Permanent event monitoring

[Hammer, Erich F]

I have an interest/need to set up some permanent event monitoring items which I only recently learned even existed, and I am struggling to find good current information. It seems like a really useful and powerful tool -- especially if it could be mixed with PowerShell scripts.

There is some older (7-15 year-old) information out there, but it seems to mostly focused on VBscript and/or MOF files. I strongly dislike VBscript and know nothing about MOFs. When I ask questions about using PowerShell with events, I get a mix of "it's designed for VBscript, not PowerShell", and when I ask about using VBscript, I get "VBscript is outdated, use PowerShell". Neither is particularly useful, and it feels like it is somewhat of a "lost art".

There is MS development documentation, but I am not a programmer so that only helps give me a sense of some options. I need a little bit of hand-holding, I guess. Are Event Monitors only used by developers and not sysadmins? The most useful pages I've found are:

https://learn-powershell.net/2013/08/02/powershell-and-events-wmi-temporary-event-subscriptions/
https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/
https://www.scriptrunner.com/en/blog/events-powershell-wmi/

But the examples there only deal with logging. I need to understand options around using scripts that take action in relation to the event being monitored. In particular, I can't seem to find anything on how to use the properties of the event within the script that gets started when the event trips.

Does anyone here have a good, more current resource (online or not) for creating functional, permanent, event monitors that utilize PowerShell?

Thanks,
Erich

[Michael B. Smith]

Please give me an example of what you want to do.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/BY5PR04MB64059FD98E3EF848EA807A39CC4B9%40BY5PR04MB6405.namprd04.prod.outlook.com.

[Hammer, Erich F]

I can imagine lots of useful future things, but what I'm trying to do at the moment is monitor a particular "drop box" for PDFs so they can be immediately printed. (I won't explain the why unless someone is desperate to go to sleep.)

I have a working Event Filter, but I can't figure out how to pass the filename to the Consumer (script) that actually kicks off the print job. My preference is to use a CommandLineEventConsumer to run a PowerShell script, but I can probably scratch together a VBscript to embed in an ActiveScriptEventConsumer if that is the only option. (I would actually prefer to embed PowerShell as the ActiveScriptEventConsumer ScriptText, but apparently that is not possible despite MS's documentation that it "runs a predefined script in an arbitrary scripting language".)

Thanks,
Erich


On Wednesday, January 5, 2022 at 08:50, Michael Smith eloquently inscribed:

[Michael B. Smith]

The blogs you quote are very very old and I don't think that's the way I would pursue things right now.

"...in an arbitrary scripting language supported by the Windows Scripting Host..."

You want something like this?

$folder = 'C:\Scripts\Test'
$filter = '*.*'
$destination = 'C:\Scripts\Test2'
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{
IncludeSubdirectories = $true
NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'
}

$onCreated = Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action {
$path = $Event.SourceEventArgs.FullPath
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host "The file '$name' was $changeType at $timeStamp"
Write-Host "Moving $path to $destination"
Move-Item -LiteralPath $path -Destination $destination -Force -Verbose

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/BY5PR04MB64059E7CB72CD7A22BD8F334CC4B9%40BY5PR04MB6405.namprd04.prod.outlook.com.

[Hammer, Erich F]

Michael,

Thank you for looking at this. I do realize that those blogs are downright "ancient", but those are the best ones for *permanent* event watchers.

The sample code utilizing .NET functions that you provided is very much like my first foray into this. I also built a second mini-script that uses Register-CimIndicationEvent. The problem both of those are temporary. Once the console closes, it ends. It doesn't survive a reboot. Boe Prox talks about that in the second link of my original email. This "paleolithic" blog (discussing VBscript and MOF language) explains the more troublesome disadvantages of temporary event monitoring:

https://www.codeproject.com/articles/28226/creating-wmi-permanent-event-subscriptions-using-m#5.TemporaryEventConsumers4

TLDR: The event consumer can be easily stopped, but the event notifications continue until the Winmgmt service is halted.

I've been assuming that because this ability to establish a custom, low-level monitoring solution with a world of possible actions could be so useful that more people were using it, and I was just not smart enough to either find their discussions/work or figure it out myself. I guess I am wrong (yet again).

Thanks,
Erich


On Wednesday, January 5, 2022 at 17:24, Michael Smith eloquently inscribed:

[Michael B. Smith]

Now I understand.

I do this with scripts I start in Task Scheduler at reboot and that I check if they are still running every 5 minutes.

Because I couldn't solve the problems you are trying to solve now. Perhaps I could now (it's been at least 5 years since I last looked at this in detail), but I couldn't before.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB64167A2994CBE946BE579ECACC4C9%40MN2PR04MB6416.namprd04.prod.outlook.com.

