
    Posts

    • RE: Helpdesk - PC replacement routines

      @annalynnetech said in Helpdesk - PC replacement routines:

      Being newly appointed administrative head of a PC support team I must firstly stress that I am out on a limb here, not being technical at all.

      However I have noticed that my team (yes short on resources and we are hiring) spend a lot of time on PC installations and replacements, helping the users settle in on their new device.

      All new PCs are preinstalled at our PC vendor and with the most common SW already in place. However it is not unusual for our supporters to spend at least an hour helping the users with configuring mail etc.

      My management finds it in order as they argue it saves time for the end users. I am just wondering/hoping there were a better/faster way to get the users settled in. Note that this is not related to data but all the local UI and application settings, shortcuts etc.

      Again I apologize if this is not the right forum to ask. Any directions most appreciated.

      I think you should have two different procedures.

      The first for installing and configuring the user's computer. That should be done before the user even sees it. It's now 100% ready to go.

      This should be done with automation, meaning scripts that do things automatically so you don't have to do the same work over and over again.

      The second is for hand holding the user.

      Here you could save some time by making a few introduction videos that show the things that users usually ask about or need to know.

      posted in IT Discussion
      1
      1337
    • RE: Proxmox hates security

      @scottalanmiller said in Proxmox hates security:

      @Pete-S said in Proxmox hates security:

      @scottalanmiller said in Proxmox hates security:

      @Pete-S said in Proxmox hates security:

      I'm not saying Proxmox is insecure, I'm just saying it wasn't designed with security as its primary focus.
      KVM by default for instance is managed by libvirt and by default doesn't open any tcp ports at all. That gives the administrator the option to decide what level of security versus convenience they want.

      Ignoring "by default" in that, ProxMox can be the same. You can close everything up and only manage however you like. You don't have to use the web interface on it, it can be totally shut down. Obviously defeating lots of the purpose, but plausible.

      I spend far more time on ProxMox via command line via MeshCentral than via the web interface and the web interface, while we don't lock it down from the LAN in most cases (we run a LOT of ProxMox these days) we primarily access it from the PM host itself from a jump box running on top of it for the cases when the web interface is needed. So while we don't go to the degree of locking it off from the LAN, we could and we wouldn't notice the difference most of the time.

      That's not a default, so obviously totally different. But it's a really simple setting.

      That's good to know.

      We don't use gui anymore either but we're moving away from pre-packaged hypervisors and to pure KVM with libvirt compatible management tools.

      We have found that to be the best solution for our use case (high degree of automation and customization).

      I'd like to see that for sure. There's a lot of benefit to that, potentially at least.

      We're automating a lot.

      But the real problem is not the automation itself. The real problem is that automation and standardization are time consuming.

      posted in IT Discussion
      1
      1337
    • RE: How to use different accounts on the same website/service with profiles

      @Danp said in How to use different accounts on the same website/service with profiles:

      With Firefox, you also have the option of using the Multi-Account Containers extension.

      That's good to know. Seems to be a Mozilla extension as well, so not 3rd party.

      Could be a good alternative to profiles in Firefox since profiles is a somewhat hidden feature.

      posted in IT Discussion
      1
      1337
    • RE: Bind Linux Process to Well Known Web Ports When Not Root

      @scottalanmiller said in Bind Linux Process to Well Known Web Ports When Not Root:

      If you have ever tried to run a user space program on Linux with a port below 1024 you know that this is a security problem and you are not allowed to do so. There is a simple fix for this, but it is not well known.

      Once you know the binary that you will be using to open the low number (well known) port you can use this command to grant it permission to use these ports without otherwise compromising security.

      setcap cap_net_bind_service+ep /my/binary/file
      

      Now you can run your application. This is most commonly used for user space web applications that want to use port 80 or 443 without requiring that you run a reverse proxy in front of them.

      Good to know!

      I found this as an example of how to use it and also commands to remove the permission:
      https://cwiki.apache.org/confluence/display/HTTPD/NonRootPortBinding

      The setcap utility seems to be available in the libcap2-bin package on Debian distros.

      I haven't checked if it's installed by default.

      posted in IT Discussion
      1
      1337
    • RE: WordPress Site Lost Its Mind - Ten Minutes of Maintenance Over and Over Again

      @scottalanmiller said in WordPress Site Lost Its Mind - Ten Minutes of Maintenance Over and Over Again:

      @PhlipElder said in WordPress Site Lost Its Mind - Ten Minutes of Maintenance Over and Over Again:

      @scottalanmiller If the timing is regular then look for a chron job running at that time. Or, is it "cron"? Meh ... *NIX skillset is pretty green.

      We found it. Basically what it was was....

      A PHP cycle job for a plugin to auto-update. But the plugin had some problem and couldn't update and would fail. So it never stopped attempting to update and it went into this death spiral that every ~12 hours or so, it would do this thing, kill the site for 9 minutes, and give up and return to normal.

      So cron-like job, but seems to have been PHP-Cron or similar.

      It's WP-cron that I also linked to in an earlier post.

      Basically it's WP's version of the system cron job.

      Difference is that WP was made to run on shared servers without having access to the underlying OS. So for each web page access WP will check if it also has to run some scheduled job as well.

      After it has done that it waits 12 hours by default until next time. WP can only run when you have a web page request executing it so you can't predict exactly when it's going to happen.

      The real solution is to invoke scheduled jobs from the OS and only do so during the night or whenever it is suitable since WP shuts down the site when doing upgrades.

      This is how you do that:
      https://developer.wordpress.org/plugins/cron/hooking-wp-cron-into-the-system-task-scheduler/

      posted in IT Discussion
      1
      1337
    • RE: User migration to azure

      @Dashrender said in User migration to azure:

      @Pete-S said in User migration to azure:

      @lilyleiden said in User migration to azure:

      We just tested migrating a small batch of test users to our new Azure tenant.

      While migrating the PC/user account was no problem, the fact that people get a completely blank user profile, certainly was a showstopper!!

      Many of our users have had their AD profile for years, even a decade and have a lot of individual settings, ways to work, shortcuts, quick links, favorites/browser cached passwords etc. and they lose all that.
      Management has currently halted the process due to the protests.

      So I am on the lookout for a way to link/migrate the old profile/profile settings, when Azure joining the PC?

      I would use this as an opportunity to remove unneeded customizations and old ways of doing things and introduce new ways of working instead.

      For instance is it really wise to rely on browser cached passwords? To me that's a signal that you need to look over your password management policy. Maybe your users need a real password manager or set up SSO to apps they're using.

      I'm really on board with this! We don't migrate when people get new machines, that said - we have few users that do much customization to their setup...

      Yes and it's also a question of setting the right expectations. For instance saying: IT allows users to customize their desktops but will not provide support for it. New machines, reimaged desktops, upgrades etc will reset everything to company default.

      posted in IT Discussion
      1
      1337
    • RE: ZeroTier rules to limit freelancer access

      @JaredBusch said in ZeroTier rules to limit freelancer access:

      Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.

      That makes sense.

      However that can be as simple as using each server's firewall to block rdp/ssh from everything but zerotier.
      That prevents moving horizontally from one server to another.

      That being said, I know little about zerotier. I would however also look at cloudflare access solution. They have some very interesting solutions for managing users and access to internal resources. Some of them are free as well. I've been trying to give it a go but haven't had the time yet.
      https://www.cloudflare.com/products/zero-trust/access/

      posted in IT Discussion
      1
      1337
    • RE: ZeroTier rules to limit freelancer access

      @dafyre said in ZeroTier rules to limit freelancer access:

      @Pete-S said in ZeroTier rules to limit freelancer access:

      @JaredBusch said in ZeroTier rules to limit freelancer access:

      Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.

      That makes sense.

      However that can be as simple as using each server's firewall to block rdp/ssh from everything but zerotier.
      That prevents moving horizontally from one server to another.

      Again after I've connected to SERVER5 via ZT, how do you prevent me from accessing SERVER1-4 and SERVER6-15 -- or any other internal resource since the server I'm connecting to is already inside your network's main firewall?

      Let's call zerotier a VPN for simplicity and let's say we want to control ssh network access.

      You prevent network access on ssh from SERVER1 to SERVER2 by setting the OS firewall on SERVER2 to only allow ssh from IPs on the VPN subnet.

      That means you can reach each server's ssh port from VPN, but not from anywhere else. So if you ssh into one server through VPN, you can't ssh from there to the next server.

      posted in IT Discussion
      1
      1337
    • RE: ZeroTier rules to limit freelancer access

      @scottalanmiller said in ZeroTier rules to limit freelancer access:

      @Pete-S said in ZeroTier rules to limit freelancer access:

      You prevent network access on ssh from SERVER1 to SERVER2 by setting the OS firewall on SERVER2 to only allow ssh from IPs on the VPN subnet.
      That means you can reach each server's ssh port from VPN, but not from anywhere else. So if you ssh into one server through VPN, you can't ssh from there to the next server.

      That might not work. Two problems that I can think of...

      1. Each device is on the VPN and has a VPN IP address. So server to server communications can happen via VPN IPs. So it would potentially end up being allowed. ZT is specifically a VPN designed to be used for local, as well as distant, communications so we expect even local server to server traffic to still traverse the VPN, just not the router.

      2. There might be a need for other users to SSH between servers or the servers themselves to communicate over SSH. This isn't stated, so it is only a possibility. But we have to consider that we might be blocking more than requested if we get this behaviour to work.

      It's very easy to make it work. Zerotier makes it slightly more complicated than a perimeter firewall with VPN because every server becomes dual homed. So you have to firewall zerotier as well or rely on the stateless zerotier flow rules.

      Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.

      It's likely not ssh the OP is trying to do access control on though. I just used it as an example.

      posted in IT Discussion
      1
      1337
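
The host-firewall approach discussed in the ZeroTier posts above, written out as an added example (not part of any poster's reply). It assumes Linux servers using nftables, ZeroTier interfaces named `zt*`, and a constructed ZeroTier subnet `10.147.17.0/24` with two constructed client addresses; the weak "whole VPN subnet" rule is kept as a comment next to the narrower rule that accounts for every server being dual homed.

```nftables
#!/usr/sbin/nft -f
# Constructed example: per-server SSH policy for a host that is dual homed
# (LAN NIC + ZeroTier interface). All addresses below are made-up samples.

# Recreate only this table on reload; other tables are left untouched.
table inet ssh_segmentation
delete table inet ssh_segmentation

table inet ssh_segmentation {
    # ZeroTier-assigned addresses of the client devices allowed to SSH in.
    # Deliberately NOT the whole ZeroTier subnet: the servers are members
    # of the same ZeroTier network and hold addresses in that subnet too.
    set ssh_clients {
        type ipv4_addr
        elements = { 10.147.17.10, 10.147.17.11 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Packets belonging to sessions that were already accepted.
        ct state established,related accept

        # Weak variant (left commented out): trusts every ZeroTier member,
        # so SERVER1 can still reach SERVER2 over its own ZeroTier address.
        # iifname "zt*" ip saddr 10.147.17.0/24 tcp dport 22 accept

        # Narrow variant: SSH only from the listed client devices, and only
        # when the packet arrives on the ZeroTier interface.
        iifname "zt*" ip saddr @ssh_clients tcp dport 22 accept

        # Any other SSH attempt is logged and dropped, whether it comes
        # from the LAN or from another ZeroTier member (IPv4 or IPv6).
        tcp dport 22 log prefix "ssh-segmentation drop: " drop
    }
}
```

The file can be syntax-checked with `nft -c -f <file>` before loading it with `nft -f <file>`. Any server-to-server SSH that is actually required has to be added to the set explicitly, since this policy blocks it by design.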
    • RE: DISM /Remove-ProvisionedAppxpackage vs Remove-AppxPackage?

      @Obsolesce said in DISM /Remove-ProvisionedAppxpackage vs Remove-AppxPackage?:

      @Pete-S said in DISM /Remove-ProvisionedAppxpackage vs Remove-AppxPackage?:

      I'm trying to clean up some unneeded Windows 10 apps. But I'm not sure about what method to use.

      Does anyone know the difference between using:

      DISM /Online /Remove-ProvisionedAppxPackage /PackageName:Microsoft.WindowsCamera_2018.826.98.0...
      

      versus using:

      Get-AppxPackage *camera* | Remove-AppxPackage
      

      Dism is an exe, the other is a PowerShell cmdlet.

      I don't recall which one, but I think the verb-appxprovisionedpackage is more similar to dism?

      I don't remember anymore, it's been like 6 years now since I dove into it when I wrote the Win10 crApp Remover.

      But here's the docs

      https://learn.microsoft.com/en-us/powershell/module/appx/remove-appxpackage?view=windowsserver2022-ps

      https://learn.microsoft.com/en-us/powershell/module/dism/remove-appxprovisionedpackage?view=windowsserver2022-ps

      Awesome thanks!

      Links are great, it looks like there is all the information I need.

      I can see that you've put in an impressive amount of work making your Win10 crApp remover. I'll take a closer look at how you disable and uninstall things in your code.

      posted in IT Discussion
      1
      1337
    • Zoho Workdrive backup heads up

      ...

      posted in IT Discussion zoho rclone backup
      1
      1337
    • How-to: Custom RDP window size

      ...

      posted in IT Discussion rdp windows
      1
      1337
    • Force password change on first login over RDP

      Is there a Microsoft blog post, tech article or whatever place of authority that I can send to IT support people?

      I need it for those that don't know that you can't force users to change their passwords on first login (or after password reset) when they connect over RDP only.

      Users get this error:
      [image: screenshot of the error]

      As far as I know there is no reasonable workaround around this catch-22 problem.
      Except don't force users to change password on first login...

      posted in IT Discussion windows rdp
      1
      1337
    • RE: Dell Server Not Recognizing Memory

      @NashBrydges said in Dell Server Not Recognizing Memory:

      @Pete-S That's what I also thought. I will have to spend some more time digging all the module numbers out tomorrow once I'm back there. There has to be something mismatched somewhere. Can't imagine anything else at this point.

      If possible you should be prepared to swap the CPUs.

      What kind of CPUs are in there? E5-26xx V2 something perhaps? V1 is probably more likely.


      Troubleshooting quickly adds up so it might be time to consider what to do if the problem can't be solved easily. Like looking at the RAM and reseating it.

      R720 is well over its expected life span at this point. It's very much a possibility that the server is on the verge of catastrophic failure and this is the first sign.

      posted in IT Discussion
      1
      1337
    • RE: HTML Form filling Integrating through GCP Serverless

      @Laksh1999

      Why are you using email for this?

      This problem has already been solved in a number of better ways and basically all helpdesk systems have this:

      • HTML code or web forms you can paste into your site that will allow you to create a ticket from your web site.
      • Support portal where the users can see their tickets, write new ones and reply to tickets.
      • API integration that allows you to submit tickets directly from other places, like a website.

      Pick one of those ways instead and you'll have a much better, cleaner and more reliable solution.

      posted in IT Discussion
      1
      1337
    • RE: HTML Form filling Integrating through GCP Serverless

      @Laksh1999 said in HTML Form filling Integrating through GCP Serverless:

      @Pete-S said in HTML Form filling Integrating through GCP Serverless:

      API integration that allows you to submit tickets directly from other places, like a website.

      How to create an api to send the email to the helpdesk email from the google form?
      Here the user sends an email to helpdesk email to create a ticket for their daily issue

      API is the last resort and only needed in special cases.

      And you don't need google forms at all.

      Helpdesks like zendesk, freshdesk, zoho desk etc have widgets. It's some html/javascript you insert into your web site and a customizable form will appear.

      When the user submits the form a ticket will be created with all the right information in the proper fields.

      Search for the name of your helpdesk and widget and you'll find it.

      posted in IT Discussion
      1
      1337
    • RE: Debian 11 & php8

      @WLS-ITGuy said in Debian 11 & php8:

      One of the applications we use just released a new version and the update requires php8.0 or above.

      So right now the best approach is to wait until Debian 12 is released officially and then install Debian 12 with the new version of the application.
      If the application is supported on Debian they have likely tested it with Debian 12.

      posted in IT Discussion
      1
      1337
    • RE: Debian 11 & php8

      @WLS-ITGuy said in Debian 11 & php8:

      One of the applications we use just released a new version and the update requires php8.0 or above.

      We're using Debian 11 and since 11.7 was just released, which doesn't have php8 in the release. I was wondering how do I find out when things like php, MariaDB, Apache, NGINX, etc. get applied to distros?

      You are running debian stable which means that packages have stable versions.

      So when Debian 11 was released with php version 7.4.x it will keep having that version forever. It will never become php 8.
      It's because php8 is not 100% backward compatible with 7.x so if Debian would automatically upgrade to php8 then applications will break. That is not a stable approach.

      This goes for all packages, not just php. Updates will only be minor releases with bugfixes and security issues fixed.

      Every 2 years or so you get a new Debian stable version and then you get newer versions of all 50,000+ packages as well.

      posted in IT Discussion
      1
      1337