/
Monthly Meeting Agenda and Notes 2/22-2/23

Monthly Meeting Agenda and Notes 2/22-2/23

Owned by Jim Woods
Last updated: Jul 21, 2023
6 min read

Meeting overview

Monthly meeting for the Microsoft Admins User Group. The purpose of this user group is knowledge sharing between various IT experts around campus. The group is open to all campus IT staff who have an interest in talking and learning about administration of the Microsoft Ecosystem.

Some sample topics to get the conversations started:

  • Active Directory & Identity Integration

  • How-to: Creating a Campus Active Directory Trust

  • Splunk Logs for Active Directory

  • Firewalls with Group Policy

  • Account Creation Workflows

  • Server Core

  • Introduction to security technical implementation guide (STIG). Based on Department of Defense (DoD) policy and security controls.

The sessions will be an open format, so feel free to stop in just to listen or stick around with questions and conversation about the various topics.

Open action items

Running List of tasks or open action item discussed over the previous meetings.

@John Echeveste (Unlicensed) publish the STIG GPOs that the campus AD team came up with
Action Item: add custom Splunk AD dashboards to Github Repo
Action Item: Could we create a shared AD Dashboard?

Meeting minutes

Date

Host

Agenda

Notes, decisions and action items

Date

Host

Agenda

Notes, decisions and action items

Jul 21, 2023

@Jim Woods

Open Discussion - Office Hours Style

Topics

  • General Active Directory questions

    • Inheriting an existing AD? How best to manage?

    • How best to manage independent ADs / Forests?

  • Recommended versions of Windows Server

    • How do folks upgrade/replace to new versions?

  • Cloud based options / solutions

    • Azure

      • Azure-based Solutions vs Azure Cloud

    • AWS

  • Network File Share options

    • What does google storage limits mean

    • POC - File Servers to AWS File Gateway S3

    • POC - AWS FsX file server - Local Zones?

Mar 17, 2023

 

  • What are people using/doing for imaging/provisioning?

    • Build on top of OS supplied by vendor?

    • Wipe machines and full reimage?

    • MECM? MDT? Other?

    • What issues are people running into?

 

Feb 17, 2023

@John Echeveste (Unlicensed)

  • Dell not shipping machines with Windows 10 starting June.

    • Pushing Windows 11 with Datto.

  • Using Identity API for NetID name mapping script

    • Can then be used to “sync” user status with identity, account lifecycle stuff.

    • Reminder about Powershell and MAUG github repos

  • Windows Server 2012/2012 R2 EoL - Sam

    • What issues are people facing?

Jan 20, 2023

@Andrew Espinoza

  • @Alex Mook described ARIT' current remote workstation solution. Uses mixture of Citrix, VPN, etc.

    • Wants one solution.

    • Looking at netscaler (citrix), splashtop (datto), RDP proxy

  • @Mehrshad Moghimi provided this doc about AWS workspaces and gave a setup demo

    • AWS_Workspaces - Google Docs

    • Using retail pricing for an estimate is advised as it gives you the higher threshold of cost, but there is a discount for campus cloud

  • While not remote workstation, Library uses Azure Lab Services for remote classroom labs. Ask @Andrew Espinoza if interested.

  • SOC has Guacamole as an RD gateway solution, best-effort service.

  • Appstream is also an option if a full desktop environment is not needed.

  • ITS offers screenconnect as a service. Usage increased during the pandemic.

    • Site license. Tom Howard in ITS is the person to contact.

  • On-prem Windows Remote Desktop Service is possible, but not compatible with campus AD.

    • NPS in a one-way trust would need to setup and managed in the netid.ucsb.edu domain.

Nov 18, 2022

@John Echeveste (Unlicensed)

Endpoint Topics:

  • Tenable/Nessus client deployment for all endpoints.

  • FireEye Agent client deployments for all endpoints

  • Bitlocker

  • LAPS and local account password management

  • Kerberos hardening patches / roadmap

  • @Roger Padilla Kerberos and netlogin updates and roadmap

    • Blog post for Kerberos and Netlogon

    • currently in phase 1 of deployment

    • patch tuesday updates did include an issue

    • some current clients (ex, linux) will be affected

    • also some legacy Windows Operating Systems will be affected

    • @Alex Mook will check with @Mike Franklin about rules to put in place for Splunk to assist with Auditing

  • @John Echeveste (Unlicensed) Nessus endpoint deployments. Who has started deploying?

    • Ken (ARIT?) has deployed to over 1000 endpoints

    • @Alex Mook and his team have been dealing with the reports. It’s a bit overwhelming

    • @Don Kileen is happy to report back to SOC for better reporting

      • are rreports coming daily or monthly

      • is it possible to get access to tenable dashboard/interface?

    • deploying for endpoints is trickier due to the installer wanting to use network security contact (at home host, or on wireless)

      • @John Echeveste (Unlicensed) solution using OU? willing to share scripts

  • FireEye agent deployment

    • Time to start deploying

    • No plans to renew the Sophos licenses at this time

  • Bitlocker - built in full disk encryption.