[Markus Klocker]

Ever thought on creating a task that is triggered by an event?
Would this help?

    Markus

[Kurt Buff]

Does WEF and a centralized logging system meet your need? Setting up alerting on that shouldn't be too hard (sez I, with few programming chops).

For instance, this is for threat hunting, but uses WEF, sysmon and PowerBI and such - perhaps it could be repurposed for your needs:

https://github.com/jepayneMSFT/WEFFLES

Unfortunately, the blog she refers to on that page has disappeared, but you find info on it scattered here and there.

Kurt

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/BY5PR04MB64059FD98E3EF848EA807A39CC4B9%40BY5PR04MB6405.namprd04.prod.outlook.com.

[Hammer, Erich F]

If I could use a scheduled task that would be fine, but I how would I configure an event trigger for a PDF file created in a particular directory? Even then, I'd be in the same boat of trying to pass the file name to the script that would run.

Thanks for the comment though.

Erich

On Monday, January 10, 2022 at 01:38, Markus Klocker eloquently inscribed:

[Jim Kennedy]

Auditing on the directory would give you an event to trigger on. This looks promising:

https://cloudrobots.net/2014/08/24/trigger-a-powershell-script-from-a-windows-event/

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB641691CE16AD7E38AA46D123CC509%40MN2PR04MB6416.namprd04.prod.outlook.com.

[Michael B. Smith]

Yep, I use this extensively (and so does WEFFLES that Kurt mentioned previously).

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR11MB3821C4B187B4380E9F7DB882F6509%40MN2PR11MB3821.namprd11.prod.outlook.com.

[Michael B. Smith]

Use the Register-ObjectEvent with a "sleep 300" or whatever. Or file auditing. Or wrap the PS in a service.

-----Original Message-----
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Hammer, Erich F

Sent: Monday, January 10, 2022 10:06 AM
To: ntsys...@googlegroups.com

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB641691CE16AD7E38AA46D123CC509%40MN2PR04MB6416.namprd04.prod.outlook.com.

[Bill Zielinski]

I use this https://www.nodesoft.com/foldermonitor
It will watch a folder for changes with an include or exclude filter and perform an action or just a popup.

-----Original Message-----
From: 'Jim Kennedy' via ntsysadmin <ntsys...@googlegroups.com>

Sent: Monday, January 10, 2022 10:22 AM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] RE: Permanent event monitoring

Auditing on the directory would give you an event to trigger on. This looks promising:

https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcloudrobots.net%2F2014%2F08%2F24%2Ftrigger-a-powershell-script-from-a-windows-event%2F&amp;data=04%7C01%7Cbzielinski%40dcecu.org%7C12291b3896a44fc4c58708d9d44ceaa5%7C592da82ee36341e29e653ea245d7eb1a%7C0%7C0%7C637774250100929211%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=6vBGvOpRWAj3X0Ods385mddq9h22Vq9T2bsEhyIqkd4%3D&amp;reserved=0

>> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
>> .codeproject.com%2Farticles%2F28226%2Fcreating-wmi-permanent-&amp;dat
>> a=04%7C01%7Cbzielinski%40dcecu.org%7C12291b3896a44fc4c58708d9d44ceaa5
>> %7C592da82ee36341e29e653ea245d7eb1a%7C0%7C0%7C637774250100939203%7CUn
>> known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1ha
>> WwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=i9pp0PxNeJt7uSZQ%2BfM5mfhhqoCMAseA
>> 8Hd0xsCw8AM%3D&amp;reserved=0

>>>> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fl
>>>> earn-powershell.net%2F2013%2F08%2F02%2Fpowershell-and-events-wmi-&a
>>>> mp;data=04%7C01%7Cbzielinski%40dcecu.org%7C12291b3896a44fc4c58708d9
>>>> d44ceaa5%7C592da82ee36341e29e653ea245d7eb1a%7C0%7C0%7C6377742501009
>>>> 39203%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiL
>>>> CJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=OHSMjX5RRgtNxumujvs0
>>>> xJS4Sc5uxaIaS3qbjgOCHQk%3D&amp;reserved=0
>>>> temporary-event-subscriptions/
>>>> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fl
>>>> earn-powershell.net%2F2013%2F08%2F14%2Fpowershell-and-events-&amp;d
>>>> ata=04%7C01%7Cbzielinski%40dcecu.org%7C12291b3896a44fc4c58708d9d44c
>>>> eaa5%7C592da82ee36341e29e653ea245d7eb1a%7C0%7C0%7C63777425010093920
>>>> 3%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBT
>>>> iI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=mYnTnEeJb60N6sqPYRd1KkSA
>>>> hx5mqjALN4ZHf4lQw2Y%3D&amp;reserved=0
>>>> permanent-wmi-event-subscriptions/
>>>> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw
>>>> ww.scriptrunner.com%2Fen%2Fblog%2Fevents-powershell-wmi%2F&amp;data
>>>> =04%7C01%7Cbzielinski%40dcecu.org%7C12291b3896a44fc4c58708d9d44ceaa
>>>> 5%7C592da82ee36341e29e653ea245d7eb1a%7C0%7C0%7C637774250100939203%7
>>>> CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6
>>>> Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=8TWHj1aDFq845qP0fbxSO26xaED
>>>> uXo4WwSmt9s4XFiI%3D&amp;reserved=0

