Author Archive

Problem Description:

  1. [FSM:FAILED]: Cap the power consumption of chassis 1(FSM:sam:dme:EquipmentChassisPowerCap). Remote-Invocation-Error: Error in setting power cap budget-MC Error(-5): Error Executing Command
  2. Warning: there are pending management I/O errors on one or more devices, failover may not complete.

UCS-FI-M-6324

UCSM:Package-Vers: 3.1(3a)A

Action Taken:

+ Tried changing the power cap policy from Chassis level to blade level and back to chassis level, fault did not clear.

 

Rebooted FI-IOM B, all faults are cleared.


Server 2008 and prior domain controllers create two Domain Admin accounts with permissions on the GPOs. We could not see both in the GUI, but when we ran icacls {GPO UID} on the Server 2008 domain controller, both Domain Admin accounts were listed.

Server 2012 and newer domain controllers only create a single Domain Admin account with access.  In the 2018.6C (June 21 Rollup, links below) patch for 2016 and 2012R2, a new function was introduced to remove duplicate ACEs in order to reduce the NTFS Security Descriptor stream size. Machines with this patch will no longer write that duplicate ACE, thereby making them inconsistent with the unpatched ones.

To fix this, we logged into the Server 2008 domain controller and ran the following command against all the GPOs to remove both Domain Admin accounts:

icacls "{GPO UID}" /remove:g "<localdomain>\Domain Admins"

Then we ran the following command to add a single Domain Admin account back to the GPO:

icacls "{GPO UID}" /grant "<localdomain>\Domain Admins":(OI)(CI)(F)

We then forced replication again with these two commands:

repadmin /syncall

repadmin /syncall /AdePq

After that we re-ran Detect Now on Server 2016 and all servers were green.

IMPORTANT NOTE:

If you create a new policy on Server 2008 it will get the second domain admin account again.  So to prevent it from happening going forward you should create the GPOs on Server 2016.
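
To find which GPOs carry the repeated Domain Admins entry before running the fix, the icacls check above can be looped over every GPO folder. This is an added example, not part of the original post: the default $PoliciesPath and the function name Get-RepeatedPrincipal are assumptions, and the script only reads ACLs.

```powershell
# Added example: read-only audit; it changes no ACLs.
# Assumption: $PoliciesPath is a placeholder for the SYSVOL Policies folder
# on the domain controller being checked (a UNC path also works).
param(
    [string]$PoliciesPath = "$env:SystemRoot\SYSVOL\domain\Policies"
)

# Hypothetical helper: returns the principals that icacls lists more than once.
function Get-RepeatedPrincipal {
    param([string[]]$IcaclsOutput, [string]$Path)

    # Keep only ACE lines ("principal:(flags)"); this drops blank lines and
    # the "Successfully processed" status line. icacls prints the path in
    # front of the first ACE, so strip it before trimming.
    $aces = $IcaclsOutput |
        Where-Object { $_ -match ':\(' } |
        ForEach-Object { $_.Replace($Path, '').Trim() }

    # Group by principal (text before the first ":(") and keep those that
    # appear more than once, as Domain Admins did in the case above.
    $aces |
        Group-Object { ($_ -split ':\(', 2)[0] } |
        Where-Object { $_.Count -gt 1 }
}

# GPO folders are named with a GUID in braces; skip anything else.
Get-ChildItem -LiteralPath $PoliciesPath |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $gpo = $_
        $out = & icacls.exe $gpo.FullName
        Get-RepeatedPrincipal -IcaclsOutput $out -Path $gpo.FullName |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Gpo       = $gpo.Name
                    Principal = $_.Name
                    Aces      = ($_.Group -join ' | ')
                }
            }
    }
```

A principal can legitimately hold more than one ACE with different flags, so compare the Aces column before removing anything.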


After enabling Mimecast for inbound routing, Threat Protection rewrites the URLs for safety. The problem appears when this is enabled together with the following Office 365 spam check: Image links to remote sites

What it does: Messages that contain <Img> HTML tag links to remote sites (for example, using http) are marked as spam.

All inbound emails containing images with hyperlinks get marked as spam by Office 365. Make sure this is turned off!


The compact is the recommendation from iManage Support. Ideally, you can stop the connector and the ingestion, as they are not being used anymore, and start the services after the DRECOMPACT.

You will need 30% free disk space to run DRECOMPACT successfully.

 

STEPS TO RESOLVE

  1. Stop Worksite Connector and Work Ingestion Server services
  2. Expand Content Engine disks to a point that there is more than 30% capacity free 
  3. Run a DRECOMPACT task against both engines

    http://127.0.0.1:11001/DRECOMPACT
    http://127.0.0.1:12001/DRECOMPACT

    Make a note of the INDEXID number returned to your browser.
  4. Wait until completed

    YOU CANNOT STOP THIS PROCESS AND IT MAY TAKE A CONSIDERABLE AMOUNT OF TIME


  5. You can monitor the status from the IndexerBrowser

    “The compaction is complete when the IndexerGetStatus action reports that the job (INDEXID number) is finished (status=-1, description = Finished).”

 

  6. Restart the Connector and Ingestion Server services once the job has completed and the content engine disks are looking a little emptier

 

To set up a schedule for compaction

  1. Open the Content server configuration file in a text editor.
  2. Find the [Schedule] section. If the configuration file does not contain a [Schedule] section, add one.
  3. Set the following parameters in the [Schedule] section:

 

Compact: Type true to enable a compacting schedule.

CompactTime: The time (hh:mm) when you want the Compact operation to start.

CompactInterval: The number of hours between DRECOMPACT operations. Specify the time in the 24-hour clock and the format hh:mm. When you start WorkSite Indexer, the specified CompactInterval must elapse (after the specified CompactTime) before the first DRECOMPACT operation takes place. Type 0 to schedule daily compactions.

 

For example:

[Schedule]
Compact=true
CompactTime=01:00
CompactInterval=168

 

This configures a compaction every 168 hours (once a week) at 1:00 a.m.

 

  4. Save and close the configuration file.
  5. Restart the Content server for your changes to take effect.
  6. Repeat Step 1 to Step 5 for all your Content servers.

 


Exempting the app means the app will be able to access and share company data.

Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"

Name : Firefox
Product Name : O=MOZILLA CORPORATION, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US
Publisher : *
File : firefox.exe
Min Version : *
Max Version : *

Name : Chrome
Product Name : O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US
Publisher : *
File : chrome.exe
Min Version : *
Max Version : *


Currently, using the Regex filter to capture “Everything” is not allowed in a Microsoft 365 environment. This is by design.

A bit annoying when you want to apply a sensitivity label to all files.


Something went wrong. Here are some possible reasons.
Device already connected to org
Couldn't auto discover a management endpoint assigned to username. If you know your endpoint please enter it.
MDM server URL: blank; entering https://wip.mam.manage.microsoft.com/Enroll didn't work

 

  1. Checked for existing connections (if there is one, disconnect and reconnect again). There wasn’t one.
  2. Backup and delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments
  3. Try again. The existing connection popped up; disconnected and reconnected, and it is working now.

  • Needs a specific PDF reader

    https://docs.microsoft.com/en-us/azure/information-protection/rms-client/protected-pdf-readers

    Nitro PDF at the time of writing this does not work! Remember this will be for internal and external people reading a protected document.

  • Deployment of Microsoft Azure Information Protection Viewer (there is no Mac OSX client for Azure Information Protection)
    To read protected .txt files and image files; think of files that will be protected without a reader.

  • Authorized workflow or users to remove the sensitivity label
    If you want to send the document out of the organization to a user who is not set up in your company’s Azure AD (e.g. Guest Access), you will need a workflow that automates and logs this removal for compliance/auditing of a user with these permissions.

  • Sensitivity labelling
    1. Enabling sensitivity on a Teams or SharePoint library does not set it on the files underneath it.
    2. You can set a default document label; however, you will still need to encrypt old documents (see below).
    3. Auto-labelling technology to do this needs a license and is still in preview. License needed: Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 E5/A5 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2 provide the rights for a user to benefit from automatic sensitivity labeling.
    4. Use the Microsoft Cloud App Security dashboard with a File Policy to tag the files (still needs the above license).

  • Breaks co-authoring
    Can only use the web version of Office for document co-authoring.

  • Needs the latest version of Office 365 for client-side labelling modifications
    Remember any external people you are sharing with will need this as well to open the files.

 

 

 

A WNDAP360 can be in Standalone mode, or it can be managed by a Wireless Controller.

If you want to change the type (Managed to Standalone mode) you need to flash the device firmware. Performing a factory reset (holding down the Reset button) just resets the web GUI login password.

Firmware upgrade sequence for WNDAP360 from 2.x:
  V2.1.11 -> V2.1.12 -> V3.5.20.0 – Correct sequence.

Download the firmware files from here:

https://www.netgear.com/support/product/WNDAP360.aspx#download

See – View Previous Versions

Once downloaded, unzip the .tar files!

Log in to the web portal of the managed WNDAP360 and upload the first firmware, V2.1.11 (.tar) (I used Chrome).

What you will see on the serial console cable connection is the device restarting straight away and then waiting at the prompt below. Leave the web browser open.

######################### Start SysMon Entity [30] #########################
# Name=RFID Mgr, Path=/ft/bin/rfid_mgr, Type=0
######################### Start SysMon Entity [31] #########################
# Name=RFID Serial Comm, Path=/ft/bin/rfid_serial_comm, Type=0
Executing file /FT_CONF/prepare_upgrade
********* Waiting for Upgrade file *********

Wait on this screen for a few minutes 

Netgear mips #1 Tue Dec 6 11:52:49 IST 2016 (none)
Netgear login:
FACDEF_DRV: Disabling watchdog
TERM

You should then see it formatting the file system and rebooting again.

Once ready, you can upload V2.1.12 (this takes a while as it has to encrypt the filesystem).

Then V3.5.20.0 and whatever’s the latest!


Recently I was working on a proof of concept enabling a MAM policy to lock down and protect an application (Teams) on a device that is not enrolled in Intune, and the File Ownership prompt shown in guides was not appearing.

The Intune license was applied to the user, the user was enabled for MAM User Scope, and the MAM policy was applied to the user.

However, there was still no file ownership and no encryption of files. It turns out the device has to be joined to the company's Azure AD (or local AD and Hybrid) for this to happen and display the info box.

This will show you it's enrolled in MAM (not MDM).

After this, File Ownership is displayed!
