Posts made by Mike Davis

Start with the tour. See what he has questions on, or what causes blank stares. See what he's interested in. See if you can find a project that works with his interests.

The backstory: I have a VMware horizion/View environment in place for remote access and for our training room. The company has downsized and I don't think it's practical to support anymore.

The users all have physical machines they can RDP to for remote access. (I'm planning on setting up RD web access and RD Gateway)

They had a training room with 12 Wyse P20 Zero clients. If I downgrade the firmware to v 3.x they support RDP. Without the user editing the settings on the P20, how can I have them log in and then RDP back to their desktop? I guess I'm looking for a connection manager that will let me specify the default machine for each user. Can someone point me in the right direction?

I haven't used Bitlocker before. Has anyone rolled it out on Windows 10? For those that have deployed it in a domain environment, is it pretty straight forward? Does it work like it should or is there the 1 in 10 laptop that won't run the .vbs script to turn it on?

@JaredBusch said:

As an outsourced IT Service Provider, we cannot be always available to clients to handle this need in as timely a fashion as needed at times (i.e. the owner says he needs his cat pics screensaver installed now).

The compromise we have come up with is a domain account that is added to the local administrators group in AD.

I'm in the boat and also use group policy to push a local admin account to the machines through group policy. If a machine (esp laptops) decides it doesn't want to log in to the domain, you can just log in with the local account and get it going.

Actually I just looked at my install folder, and you don't get a .msi from that. But you can install office without having to go through the portal. Will it fix your click to run install thing? I'm not sure. I just used that tool when I didn't want to log in to the portal manually on every machine I wanted to put office on. I was searching for a .msi and never found it.

You need the Office 2016 Deployment tool to get a .msi:
https://www.microsoft.com/en-us/download/details.aspx?id=49117
You set up a folder on your server, configure the .xlm file, run the command line to download the install, and then run it again with a different switch to install Office on the client.

So if the form is submitted and then the receiver prints it out and deletes it, the information moves across the internet and is protected by SSL, but the data isn't sitting in a google account that can get hacked. (forcing 2 factor would be even better)

@Jason I'm just looking for a secure way to get their SSN across the internet.

Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

@scottalanmiller said:

I use encrypted PDF all the time and don't even have any Adobe products at all. On Linux, Encrypted PDFs open natively. I know that my CPA uses them and they don't have issues with clients opening them or responding in them.

On Linux, I can fill in a form and return it encrypted, I believe, just by default.

Searching on the web it seems that on a Mac there is native support, but not on Windows...

I already created the form and "extended it" so that it's a fill in form and saveable. Something that only an actual Adobe product will let you do. I can encrypt it with a password there, but it seems that the person opening it would need the password to open it. Then they would fill it out, save it, and send it back. At that point I would open it with the password. Since the password would have to be sent with the form (I suppose it could be sent out of band, but this isn't practical for our group) it defeats the point of encrypting it.

I'm looking for a way to allow the person to encrypt it automatically when they save it with my public key so that I'm the only one that can open it when they are done filling it out.

As far as liability, the organization has a background company and the checks are completed by that company, but we have to have the forms on file for the auditors.

MaxFocus and ScreenConnect both offer remote control, but MaxFocus also offers patch management and system checks, and I haven't found those in ScreenConnect. I could be missing somethig since I've only been using ScreenConnect for a couple weeks and I've used Max Focus for a couple years.

I have a client that has a background check form (created with Acrobat Pro as a fillable & saveable form) they want to be encrypted after the end user fills it out so that it's encrypted when they send it back. From what little I've read, you have to have Acrobat Standard or better (not reader) to encrypt a .pdf, and that's just to open it, not to let some one fill it in and then encrypt it with your key and send it back.

If the forms were purely electronic, it would seem that a secure website form would be the better way to go, but some people choose to print the form, fill it in by hand, and mail it.

Can anyone recommend a solution?

To see if I could reproduce the error by moving the account from the default Users folder back to the OU where it was I discovered that when I moved it to the Users folder the error went away. I put the user back in the OU where it came from and the error won't come back. I agree - weird indeed.

In summary, I guess if I move those users to the Users folder and back where they came from, the problem should be resolved. I'll have to test on a couple other users.

Regarding the scope of the RDS license server, the only scope options are entire domain or entire forest.
https://technet.microsoft.com/en-us/library/cc725729.aspx

I just went and looked at some other domains I set up and I did create real OUs outside of the Users folder and everything is working right. I'll look in to the scope of the RDS server and see if it can be changed. It might be the only app that doesn't like the users in other OUs.

After doing everything the articles said and rebooting the server, when it still wasn't working, I wondered if it had something to do with not being able to write to those attributes, so I created a test account in the users OU, and it worked. Checking the license log, I noticed that the server had been giving out licenses properly, but not for all accounts. Then I went through the log again and discovered that all the 4105 errors were generated by accounts that were not in the default Users OU.

Has anyone had any issues with user accounts being outside the default User OU in Active Directory? I've run in to this a couple of times. This last time was with a RDS license server. (see http://mangolassi.it/topic/8338/rds-license-server-remove-temp-licenses) I can't remember what the other issues were, but generally I just create folders under the Users OU if I feel there is a need to break things up for delegation or tasks like that.

I figured out what was triggering the 4105 error. It was only triggering that error when the user account that was logging in was not in the default Users OU. If the user account was in another OU outside of Users, it would allow them to login, but trigger that error, and not increment them in the user report. Basically switching the server licensing mode from device to user and making sure the AD attributes for terminal server had been give write delegation by the terminal server license server took care of the original issue.

@Breffni-Potter said:

https://www.ubnt.com/edgemax/edgerouter-pro/

Watch the video, skip ahead to 30 seconds in to watch "Cysco" sales reps being beat up...

That was the best commercial I've seen in a long time.