>>>>
>>>> But the examples there only deal with logging. I need to
>>>> understand options around using scripts that take action in
>>>> relation to the event being monitored. In particular, I can't seem
>>>> to find anything on how to use the properties of the event within
>>>> the script that gets started when the event trips.
>>>>
>>>> Does anyone here have a good, more current resource (online or not)
>>>> for creating functional, permanent, event monitors that utilize
>>>> PowerShell?
>>>>
>>>> Thanks,
>>>> Erich
>>>>
>>>>
>>>
>>
>


--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fntsysadmin%2FMN2PR04MB641691CE16AD7E38AA46D123CC509%2540MN2PR04MB6416.namprd04.prod.outlook.com&amp;data=04%7C01%7Cbzielinski%40dcecu.org%7C12291b3896a44fc4c58708d9d44ceaa5%7C592da82ee36341e29e653ea245d7eb1a%7C0%7C0%7C637774250100939203%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=ksjnLvMlyKnlHUN58fDOZoT8%2FTmlnJoK8NyW7rN35XE%3D&amp;reserved=0.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fntsysadmin%2FMN2PR11MB3821C4B187B4380E9F7DB882F6509%2540MN2PR11MB3821.namprd11.prod.outlook.com&amp;data=04%7C01%7Cbzielinski%40dcecu.org%7C12291b3896a44fc4c58708d9d44ceaa5%7C592da82ee36341e29e653ea245d7eb1a%7C0%7C0%7C637774250100939203%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=hKxuyCYRly1jTFfrGLlfwE7rdTRO%2FWY5H%2F7Sw2iWr9g%3D&amp;reserved=0.
________________________________
The information contained in this email is confidential and is intended solely for the use of the person identified and intended as the recipient. If you are not the intended recipient, any disclosure, copying, distribution, or taking of any action in reliance on the contents is prohibited. If you receive this message in error, contact the sender immediately and delete it from your computer. Personal e-mails are restricted by DCECU policy. As such, DCECU specifically disclaims any responsibility or liability for any personal information or opinions of the author expressed in this email. Dow Chemical Employees' Credit Union

[Hammer, Erich F]

That is monitoring logged events. I suppose if I set up a permanent event monitor to log the file creation and then use Scheduled Tasks to trigger on the event. (which is basically all this is), I could "Rube Goldberg" this (even more than it already is).

Maybe I'm going about this all wrong and there is a better solution to the ultimate problem...

As a publicly funded library, we have a legal obligation to provide access to our resources to the public. Because so much of our resources are digital/online, we have to allow patrons unaffiliated with the University to log onto the public computers. Because the computers are domain joined and require authentication to the domain, we need to give each of these patrons a unique, temporary credential set (restricted to the public machines). To simplify the circulation desk staff's job, we have a simple web app with a "print" button that identifies the next generic user account and password and that we wanted to trigger the printing to the fast, inexpensive receipt printer of a credential set and basic instructions for using them. (Libraries are also very much into privacy, so we won't require guest patrons to give us an email address to which we could send this.) Unfortunately, the Linux web server can't print to the receipt printers directly, nor to the print queue, but it can generate a PDF of what we want to print and drop it into a restricted, SMB fileshare. That's when what I'm trying to do kicks in. The fileshare is on a Windows box with access to the printer, but I need the file to print (nearly) immediately upon the creation of the file.

This started out as one of those "this should be pretty easy" mini-projects, and it is ridiculous how complicated it has become. Is there a better solution to this entire mess?

