The Consolidated B&EC "Quick Question" Thread.

Discussion in 'Business & Enterprise Computing' started by looktall, Jun 6, 2015.

  1. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,804
    Location:
    elsewhere
    Sorry for the delayed reply, yesterday got out of hand and today hasn't been much better.

    Yup.

    I think I've got this working at least part way. Originally the users had login scripts adding the mapped drives persistently. I changed that to a non-persistent group policy, but for some reason the drive maps were still persistent. After manually removing them and letting group policy re-apply them, the login is back to normal. This means the users don't have mapped drives when they take their machines home, so as a workaround I've just given them a shortcut to a batch script to manually map the drives after connecting to VPN. Messy, but it works for the moment.

    Tried this early on in the piece, no go. Default unconfigured is only a 30 second wait anyway so I don't think it could account for the 5+minute wait.

    I had this thought, but I haven't figured out what to do about it.
     
  2. kjparker

    kjparker Member

    Joined:
    Jun 28, 2001
    Messages:
    1,486
    Location:
    Sydney

    Had you tried Elvis's suggestion?
     
  3. randomman

    randomman Member

    Joined:
    Oct 21, 2007
    Messages:
    4,976
    Location:
    Vancouver, BC
    Can you have WireShark run before login?
     
  4. tobes

    tobes Member

    Joined:
    Dec 23, 2001
    Messages:
    4,099
    Location:
    Melbourne
    Mirror a switch port...
     
  5. randomman

    randomman Member

    Joined:
    Oct 21, 2007
    Messages:
    4,976
    Location:
    Vancouver, BC
    Oh I like that. This will come in handy when I have to troubleshoot shitty OSD issues. Why must all the network admins I know be reclusive people who keep all their knowledge to themselves? Perhaps I'm a little to blame for taking little interest in enterprise networking...

    Anyone know any free enterprise networking intro courses maybe with some quizzes thrown in? You know, the kind that don't make me want to rip my eyes out in boredom.
     
    Last edited: Mar 2, 2021
  6. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,721
    Location:
    NSW
    A benefit of GPO drive mappings is they will reapply every ~30mins or so when on the domain vs a logon script that only applies once. If they need their drives pretty much immediately after connecting to the VPN see if your VPN software allows you to configure a run after connect command, and have it do a gpupdate /force, else have the batch script run the gpupdate /force rather than the drive mappings directly, to save yourself having to change batch files on every computer if a mapping changes/user gets permissions to a new mapped drive etc.

    You could run it via Task Scheduler set to trigger on startup, or run it as another user then use the switch user to log on as the problematic profile, as long as Windows doesn't put it to sleep when you do switch user.

    Not sure what level of knowledge you have but Cisco do a free Packet Tracer course. Fortinet also have a fairly comprehensive free training site (at least some is available without a purchase, unsure if it's all free even if you don't have Fortinet gear), and given they have products in all areas of networking it would likely be very helpful.
     
  7. OP
    OP
    looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,605
    Assuming by OSD you mean Operating system deployment, I find issues are usually one (or more) of 3 things.
    Network wrong (check DNS, dhcp etc)
    Network not allowed (check authentication)
    Network missing (plug the cable in)
     
    Last edited: Mar 2, 2021
  8. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,804
    Location:
    elsewhere
    Thank you, that's helpful. I've been struggling a bit with problems at this site because I only get a couple of hours a day to work on any issues, amongst taking care of any other support issues they have. I'm really struggling in this new MSP role not being able to focus on any one issue until it's actually solved.

    I've been trying to clean up their active directory and group policies etc, but it's been difficult. This site is shared with another MSP and I'm limited in the changes I can make without breaking their stuff. I'd work with them on it, but they'd rather we didn't exist and ignore us. Fun times.
     
  9. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,721
    Location:
    NSW
    No worries. That's one of the biggest issues in MSP land IMO - you don't get time to properly investigate/fix issues, and by and large the management of the MSP don't care so much if it's a bandaid fix as that leads to future billings. Why is there another MSP involved? Is the company looking to change MSPs? If so maybe you can convince your boss that giving them some extra care may get them over the line (or keep them with you) so fixing some of these things that may not be huge issues in the overall scheme of things but definitely get noticed by users may have some added value in it.
     
  10. randomman

    randomman Member

    Joined:
    Oct 21, 2007
    Messages:
    4,976
    Location:
    Vancouver, BC
    I'm in Task Scheduler pretty regularly and it completely slipped my mind...

    I'd say I'm on the higher end of intermediate for home networks and lower end of it for enterprise. I'll check out Fortinet, thanks!

    +WinPE network drivers missing
    +FullOS network drivers missing

    We still have user authentication required for internet access and our wifi won't auto-connect because Windows can't access msftconnecttest with the computer account. It's going to be fun when everyone goes back to the office and they ask me why it's still not fixed and I get to tell them the Network team let my ticket auto-close with no action.
     
  11. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,804
    Location:
    elsewhere
    I'm not sure how it came about, but the other MSP owns the network stack and the hardware side of the servers along with some specialised telephony stuff, whereas we have the day to day site support and maintenance side of things. The other guys have been pushing hard to have one of their people become the on site support, but have been rebuffed by the site, they like things how they are. It's led to some annoying issues. AD is a big one, they were just using the default "my business" OU for users and groups etc along with the default computers container that had everything in it. At some point in the past some muppet applied a no Windows Update GPO for some static sign in kiosks and pinned it right at the root of the forest, meaning nothing was getting updated.. for years as best I can tell. There's a bunch of other outdated or downright pointless GPOs haphazardly applied, so I thought screw this I'll rebuild this into something sensible, only to discover they've filtered all new OUs out of AzureAD integration for o365, so I can't do anything but polish the turd.
     
  12. OP
    OP
    looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,605
    That fits under network missing.
    The msftconnecttest page would be trying to connect using the user creds wouldn't it?
    Do you use a proxy that requires authentication?
     
  13. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,066
    Location:
    Canberra
    unfortunately it's common in very large organisations for multiple MSPs to be involved in different areas.

    one I know of, has different MSPs for each of the following (broad scopes)
    - LAN networks
    - WAN networks
    - Servers/DCs
    - Desktop support/helpdesk

    then of course multiple various vendors/MSPs doing application development and support etc.

    yes it's a horrible mess, and getting anything done that involves more than one of the MSPs turns into a contractual battle with the technical problem forgotten about as setting up a multi-party project and figuring out who is going to pay is more important than actually getting anything done.
     
  14. randomman

    randomman Member

    Joined:
    Oct 21, 2007
    Messages:
    4,976
    Location:
    Vancouver, BC
    So... if you click "Connect" it will use the user's creds (and works fine), if you let it auto-connect I think it's using the computer account. I've been told the firewall requires user authentication for internet access, I don't believe we use a proxy.
     
  15. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,538
    Add the computer accounts to the group that is allowed internet access.
    or get msftconnect added to exceptions :).
     
  16. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,066
    Location:
    Canberra
    hello data exfiltration!
     
    looktall likes this.
  17. OP
    OP
    looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,605
    If I join wifi using my daily driver account it connects.
    If I join wifi using my admin account (which does not have internet access) it fails to connect.
     
  18. randomman

    randomman Member

    Joined:
    Oct 21, 2007
    Messages:
    4,976
    Location:
    Vancouver, BC
    Tried:

     
  19. colmaz

    colmaz Member

    Joined:
    Jan 8, 2007
    Messages:
    431
    Location:
    Perth, WA
    AFAIK, msftconnect.com is only used by the Network Location Awareness service (NLASvc) to confirm that you have internet access. The easiest way to dupe this is to point to an internal web server that your computers and admin accounts can access and host your own copy of http://www.msftconnecttest.com/connecttest.txt. There are some reg keys that you can edit, but the DNS hijack and small text file seem the simpler of the solutions to me. This solution is in place at all public schools in WA with the file being hosted on a local server.
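
An added example, not part of the post above or of any poster's setup: a Python check that requests the probe file the way the post describes, without following redirects, so an admin can tell whether an internal copy answers cleanly or a gateway is intercepting the request for user authentication. The expected body `Microsoft Connect Test`, the local stand-in server and the portal URL are assumptions of this sketch and do not come from the thread.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_PATH = "/connecttest.txt"          # path from the URL quoted in the post
PROBE_BODY = b"Microsoft Connect Test"   # assumed body of the public probe file

def make_handler(intercept):
    """Constructed stand-in: an internal copy, or a gateway demanding user auth."""
    class Handler(BaseHTTPRequestHandler):
        log_message = lambda *a: None    # keep the demo quiet

        def do_GET(self):
            if intercept:  # simulated auth redirect (hypothetical portal URL)
                status, body = 302, b""
                extra = ("Location", "http://portal.example.invalid/login")
            elif self.path == PROBE_PATH:
                status, body, extra = 200, PROBE_BODY, ("Content-Type", "text/plain")
            else:
                status, body, extra = 404, b"", ("Content-Type", "text/plain")
            self.send_response(status)
            self.send_header(*extra)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler

def check_probe(host, port=80, timeout=5):
    """Fetch the probe without following redirects and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Send the public Host name, as a client would after a DNS override.
        conn.request("GET", PROBE_PATH, headers={"Host": "www.msftconnecttest.com"})
        resp = conn.getresponse()
        body = resp.read()
    except OSError as exc:
        return f"unreachable: {exc.__class__.__name__}"
    finally:
        conn.close()
    if resp.status in (301, 302, 303, 307, 308, 401, 407):
        return f"intercepted: HTTP {resp.status}"
    if resp.status == 200 and body == PROBE_BODY:
        return "ok"
    return f"mismatch: HTTP {resp.status}, {len(body)} bytes"

def demo(intercept):
    """Run the check against the local stand-in on an ephemeral port."""
    with HTTPServer(("127.0.0.1", 0), make_handler(intercept)) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return check_probe("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
```

Pointing `check_probe` at the address of a real internal server, from a session without internet access, shows whether the probe would pass before any DNS change is rolled out.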
     
  20. randomman

    randomman Member

    Joined:
    Oct 21, 2007
    Messages:
    4,976
    Location:
    Vancouver, BC
    If I remember correctly there's actually a GPO that lets you redirect it to your own server. I don't want to get involved in hosting more shit so I'd rather they just bypass the user authentication requirement for the URL.
     