    • is typically required for mobile devices with sensitive information

    • @John Echeveste (Unlicensed) ITS/ETS starting to roll out for all endpoints

      • GPO requirement to have recovery key escrowed to AD

      • only on endpoints with TPM

      • so far, not performance issues for endpoints

      • also putting the recovery key with Datto RMM

      • only a solution for domain-joined computers

    • @Andrew Espinoza and @Dan O'Brien also deploying at the library

    • @Jim Woods is there an existing recovery document/KB that we could reference or point to?

  • LAPS - Local Admin Password Solution

    • Use case is for student techs accessing endpoints, and being able to restrict access and rotate quickly

    • randomize and escrow (and encrypt) your local admin passwords in your Active Directory

    • Windows LAPS overview

    • built-in to Windows 11

    • Will be built-in to AD and Windows Server (current or coming?)

      • Will need to extend your AD schema

      • Will need to add a client to your computers (endpoints? servers?)

      • Be careful about permissions

    • There is also MacOS LAPS

      • escrow keys to an MDM provider (Jamf)

Oct 19, 2022

@Jim Woods

Windows Authentication and AD horror show stories

  • Campus outage issues

    • @Andrew Espinoza Library EZ-Proxy depends on Campus LDAP

    • @Sam Hunter Campus AD was down. Secondary location for Pub Safety will be used for additional resiliency

    • DR sites in the Cloud

    • @Alex Mook Backup systems like Cohesity and Rubrik can restore to the cloud. Need the rest of the infrastructure to use that as a proper DR site.

    • @Andrew Espinoza Domain Endpoints (Client)- dependencies on on-premise DCs

    • @Hank Rayner - Storage replication between local sites

    • Is there an RCA yet for the outage? Coming soon

    • @Glen Nason (Unlicensed) - recovery of systems and the order, based on dependancies to sequence the recovery

  • SHI check-in and gripes

Sep 16, 2022

@Alex Mook

  • Infrastructure as Code

    • Configuration Management

    • Resource Deployment

    • SCCM

    • @Andrew Espinoza Terraform Demo

  • Endpoint and Helpdesk topics

    • What’s a pressing need?

    • Any tools or tricks to share?

@Jim Woods will host the next meeting
Most groups using SCCM for imaging, Datto or other tools for config
ARIT and ETS have recurring issues with SCCM, “it’s a beast”
Library, ARIT and ETS all looking to migrate or upgrade in the near future
ARIT, ETS, and SA all using SCCM for multiple domains
Get SCCM admins access to shared resource page
HelpDesk Endpoint Topics for next meeting, pressing needs and tools/tricks
Future topics:
Workspaces
Bitlocker
LAPS and local account password management
Windows 11 and infrastructure support for it
Tenable/Nessus
User onboarding/offboarding, lifecycle management

Aug 19, 2022

@John Echeveste (Unlicensed)

  • New Dell standards in Gateway, new Dell rep

  • AD Audit, complete?

  • Reminder about AD and Endpoint audits

  • DOD STIG overview from @Keith Jakobs (Deactivated)

  • Rundeck Demo from @Mark Norstedt

Windows 11 - Is anyone working on this yet?
@John Echeveste (Unlicensed) will send info about Dell updates to CSF
@Keith Jakobs (Deactivated) and @John Echeveste (Unlicensed) publish the STIG GPOs that the campus AD team came up with

Jul 15, 2022

@John Echeveste (Unlicensed)

  • PSA for EOL and EOS of Windows Server 2012 and 2012R2

  • PSA - EOL for SQL Server 2012

  • SHI issues

  • Remote Management, Patching and Software Deployment

    • Survey of what people are using now

    • DATTO Demo

  • Moving local User Ids to netid

    • Why? How? What are the drawbacks?

Action Item: Migrating Local users IDs to Campus NetIDs

Jun 17, 2022

@Sam Hunter

  • PSA for EOL and EOS of Windows Server 2012 and 2012R2

  • Splunk for Windows

    • M365/AzureAD App Demo

    • Splunk “Apps” to look at M354, InfoSec, Observability

    • @Mike Franklin has a custom Dashboard for On-premise Active Directory

    • Audit Rules shared best practices request

May 20, 2022

@John Echeveste (Unlicensed)

  • IE 11 EOL

  • Fireeye rollout

  • Monitoring Survey

    • SCOM (Systems Center Operations Manager) (no current users)

    • LogicMonitor - a few users

    • Naggios - a few users

    • Zabbix - a few users

  • Patching

    • Roger Padilla to talk about Windows patch rollouts in ETS

    • ARIT is using Datto

 

Apr 15, 2022

@Andrew Espinoza

  • Microsoft Licensing (MCCA) Information sharing

  • Encryption, Certificates, and PKI infrastructure

  • Available Lightning Talks

    • Interfacing between Campus Identity API and your local Active Directory using Powershell

 

Mar 18, 2022

@Andrew Espinoza

  • About Campus AD

  • How to set up a One-way Trust with Selective Authentication

 

Feb 18, 2022

@Jim Woods

  • Initial kickoff

  • Introductions