Thanks,
Erich


On Monday, January 10, 2022 at 02:35, Kurt Buff eloquently inscribed:

> https://learn-powershell.net/2013/08/02/powershell-and-events-
> wmi-temporary-event-subscriptions/
> https://learn-powershell.net/2013/08/14/powershell-and-events-
> permanent-wmi-event-subscriptions/

> https://www.scriptrunner.com/en/blog/events-powershell-wmi/
>
> But the examples there only deal with logging. I need to understand
> options around using scripts that take action in relation to the event
> being monitored. In particular, I can't seem to find anything on how to
> use the properties of the event within the script that gets started when
> the event trips.
>
> Does anyone here have a good, more current resource (online or not) for
> creating functional, permanent, event monitors that utilize PowerShell?
>
> Thanks,
> Erich
>
> -- You received this message because you are subscribed to the Google
> Groups "ntsysadmin" group. To unsubscribe from this group and stop
> receiving emails from it, send an email to
> ntsysadmin+...@googlegroups.com

> <mailto:ntsysadmin%2Bunsu...@googlegroups.com> . To view this

[James Iversen]

I use scheduled task event monitoring to run a script adding computers to a group on domain join...

Very helpful when the buggers join after being spun up in VDI.



From:        "Hammer, Erich F" <er...@albany.edu>
To:        "ntsys...@googlegroups.com" <ntsys...@googlegroups.com>
Date:        01/10/2022 10:41 AM
Subject:        RE: [ntsysadmin] Permanent event monitoring
Sent by:        ntsys...@googlegroups.com

---

ATTENTION: This email was sent from someone outside of NYCM.

That is monitoring logged events.  I suppose if I set up a permanent event monitor to log the file creation and then use Scheduled Tasks to trigger on the event. (which is basically all this is), I could "Rube Goldberg" this (even more than it already is).  

Maybe I'm going about this all wrong and there is a better solution to the ultimate problem...

As a publicly funded library, we have a legal obligation to provide access to our resources to the public.  Because so much of our resources are digital/online, we have to allow patrons unaffiliated with the University to log onto the public computers.  Because the computers are domain joined and require authentication to the domain, we need to give each of these patrons a unique, temporary credential set (restricted to the public machines).  To simplify the circulation desk staff's job, we have a simple web app with a "print" button that identifies the next generic user account and password and that we wanted to trigger the printing to the fast, inexpensive receipt printer of a credential set and basic instructions for using them.  (Libraries are also very much into privacy, so we won't require guest patrons to give us an email address to which we could send this.)  Unfortunately, the Linux web server can't print to the receipt printers directly, nor to the print queue, but it can generate a PDF of what we want to print and drop it into a restricted, SMB fileshare.  That's when what I'm trying to do kicks in.  The fileshare is on a Windows box with access to the printer, but I need the file to print (nearly) immediately upon the creation of the file.

This started out as one of those "this should be pretty easy" mini-projects, and it is ridiculous how complicated it has become.  Is there a better solution to this entire mess?  

Thanks,
Erich


On Monday, January 10, 2022 at 02:35, Kurt Buff eloquently inscribed:

> Does WEF and a centralized logging system meet your need? Setting up
> alerting on that shouldn't be too hard (sez I, with few programming chops).
>
> For instance, this is for threat hunting, but uses WEF, sysmon and
> PowerBI and such - perhaps it could be repurposed for your needs:

> https://urldefense.com/v3/__https://github.com/jepayneMSFT/WEFFLES__;!!EepO91JVOnUi!h6kSnVeT_rb1d2vjN1rMIkqFTV0qKuaWeNCk4m_7vO4hGO9YKSD7wJnkMPMKYg$

>
> Unfortunately, the blog she refers to on that page has disappeared, but you
> find info on it scattered here and there.
>
> Kurt
>
> On Wed, Jan 5, 2022 at 6:48 AM Hammer, Erich F <er...@albany.edu
> <

mailto:er...@albany.edu> > wrote:

>
>                  I have an interest/need to set up some permanent event monitoring
> items which I only recently learned even existed, and I am struggling to find
> good current information.  It seems like a really useful and powerful tool --
> especially if it could be mixed with PowerShell scripts.
>
>                  There is some older (7-15 year-old) information out there, but it
> seems to mostly focused on VBscript and/or MOF files.  I strongly dislike
> VBscript and know nothing about MOFs.  When I ask questions about using
> PowerShell with events, I get a mix of "it's designed for VBscript, not
> PowerShell", and when I ask about using VBscript, I get "VBscript is outdated,
> use PowerShell".  Neither is particularly useful, and it feels like it is somewhat
> of a "lost art".
>
>                  There is MS development documentation, but I am not a
> programmer so that only helps give me a sense of some options.  I need a
> little bit of hand-holding, I guess.  Are Event Monitors only used by
> developers and not sysadmins?  The most useful pages I've found are:
>

