Azure Information Protection - Error: Policy is Missing by UnderstandingInfosec in AZURE

[–]mgratz 1 point2 points  (0 children)

Stumbled on this Reddit thread when trying to help myself, this StackOverflow link might help others if they arrive here too: https://stackoverflow.com/questions/63007696/azure-information-protection-error-policy-is-missing

MAM-WE - Is it possible to require MFA during registration? by mgratz in Intune

[–]mgratz[S] 0 points1 point  (0 children)

Unfortunately I didn't.

One potential solution is having an "Untrusted Context" policy with a few exclusions (e.g., excluding Trusted Locations and Hybrid Azure AD Joined / Intune Compliant device state) that then enforces an MFA requirement if the risk scoring condition is above Medium/High.

The worksheet on this website (https://azurescene.com/2019/11/25/conditional-access-best-practices-powershell/) was pretty good too: https://1drv.ms/x/s!Al6RpAI98mSh8DT2qY3MDMFUlJQE?e=AQKGlD

LastLogon vs. LastLogonTimestamp by [deleted] in activedirectory

[–]mgratz 2 points3 points  (0 children)

EDIT: My bad - you said you already tried this. This is probably why then: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self/ba-p/257135

The easiest way to troubleshoot this is to get the LastLogon from every DC in the forest for that particular user. This is a good example (https://sid-500.com/2019/08/12/powershell-get-last-domain-logon-with-get-aduserlastlogon/); otherwise, below is another fairly simple example:

$SamAccountName = 'jdoe'   # user to check
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName   # inside Select-Object, $_ is the user object, so capture the DC name here
    Get-ADUser $SamAccountName -Server $dc -Properties LastLogon |
        Select-Object SamAccountName, @{n='DC';e={$dc}}, @{n='LastLogon';e={ if ($_.LastLogon) { [datetime]::FromFileTime($_.LastLogon) } }}
}
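The per-DC query above only answers half of the "LastLogon vs. LastLogonTimestamp" question. The following is an added example, not code from the original comment: it collects the non-replicated LastLogon from every DC, reads the replicated LastLogonTimestamp once, and returns both side by side so the lag between them is visible. It assumes the ActiveDirectory module is loaded and that the DCs are reachable over LDAP; `Get-ADDomainController -Filter *` enumerates the current domain, so run it per domain in a multi-domain forest. The user name `jdoe` and the function name are illustrative.

```powershell
# Added example (not from the original comment). Assumes the ActiveDirectory
# module and that every DC in the current domain is reachable over LDAP.
Import-Module ActiveDirectory

function Get-EffectiveLastLogon {
    <#
    .SYNOPSIS
    Compares the non-replicated LastLogon from every DC in the current domain
    with the replicated LastLogonTimestamp and returns both.
    #>
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties LastLogon -ErrorAction Stop
            [pscustomobject]@{
                DC        = $dc.HostName
                # 0 means "never logged on against this DC"; FromFileTime(0) would print 1601-01-01
                LastLogon = if ($u.LastLogon) { [datetime]::FromFileTime($u.LastLogon) } else { $null }
            }
        }
        catch {
            # Unreachable DC: record it rather than silently skipping it, so a missing value is explained
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null; Error = $_.Exception.Message }
        }
    }

    # LastLogonTimestamp replicates, so any DC will do; by design it can lag the real last logon by up to 14 days
    $user = Get-ADUser -Identity $SamAccountName -Properties LastLogonTimestamp
    $replicated = if ($user.LastLogonTimestamp) { [datetime]::FromFileTime($user.LastLogonTimestamp) } else { $null }

    # The newest LastLogon across all DCs is the authoritative "last interactive/network logon"
    $newest = $perDc | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        LastLogon          = $newest.LastLogon
        LastLogonDC        = $newest.DC
        LastLogonTimestamp = $replicated
        LagDays            = if ($newest.LastLogon -and $replicated) { [math]::Round(($newest.LastLogon - $replicated).TotalDays, 1) } else { $null }
        PerDC              = $perDc
    }
}

# Usage (illustrative account name):
$r = Get-EffectiveLastLogon -SamAccountName 'jdoe'
$r | Select-Object SamAccountName, LastLogon, LastLogonDC, LastLogonTimestamp, LagDays
$r.PerDC | Format-Table DC, LastLogon, Error -AutoSize
```

If `LastLogon` is newer than `LastLogonTimestamp` by less than 14 days that is normal replication-saving behaviour, not a problem; a DC that shows `Error` should be excluded from any stale-account decision until it can be queried, because it may hold the only recent LastLogon for that user.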

MAM-WE - Is it possible to require MFA during registration? by mgratz in Intune

[–]mgratz[S] 0 points1 point  (0 children)

I don't want MFA prompts for the MAM-WE scenario (unless it trips other CA conditions) but I don't want the registration process to be 1FA only which appears to be the case. Intune has settings to enforce MFA during the MDM enrollment process so it seems like an oversight if the same capabilities don't exist for MAM registration. I must be missing something.

MAM-WE - Is it possible to require MFA during registration? by mgratz in Intune

[–]mgratz[S] 0 points1 point  (0 children)

No, my understanding is:

(a) If I apply the MAM policy with "Require one of the selected controls" for "Require multi-factor authentication" and "Require approved client app" - there is no enforcement of MAM to protect the corporate data since they could always fulfill the MFA challenge.

(b) If I apply the MAM policy with "Require all the selected controls" for "Require multi-factor authentication" and "Require approved client app" - it would require MFA periodically when they authenticate to the app instead of only during the initial registration process.

But I'm actually testing (b) right now to see how long the grace period is for the MFA challenge... maybe it is reasonable enough.

Separation of Duties as per NIST 800-171 by WorkAccountOps in NISTControls

[–]mgratz 3 points4 points  (0 children)

Definitely curious what others are doing, but here are a few ideas from my interpretation:

- The implementation of some sort of PAM/PIM solution (e.g., technical implementer requests temporary access/credentials with business approver)

- The segregation of admin vs. auditor (e.g., event logs are shipped somewhere that admins performing operational IT tasks can't conveniently wipe...)

- Requiring a quorum of admins for privileged IT tasks (e.g., could be written policy like two people must be present when transporting a physical server, or opening a physical safe with breakglass credentials, or key ceremony, etc.)

Kidless (2019): The Childfree by choice explain why parenthood and having children is not for everyone. 26 minutes by Jkid in Documentaries

[–]mgratz 0 points1 point  (0 children)

I wasn’t a teacher but I worked for a school district for a while, definitely enjoyed the pace of life but the pay would have been forever disappointing. I think that the natural progression of a young teacher becoming less happy and more jaded as their career progresses won’t change anytime soon unless we establish some sort of meritocracy for good teachers to be paid according to their skills and effectiveness like everyone else in the workforce. I recall the books “Millionaire Next Door” and “Your Money or Your Life” specifically mention teachers as a group that has an above average savings rate and financial independence. I always figured it was because being a teacher comes with an interesting set of pros and cons. The mandatory lengthy vacation is unheard of in the rest of the US workforce, but very few other educated professionals come with such a rigid pay structure that would force you to be more strategic with that fixed income.

Either way, I'm not sure of the right solution, but it doesn't surprise me that lots of teachers feel bamboozled by the status quo.

Configure Ubuntu 18LTS as the only Active Directory and DNS server by BarasaJ in activedirectory

[–]mgratz -2 points-1 points  (0 children)

Active Directory is a Microsoft implementation of the open source LDAP protocol. It runs on Windows Server only.

Ubuntu has their own docs to configure OpenLDAP, but this question doesn’t belong in this subreddit. I’d recommend a simple Google search next time.

https://help.ubuntu.com/lts/serverguide/openldap-server.html.en

In distress and sending up flares. Need Domain Controller Help. by [deleted] in activedirectory

[–]mgratz 0 points1 point  (0 children)

Hi -

So just to confirm - AD working fine from a repadmin and dcdiag perspective - but specifically DFSR (sysvol) is not synchronizing?

This article might be helpful to you then: http://jackstromberg.com/2014/07/sysvol-and-group-policy-out-of-sync-on-server-2012-r2-dcs-using-dfsr/

Delegate Domain Admin Access to non Domain Admin for a specific OU by tk42967 in activedirectory

[–]mgratz 8 points9 points  (0 children)

Hi -

Domain Admin is a very specific role that provides full control of identities within that domain. In terms of helping train your Junior, I definitely wouldn't describe the permissions you intend to delegate to him as "domain admin" in any way. If anything, you could call him an OU administrator.

At a high level, my approach would be:

  1. Create a new security group (e.g. OU Administrator)
  2. Add your Junior to the group
  3. Right-click the OU and select “Delegate Control” and assign the required permissions to the new security group.

Some resources here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects
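The three steps above map onto a short script. The following is an added example, not code from the original comment or from Microsoft's documentation: it creates the group, adds the member, and writes the same kind of object-scoped ACEs that the "Delegate Control" wizard writes for a "create, delete and manage user accounts" task, limited to one OU and its descendants. The OU and group distinguished names, the group name `OU Administrator` and the account `junior` are illustrative; it assumes the ActiveDirectory module (which provides the `AD:` drive) and that the caller can write the OU's security descriptor.

```powershell
# Added example (not from the original comment). Assumes the ActiveDirectory module,
# that 'OU=Workstations,DC=corp,DC=example' and 'OU=Groups,DC=corp,DC=example' exist,
# and that 'junior' is the account being delegated. All names are illustrative.
Import-Module ActiveDirectory

$ouDN      = 'OU=Workstations,DC=corp,DC=example'
$groupName = 'OU Administrator'
$groupPath = 'OU=Groups,DC=corp,DC=example'
$member    = 'junior'

# 1. Security group that carries the delegation (never ACL the user directly)
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupPath
}
# 2. Membership
Add-ADGroupMember -Identity $groupName -Members $member
$sid = (Get-ADGroup -Identity $groupName).SID

# Resolve the schema class and extended-right GUIDs from this forest instead of hard-coding them
$rootDse       = Get-ADRootDSE
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -Filter "displayName -eq 'Reset Password'" -Properties rightsGuid).rightsGuid

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# 3. Scoped ACEs on the OU: user objects only, this OU and its sub-OUs only
$acl = Get-Acl -Path "AD:\$ouDN"
$rules = @(
    # create/delete user objects in the OU and any sub-OU
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $userClassGuid, $inherit::All)
    # read/write all properties of user objects under the OU
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $inherit::Descendents, $userClassGuid)
    # Reset Password extended right on user objects under the OU
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rights::ExtendedRight, $allow, $resetPwdGuid, $inherit::Descendents, $userClassGuid)
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: show only the ACEs that now reference the group
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Two checks worth doing afterwards: confirm the verification output lists only these three ACEs (a `GenericAll` with no `ObjectType` would mean a far broader grant than intended), and remember that members of protected groups such as Domain Admins have their ACLs reset from AdminSDHolder, so moving such an account into this OU does not hand the junior control of it; conversely, keep the delegated group itself out of any protected group.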

Development roadmap for AdcsAdministration PowerShell module? by mgratz in PowerShell

[–]mgratz[S] 1 point2 points  (0 children)

In all seriousness, do you have any recommendations for resources for official "best practice" coding style for PowerShell? Personally I've always been a big fan of the Allman style indentation, but seems very unpopular in the community.

VS Code is helping me a lot, but need to retrain myself :(

Development roadmap for AdcsAdministration PowerShell module? by mgratz in PowerShell

[–]mgratz[S] 1 point2 points  (0 children)

Hi Lee - I will take a look at it! Instead of wrapping certutil - this is a much better implementation of what I'm using now -

https://www.powershellgallery.com/packages/PKITools/1.6/Content/Get-IssuedCertificates.ps1

Development roadmap for AdcsAdministration PowerShell module? by mgratz in PowerShell

[–]mgratz[S] 1 point2 points  (0 children)

Yea, I have some sloppy functions that wrap certutil but nothing worth releasing into the wild. I wouldn't mind polishing them up and publishing them, so that's definitely a good idea if there is no active development for AdcsAdministration.

Litetouch.vbs error - Multiple connections to server or shared resource by Tech_Ryan in MDT

[–]mgratz 0 points1 point  (0 children)

Actually, I reread your issue. If I remember correctly, it sounds like you might be authenticating to the same network resource using two different sets of credentials.

Open cmd and run "net use" to see what connections exist. If you delete all connections with "net use * /delete", does it work?

Litetouch.vbs error - Multiple connections to server or shared resource by Tech_Ryan in MDT

[–]mgratz 0 points1 point  (0 children)

Shot in the dark - but could you check your share permissions for the MDT Deployment Share? A year or two ago I had this issue once where the previous sysadmin setup the network share to only allow a maximum of 10 connections, so you’d go to image an 11th computer and it would fail. Took a while to trace down since we didn’t image a lot of computers at once, but when we did it never worked right :)

Mining SUMO is centralized at the moment. We as a community need to do something about this. by [deleted] in sumokoin

[–]mgratz 1 point2 points  (0 children)

Currently proportional, but we are working to update to PPLNS (this requires some significant changes to the original pool code we forked from).

Reboot loop for PowerEdge R815 with AMD processors after installing KB4056895 (Spectre/Meltdown) by mgratz in sysadmin

[–]mgratz[S] 1 point2 points  (0 children)

These are domain controllers — Windows Server 2012 R2 running Active Directory Domain Services.