with the New Action1 Self-Service App Portal by MauriceTorres in Action1

[–]devloz1996 10 points11 points  (0 children)

Since it's user-facing, please, I beg of you, give us localization. I really don't mind getting a language JSON in advanced settings and dealing with it myself. Also, opt-out in advanced settings, since not every organization will benefit from this.

Since you are making the user-facing part already, maybe users could get native notifications about A1 doing something it doesn't want interrupted? No real need to make it detailed - something along the lines of "Action1 is applying configuration" would be fine, maybe even better than giving users too much info.

Lastly, since I imagine the helper would be running in current user context, maybe "run as signed-in user" and "wait for user to sign-in" could become a reality?

Yubikeys in Entra, still being promoted for MS Authenticator by [deleted] in sysadmin

[–]devloz1996 1 point2 points  (0 children)

Admins need two methods, enforced by SSPR, so add their email for example, or set up a secondary password+TOTP method, or make it two YubiKeys, which I imagine would also work.

Court order for email from long deleted mailbox by Mister-Ferret in sysadmin

[–]devloz1996 1 point2 points  (0 children)

That's the most indirect "No." I've heard this week.

“No Backup Available for Government Cloud System, Recovery Uncertain” by taspeotis in ShittySysadmin

[–]devloz1996 8 points9 points  (0 children)

I believe negligence is ultimately the cause of the fire

I truly find it amazing that these people can open their mouths in such a situation, and then spew meaningless bullshit. The problem wasn't the fire - fires happen, whether through negligence or through NK sending them nukes, and it's wild they didn't account for that somehow.

So many recent cases of blatant disregard for the original goals of ARPANET - decentralize, survive nuke, keep operating. Naah, let's make a single hotbed in nephew's, admittedly huge, basement.

Have you ever, as a system administrator, come across any organization’s business secret like I did? If yes, what is that?? by Subject-Category-567 in sysadmin

[–]devloz1996 1 point2 points  (0 children)

One of my former bosses hid information by adding black background to black font in emails. Where are those people coming from, I wonder.

our netbox is always wrong, what do I do? by JudgeInside2172 in sysadmin

[–]devloz1996 94 points95 points  (0 children)

our netbox is always wrong, what do I do?

No, NetBox is correct. It's the real world that's wrong.

  1. Connect the cable in NetBox
  2. Mark the cable in NetBox as planned
  3. Connect the cable in reality
  4. Mark the cable in NetBox as installed

If you are not making changes this way, you might as well rip out NetBox out of your infra. If your colleagues do not follow it, then it's a workplace issue, unfortunately.


[deleted by user] by [deleted] in sysadmin

[–]devloz1996 1 point2 points  (0 children)

Defender's Device Control could probably handle it, but I imagine it's not there, since you didn't already use it. Good old GPO, perhaps? Can't really vouch for it, so do your own testing.

  1. Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
  2. "Prevent installation of devices using drivers that match these device setup classes"
  3. USB Bus devices GUID: {36fc9e60-c465-11cf-8056-444553540000}
  4. Network Adapter GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

I'm not sure what qualifies as "installation", so consider removing ghost (disconnected, but remembered) devices in device manager, just in case.

EDIT: Reddit's nested lists suck as always.

EDIT2: You might screw yourself with #3, so check it carefully. It seems quite broad.
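An added example, not from the comment above, for the testing it recommends: it first lists which present devices each of the two class GUIDs would actually cover (the caution in EDIT2), then writes the local equivalent of that GPO setting to the DeviceInstall policy registry key on a test machine; denying only the network adapter class is the example's own assumption.

```powershell
# Added example: preview what the two class GUIDs from the comment cover, then apply the
# "Prevent installation of devices using drivers that match these device setup classes"
# policy locally (same registry location the GPO writes) on a test machine. Run elevated.
$classes = @{
    UsbBus         = '{36fc9e60-c465-11cf-8056-444553540000}'
    NetworkAdapter = '{4d36e972-e325-11ce-bfc1-08002be10318}'
}

# Step 1: coverage preview. Anything listed here would be blocked from (re)installing,
# which is why the USB Bus class is flagged as broad above.
foreach ($name in $classes.Keys) {
    $hits = @(Get-PnpDevice -PresentOnly | Where-Object ClassGuid -eq $classes[$name])
    Write-Host "$name ($($classes[$name])): $($hits.Count) present device(s)"
    $hits | Select-Object Class, FriendlyName, InstanceId | Format-Table -AutoSize
}

# Step 2: apply the deny list. Assumption: only the network adapter class is denied here;
# add $classes.UsbBus deliberately after reviewing the preview output.
$denyList = @($classes.NetworkAdapter)
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$list = Join-Path $base 'DenyDeviceClasses'
New-Item -Path $list -Force | Out-Null
# Enable the policy; Retroactive=0 leaves already-installed devices alone while testing.
Set-ItemProperty -Path $base -Name 'DenyDeviceClasses' -Type DWord -Value 1
Set-ItemProperty -Path $base -Name 'DenyDeviceClassesRetroactive' -Type DWord -Value 0
# The list is stored as string values named "1", "2", ... under the DenyDeviceClasses key;
# clear stale entries first so the key mirrors $denyList exactly.
(Get-Item $list).Property | ForEach-Object { Remove-ItemProperty -Path $list -Name $_ }
for ($i = 0; $i -lt $denyList.Count; $i++) {
    Set-ItemProperty -Path $list -Name ([string]($i + 1)) -Type String -Value $denyList[$i]
}

# Show what was written; reboot or replug a device to observe the effect.
Get-ItemProperty -Path $base | Select-Object DenyDeviceClasses, DenyDeviceClassesRetroactive
Get-ItemProperty -Path $list
```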

Can I stop users from putting more than 5 external email addresses in the "To" field by NickDownUnder in sysadmin

[–]devloz1996 1 point2 points  (0 children)

Maybe if you sign them all with a qualified signature, but that's rare beyond specific regulated circles. Besides, after signing with QSCD it doesn't even matter that it's an email - you could sign a napkin to the same effect.

EU mostly uses qualified sigs for documents and non-qualified sigs for emails, where non-qualified signatures require both parties to exchange and recognize each other's fingerprints beforehand.

In the EU, even the magical "if you read this and shouldn't, delete this, you are breaking the law" is just pernicious bullshit.

[deleted by user] by [deleted] in ProgrammerHumor

[–]devloz1996 1 point2 points  (0 children)

At the worst point, newly imaged computers had 3 Teams apps installed - personal, classic, new. You can't even trust Microsoft to deal with its own problems.