>                  https://urldefense.com/v3/__https://learn-powershell.net/2013/08/02/powershell-and-events-__;!!EepO91JVOnUi!h6kSnVeT_rb1d2vjN1rMIkqFTV0qKuaWeNCk4m_7vO4hGO9YKSD7wJmQ9MCrww$
> wmi-temporary-event-subscriptions/
>                  https://urldefense.com/v3/__https://learn-powershell.net/2013/08/14/powershell-and-events-__;!!EepO91JVOnUi!h6kSnVeT_rb1d2vjN1rMIkqFTV0qKuaWeNCk4m_7vO4hGO9YKSD7wJlz-f_YeQ$
> permanent-wmi-event-subscriptions/
>                  https://urldefense.com/v3/__https://www.scriptrunner.com/en/blog/events-powershell-wmi/__;!!EepO91JVOnUi!h6kSnVeT_rb1d2vjN1rMIkqFTV0qKuaWeNCk4m_7vO4hGO9YKSD7wJmGqhIA-Q$

>
>                  But the examples there only deal with logging.  I need to understand
> options around using scripts that take action in relation to the event
> being monitored.  In particular, I can't seem to find anything on how to
> use the properties of the event within the script that gets started when
> the event trips.
>
>                  Does anyone here have a good, more current resource (online or not) for
> creating functional, permanent, event monitors that utilize PowerShell?
>
>                  Thanks,
>                  Erich
>
>                  --                  You received this message because you are subscribed to the Google
> Groups "ntsysadmin" group.                  To unsubscribe from this group and stop
> receiving emails from it, send an email to
> ntsysadmin+...@googlegroups.com
> <

mailto:ntsysadmin%2Bunsu...@googlegroups.com> .                  To view this

> discussion on the web visit

> https://urldefense.com/v3/__https://groups.google.com/d/msgid/ntsysadmin/BY5PR04MB64059FD98E3EF__;!!EepO91JVOnUi!h6kSnVeT_rb1d2vjN1rMIkqFTV0qKuaWeNCk4m_7vO4hGO9YKSD7wJmmxMx_QA$
> 848EA807A39CC4B9%40BY5PR04MB6405.namprd04.prod.outlook.com.

>
>


--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB6416E8D9ED68824EA9863250CC509*40MN2PR04MB6416.namprd04.prod.outlook.com__;JQ!!EepO91JVOnUi!h6kSnVeT_rb1d2vjN1rMIkqFTV0qKuaWeNCk4m_7vO4hGO9YKSD7wJlYTVTPpg$ .










Join us on Facebook at www.facebook.com/NYCMInsurance.


***CONFIDENTIALITY NOTICE***

This email and any attachments to it are confidential and intended solely for the individual or entity to whom it is addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you have received this email in error, please contact the sender by reply email and destroy all copies of the original message.

[Hammer, Erich F]

I've been poking at a few other similar tools:

https://www.foldermill.com/
https://www.4-tech-engineering.com/

and was about to purchase the latter. Your suggestion has some nice options (e.g. a configuration file) though, so maybe I'll play with it first to see about getting it working as a service via NSSM.

Thanks,
Erich


On Monday, January 10, 2022 at 10:38, Bill Zielinski eloquently inscribed:

[Melvin Backus]

Is the inability of the Linux machine to print to that device permissions related or driver related?

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯

-----Original Message-----
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Hammer, Erich F
Sent: Monday, January 10, 2022 10:41 AM
To: ntsys...@googlegroups.com

To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB6416E8D9ED68824EA9863250CC509%40MN2PR04MB6416.namprd04.prod.outlook.com.

[Melvin Backus]

I'm just stabbing in the dark, but this certainly sounds like it does exactly what you're trying to accomplish.

https://powershell.one/tricks/filesystem/filesystemwatcher

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB64169FBE0EF7DD1714D640E9CC509%40MN2PR04MB6416.namprd04.prod.outlook.com.

[Hammer, Erich F]

Driver.

There is a PHP library for ESC/POS printers (https://github.com/mike42/escpos-php), but not only does it appear to not work (based on posts/requests and our testing) for the model receipt printers we have (Star TSP100III), if it were to work, the printer would need to be in a mode in which it wouldn't work for our other needs.

Erich


On Monday, January 10, 2022 at 12:14, Melvin Backus eloquently inscribed:

[Hammer, Erich F]

That is a nice writeup, but it is still discussing how to create/use temporary events, not permanent ones.


On Monday, January 10, 2022 at 12:18, Melvin Backus eloquently inscribed:

[Melvin Backus]

Then I've learned something new out of the discussion to put away for future use.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯

-----Original Message-----
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Hammer, Erich F
Sent: Monday, January 10, 2022 12:36 PM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] RE: Permanent event monitoring

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB6416B8C72BC16A98D0372605CC509%40MN2PR04MB6416.namprd04.prod.outlook.com.

