• Adam Gordon

    Nicholas,

    When you are using an on-premise AD infrastructure that you manage and maintain and then use Azure AD Connect to sync your user accounts into the Azure cloud, you are traditionally doing so in order to leverage the Single Sign-On capabilities that Azure provides for SaaS solutions like Office 365, Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, etc.

    There are three versions of the Azure AD solution that can be deployed, depending on the choices that you/your company have made and the "pay-as-you-go" addition of features that you may be consuming, as noted below:

    1. Azure Active Directory Basic - Designed for task workers with cloud-first needs, this edition provides cloud-centric application access and self-service identity management solutions. You get features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.

    2. Azure Active Directory Premium P1 - adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity, and access management (IAM), identity protection, and security in the cloud. It supports advanced administration and delegation resources like dynamic groups and self-service group management. It includes Microsoft Identity Manager (an on-premises identity and access management suite) and provides cloud write-back capabilities enabling solutions like self-service password reset for your on-premises users.

    3. Azure Active Directory Premium P2 - includes all the capabilities in Azure AD Premium P1 as well as Identity Protection and Privileged Identity Management. Azure Active Directory Identity Protection leverages billions of signals to provide risk-based conditional access to your applications and critical company data. It helps you manage and protect privileged accounts with Azure Active Directory Privileged Identity Management so you can discover, restrict, and monitor administrators and their access to resources and provide just-in-time access when needed.

    Regardless of the Azure AD option that your company is using, you DO NOT use Group Policies to manage and control users and/or devices directly within Azure. The way that we accomplish access control to resources is via Group Membership and the use of Security Groups. Take a look at the following URL for a high-level discussion of the basic concepts, and then you can follow the links in the left-hand column of the page to examine more topics as necessary to better understand your options:

    "Manage access to resources with Azure Active Directory groups":

    https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups

    You will also want to pay attention to the distinctions for how devices are managed and whether they are Domain Joined or Domain Registered. The following article will give you an overview and, again, look to the left-hand column navigation area for additional topics as necessary to further refine and understand what you may want to do, and how to accomplish it.

    "Introduction to device management in Azure Active Directory":

    https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction

    Hopefully these articles will help you to start figuring out what you would like to do. Please let me know if I can be of any additional assistance to further clarify, or answer any questions as you continue your research.

    Good Luck !!!

    Cheers,

    Adam

    posted in Microsoft
  • Adam Gordon

    Nagayya,

    I hope all is well. Mike was out of the office on Friday, and may not respond to you till he returns, so I thought that I would quickly jump in and answer you in the meantime. The highlighted area above that you are asking about is what Mike was referring to.

    DO NOT use the link in the highlighted area to do the post-configuration of WSUS, or you will break the WSUS / SCCM integration and it will not function correctly.

    As Mike was indicating, the remaining configuration of WSUS will be done from within the SCCM management interface.

    You can go and take a look at the shows in the library that I did on "System Center 2012 Configuration Manager - 70-243", where I walk through the complete installation, setup, configuration and management through update deployment of the WSUS and SCCM integration.

    Look for the episodes under the title "Deploy applications and software updates".

    Please let us know if you have any other questions. Good Luck !!!

    Cheers,

    Adam

    posted in Microsoft
  • Adam Gordon

    Nicholas,

    I hope all is well. You are right on the on-prem hybrid sync: policies DO NOT sync up from your environment into Azure.

    You DEFINITELY CAN DO what you would like, however, as long as you are using a managed Active Directory instance hosted fully in Azure. Take a look at the following, as it will explain everything that you need to know, and how to go about it:

    "Administer Group Policy on an Azure AD Domain Services managed domain":

    https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-group-policy

    Let me know if I can be of more help, or if you need any clarification(s) once you have had a chance to go through the material.

    Good Luck !!!

    Cheers,

    Adam

    posted in Microsoft
  • Adam Gordon
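The post above says Group Policy can be administered on an Azure AD Domain Services managed domain. Below is an added example (not from the original post or the linked article) that creates, configures and links a GPO from a management VM joined to the managed domain, using the GroupPolicy module from RSAT; the domain name, OU path and GPO name are assumptions, and the script is written to be safe to re-run.

```powershell
# Added example: administer Group Policy on an Azure AD DS managed domain.
# Run on a domain-joined management VM, as a user who is allowed to edit GPOs
# in the managed domain. Domain, OU and GPO name below are assumed values.
Import-Module GroupPolicy

$Domain  = 'contoso.com'                              # assumed managed domain
$GpoName = 'Workstation Screen Lock'                  # assumed GPO name
$Target  = 'OU=AADDC Users,DC=contoso,DC=com'          # assumed target OU

# Create the GPO only if it does not already exist, so re-running is harmless.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment 'Managed-domain example'
}

# Registry-backed user policy: password-protected screen saver after 15 minutes.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $key `
    -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900' | Out-Null
Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $key `
    -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null

# Link the GPO to the OU; New-GPLink throws if the link already exists, so check first.
$links = (Get-GPInheritance -Target $Target -Domain $Domain).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Domain $Domain -Target $Target -LinkEnabled Yes | Out-Null
}

# Verify: show the link state of our GPO on the target OU.
(Get-GPInheritance -Target $Target -Domain $Domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Format-Table DisplayName, Enabled, Enforced, Order
```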

    James (et al.),

    I hope all is well. I am back in the studio starting this week, July 10th, and we are shooting the remaining CISSP domain content to finalize the show.

    The week of July 10th we are shooting and finishing up Domain 4 and starting on Domain 6.

    The week of July 17th we are finishing Domain 6 and starting Domain 7.

    The weeks of July 24th and July 31st we will be finishing up Domain 7 and Domain 3.

    If you have any additional questions, or need anything else vis-à-vis CISSP, please let me know.

    Cheers,

    Adam

    posted in Security
  • Adam Gordon

    Michael,

    I hope all is well. It comes down to planning, as so many things do. Take a look at this blog post to address your first question, as it walks you through the step by step to perform the upgrade, along with setting up and using the CodeIT Repos, which will get you around some of the issues associated with install/upgrades and ensure that you have the latest updates.

    https://crosp.net/blog/administration/install-latest-apache-server-centos-7/

    For Question #2, take a look here, as this is the CentOS MAN file for ACLs, and has links to all of the sub-items that you will want to examine. There are two types of ACLs you will have to figure out and use:

    1. access ACLs - the access control list for a specific file or directory
    2. default ACLs - can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory.

    https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-acls.html

    Good Luck ... Let me know if you need anything else. :)

    Cheers,

    Adam

    posted in General Discussion
  • Adam Gordon

    Waqkas,

    My apologies for not being more specific initially. So two things will potentially impact your ability to do this as noted below:

    1. What version of Server are you running/targeting?

    Based on the answer to the question above, you may be able to use the template found here to modify permissions via group policy:

    https://www.microsoft.com/en-us/download/details.aspx?id=36991

    The template is supported on Servers up to 2012. I am not sure if it will work on 2016 or not, but you can try it.

    If the template is not serviceable as an option due to versioning issues, then I would suggest that you look at the delegation of control wizard as discussed in the article below:

    https://serverfault.com/questions/336723/grant-permission-in-active-directory-to-add-users-modify-changed-password

    See if one, or both of those may help. :)

    Cheers,

    Adam

    posted in General Discussion
  • Adam Gordon

    Waqkas,

    Take a look at the following, and make sure that you are familiar with it in case you ever need it:

    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/set-localuser?view=powershell-5.1

    :)

    posted in General Discussion
  • Adam Gordon

    Waqkas,

    Take a look at the following:

    www.pwrusr.com/system-administration/3-ways-to-grant-local-admin-permissions-to-domain-users

    It will offer you several different approaches which should allow you to accomplish your goal.

    Cheers,

    Adam

    posted in General Discussion
  • Adam Gordon

    Waqkas,

    I hope all is well. Prompting for a credential via PowerShell is actually relatively straightforward. You will need to use the Get-Credential cmdlet.

    Take a look at the help file here:

    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential?view=powershell-6

    If you need anything else, let me know.

    Cheers,

    Adam

    posted in General Discussion
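The two posts above point at Set-LocalUser and Get-Credential separately. The following added example (not from the original posts) ties them together: it prompts for a new password with Get-Credential and applies it to a local account with Set-LocalUser, keeping the password as a SecureString the whole way. The account name is an assumption; it needs Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module, run elevated.

```powershell
# Added example: prompt for a credential and use it to reset a local account password.
function Reset-LocalAccountPassword {
    param(
        [Parameter(Mandatory)][string]$UserName
    )

    # Check the account exists before prompting, so a typo fails fast.
    $user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    if (-not $user) { throw "Local account '$UserName' not found." }

    # -UserName pre-fills the dialog; the password comes back as a SecureString,
    # so it never has to be typed into the script or converted to plain text
    # (avoid $cred.GetNetworkCredential().Password, which exposes it).
    $cred = Get-Credential -UserName $UserName -Message "Enter the NEW password for $UserName"
    if (-not $cred) { throw 'No credential supplied; nothing changed.' }

    # Set-LocalUser accepts the SecureString directly.
    Set-LocalUser -Name $UserName -Password $cred.Password `
        -PasswordNeverExpires $false -UserMayChangePassword $true

    # Return the verifiable result: PasswordLastSet should now be "just now".
    Get-LocalUser -Name $UserName | Select-Object Name, Enabled, PasswordLastSet
}

Reset-LocalAccountPassword -UserName 'svc-backup'   # assumed account name
```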