[Glen Johnson]

Another stab in the dark?

And I’m just throwing this out as I have never tried to do what the OP is asking.

How about File Server Resource Manager and a custom file screen for PDFs?

I see there is a run a command, so if there is a way to pass the file name to that command, maybe there is a command line switch for something other than Adobe Acrobat Reader (foxit or some other pdf reader) that will print a file.  Looks like Adobe removed the command line print switch.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/1ADD796D2529E94DB4552E7C1F12A21A01BE87140C%40ATLEXCH04.byers.local.

 

[Hammer, Erich F]

Glen,

That might work, but it seems like overkill to add the FSRM role to the server that's not serving any other files just for this little thing.

Printing PDFs from the command line is pretty easy using SumatraPDF (https://www.sumatrapdfreader.org/docs/Command-line-arguments), and it's portable.

Thanks,
Erich


On Monday, January 10, 2022 at 14:12, Glen Johnson eloquently inscribed:

> Another stab in the dark?
>
> And I’m just throwing this out as I have never tried to do what the OP
> is asking.
>
> How about File Server Resource Manager and a custom file screen for PDFs?
>
> I see there is a run a command, so if there is a way to pass the file name to
> that command, maybe there is a command line switch for something other
> than Adobe Acrobat Reader (foxit or some other pdf reader) that will print a
> file. Looks like Adobe removed the command line print switch.
>

[brett...@hotmail.com]

One of your early questions was about using the event details. I took a look at this pcgeek86/PowerEvents: PowerEvents is a PowerShell module that assists in the registration of WMI permanent event subscriptions. (github.com) and in particular the example of restarting a service, and you can see it reading arguments in this script PowerEvents/Command Line - System Resumed - Restart Windows Service.ps1 at master · pcgeek86/PowerEvents (github.com). In fact the PowerEvents is an interesting approach that helps (in my mind at least) lay out the way these interact - or at least how he had them interacting... anyway, hope you find it helpful.

But personally, while I usually like to engineer things well, for the use case discussed this seems way over complicated, and I'd just resort to a simple loop/sleep pattern. You need a script running periodically, you pick the time interval, or you need a script wrapped into a service with a sufficently small rest time - me, I'd just have a scheduled task. It needs to pick up the PDF and deal with it. Anything not already dealt with at each pass of the processing loop needs to be dealt with. Dealing with it means printing as well as moving into a completed area (or deleting as you see fit for your use case) - the order might be important, so you may also want to move to a temporary location as the first thing, then print, then delete.  In my mind I'd have the scheduled task set to run say every 20 seconds and allow multiple instances to run. As it's a task, you also get resilience from server restarts... pretty much the only thing you don't get is resilience from scripts breaking / tasks failing to run, but if a library will call if the print didn't appear in a minute then that should cover most problems.  Yes, this is the simple approach and not using some of the niceties of event based approaches (speedier resolution) but has a more linear programming feel that anyone in my team would understand and be able to debug without much external research.

[Markus Klocker]

Maybe this could help along:
https://devblogs.microsoft.com/powershell-community/a-reusable-file-system-event-watcher-for-powershell/

Find-Module -Name "FSWatcherEngineEvent"

Version    Name                                Repository Description
-------    ----                                ---------- -----------
1.2        FSWatcherEngineEvent                PSGallery Provide file
system change notifications as powe...

Sounds like a very useful module to you :)

hth Markus

[Hammer, Erich F]

Markus,

That is a useful module, but I believe it is for temporary events only. I don't know C# enough to easily dig through the code, but based on the description, it is using the .NET libraries. Based on everything I researched, I believe the only way to have a permanent event watcher is through WMI/CIM with a WQL query.

If I am wrong, and the .NET flavor can make permanent event watchers, then there is an excellent opportunity for some expert somewhere to post a great tutorial/explanation on how to more-easily leverage such a potentially useful feature of Windows.

Thanks for the feedback though.

Erich


On Tuesday, January 11, 2022 at 04:04, Markus Klocker eloquently inscribed:

>>> powerful tool - - especially if it could be mixed with PowerShell

[Hammer, Erich F]

Brett,

I did look through the PowerEvents module in my investigation. While the example to which you linked does have PoSh code that accepts arguments it is not passing event properties. Ultimately, the commandlinetemplate string must either be parsed by PowerShell at creation (when the event doesn't exist yet), or parsed by the non-PowerShell command line interpreter (cmd.exe?) that is starting PowerShell. If that interpreter has access to the event details through a variable is exactly what I'm asking.

I did create a test event consumer to look for available environmental variables by saving the output of the "set" command, and saw nothing related to the event in question. Thus, I suspect what I'm asking is not possible via the commandline consumer. I have seen one glimmer of possibility using an ActiveScript consumer and an embedded VBScript, but I have to bone up on my VBScript (yuck!) to test it first.

That said, I agree that this has gotten overly complicated. ☺ At this point, I'm leaning heavily toward using NSSM to create a service that runs the Folder Monitor app (https://www.nodesoft.com/foldermonitor) that Bill Zielinski pointed me towards. That setup is testing well so far, and finding an answer to my question now is more about looking at interesting and seemingly unexplored possibilities.

Thanks,
Erich


On Tuesday, January 11, 2022 at 00:02, Brett .. eloquently inscribed:

> One of your early questions was about using the event details. I took a
> look at this pcgeek86/PowerEvents: PowerEvents is a PowerShell module
> that assists in the registration of WMI permanent event subscriptions.

> (github.com) <https://github.com/pcgeek86/PowerEvents> and in

> particular the example of restarting a service, and you can see it
> reading arguments in this script PowerEvents/Command Line - System
> Resumed - Restart Windows Service.ps1 at master · pcgeek86/PowerEvents
> (github.com)

> <https://github.com/pcgeek86/PowerEvents/blob/master/Samples/Event%
> 20Consumers/Windows/Command%20Line%20-
> %20System%20Resumed%20-%20Restart%20Windows%20Service.ps1> . In fact the

[don.l....@gmail.com]

Sysmon EventID #11 [FileCreate] (if not mentioned/considered already)?

 

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. 

Sysmon - Windows Sysinternals | Microsoft Docs

 

DonP

--

You received this message because you are subscribed to the Google Groups "ntsysadmin" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB64169FBE0EF7DD1714D640E9CC509%40MN2PR04MB6416.namprd04.prod.outlook.com.

 

[Hammer, Erich F]

Don,

I am not familiar with Sysmon, but glancing through that page, I agree that combined with a scheduled task to watch for the log entry would probably work. Good suggestion.

Do you have any recommended Sysmon tutorials? That documentation gives a good overview of what it can do, but the description of how configuration works appears (to me) to be sorely lacking.

Thanks,
Erich


On Wednesday, January 12, 2022 at 02:38, Don L.pickard eloquently inscribed:

> Sysmon EventID #11 [FileCreate] (if not mentioned/considered already)?
>
> System Monitor (Sysmon) is a Windows system service and device driver
> that, once installed on a system, remains resident across system reboots
> to monitor and log system activity to the Windows event log. It provides
> detailed information about process creations, network connections, and
> changes to file creation time.
>
> Sysmon - Windows Sysinternals | Microsoft Docs

> <https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-
> id -11-filecreate>
>
> DonP

>
> From: Hammer, Erich F <mailto:er...@albany.edu> Sent: Tuesday, 11
> January 2022 3:58 AM To: ntsys...@googlegroups.com
> <mailto:ntsys...@googlegroups.com> Subject: RE: [ntsysadmin] RE:
> Permanent event monitoring
>
> I've been poking at a few other similar tools:
>
> https://www.foldermill.com/
>
> https://www.4-tech-engineering.com/
>
> and was about to purchase the latter. Your suggestion has some nice
> options (e.g. a configuration file) though, so maybe I'll play with it
> first to see about getting it working as a service via NSSM.
>
> Thanks,
>
> Erich
>
> On Monday, January 10, 2022 at 10:38, Bill Zielinski eloquently
> inscribed:
>
>> I use this https://www.nodesoft.com/foldermonitor
>>
>> It will watch a folder for changes with an include or exclude filter
> and perform
>
>> an action or just a popup.
>>
>>
>>

> wrote on rom: 'Jim Kennedy' via ntsysadmin <ntsys...@googlegroups.com>:

>> To: ntsys...@googlegroups.com
>>
>> Subject: RE: [ntsysadmin] RE: Permanent event monitoring
>>
>>
>>
>> Auditing on the directory would give you an event to trigger on. This
>>
>> looks promising:
>>
>>
>>
>>
> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fclou
>
>> drobots.net%2F2014%2F08%2F24%2Ftrigger-a-powershell-script-from-a-
>>
>> windows-
>>
>>
> event%2F&amp;data=04%7C01%7Cbzielinski%40dcecu.org%7C12291b3896a4
>
>>
> 4fc4c58708d9d44ceaa5%7C592da82ee36341e29e653ea245d7eb1a%7C0%7C0
>
>>
> %7C637774250100929211%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
>
>>
> wMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;s
>
>>
> data=6vBGvOpRWAj3X0Ods385mddq9h22Vq9T2bsEhyIqkd4%3D&amp;reser ved=0
>
>>
>>

> wrote on rom: ntsys...@googlegroups.com <ntsys...@googlegroups.com>:

>>>> wrote on Erich F Sent::

>>>>> Subject: [ntsysadmin] RE: Permanent event monitoring
>>>>>
>>>>>
>>>>>
>>>>> I can imagine lots of useful future things, but what I'm trying to
>>>>>
>>>>> do at the moment is monitor a particular "drop box" for PDFs so
> they
>
>>>>> can be immediately printed. (I won't explain the why unless
> someone
>
>>>>> is desperate to go to sleep.)
>>>>>
>>>>>
>>>>>
>>>>> I have a working Event Filter, but I can't figure out how to pass
>>>>>
>>>>> the filename to the Consumer (script) that actually kicks off the
>>>>>
>>>>> print job. My preference is to use a CommandLineEventConsumer to
>>>>>
>>>>> run a PowerShell script, but I can probably scratch together a
>>>>>
>>>>> VBscript to embed in an ActiveScriptEventConsumer if that is the
>>>>>
>>>>> only option. (I would actually prefer to embed PowerShell as the
>>>>>
>>>>> ActiveScriptEventConsumer ScriptText, but apparently that is not
>>>>>
>>>>> possible despite MS's documentation that it "runs a predefined
>>>>>
>>>>> script in an arbitrary scripting language".)
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Erich
>>>>>
>>>>>
>>>>>
>>>>> On Wednesday, January 5, 2022 at 08:50, Michael Smith eloquently
>>>>>
>>>>> inscribed:
>>>>>
>>>>>
>
>>>>>> Please give me an example of what you want to do.
>>>>>>
>>>>>>
>>>>>>

>>>>> wrote on ent::

[Erik Goldoff]

plenty of hits on Google, but a couple that might meet your needs :

Sysmon: How to Set Up, Update, And Use? | CQURE Academy

Sysinternals Tool Sysmon Usage Tips and Tricks - InfoSec Memo (51sec.org)

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB64165B08957E250CAE87248CCC529%40MN2PR04MB6416.namprd04.prod.outlook.com.

[Jim Behning]

I had to move one of my domains from a private domain name to a public domain. My public and AD domain is - - -fay.com. Godaddy is hosting our publicly accessible website. The only reason to go from a private internal domain name to a public one is to allow me to buy a certificate for the internal website which is not exposed to the real world.  Requirement of some practice management software.

 

I have two internal AD domains, - - -fay.com and dhc.lan I have conditional forwarders and trust relationships between the two domains. I can ping the workstations on - - -fay.com by fully qualified name with all the dots but not by NetBIOS name. Not particularly unexpected. The two servers I have on - - -fay.com I have entries in AD DNS on dhc.lan so I can ping them by NetBIOS name.

 

The blah blah blah is someone on the dhc.lan edits the website for - - -fay.com. She can get to Godaddy web hosting product and edit but cannot audit her changes by opening a browser on her dhc.lan workstation. I tried guessing what ip I might make over on the - - -fay.com internal AD DNS and www.- - -fay.com web page never comes up. Pings are successful. I have tried all three web page listed when I use mxtoolbox.com GoDaddy support said I have a www entry. None of the ip listed got me to the company external website. Yes I did dns cache flush and ipconfig/flushdns on both AD servers so new pings to www.- - -fay.com came up with a different ip each time I made an entry in the DNS manager over at AD - - -fay.com

 

Another thing to note. I have a dns entry for remote.- - -fay.com that pops up properly on mxtoolbox. That remote access has been killed. Too many foreign attacks coming in. Now we use Duo and VPN if someone needs to get in and look at internal resources. Anyhow when I do the mxtoolbox query for www.- - -fay.com it comes back with the same answer as a query to - - -fay.com. Does that mean that there isn’t technically a proper www entry at Godaddy’s DNS and they are just using some alias of some sort? Kind of like a http goes to https these days.

 

I suspect I may be silly trying obfuscate the domain name as I am blocking things at the firewall and the public DNS has no entries for our private internal AD domain.

 

Note that I am not doing any Azure. I am working old school low cost up to date with patches Windows servers, no expensive cloud computing, cloud domains, cloud O365.

 

Any browser query to https://www.- - -fay.com pops over to https://- - -fay.com. If www had proper entries at GoDaddy’s DNS manager then maybe it could work?

 

Sorry for the long ramble, trying to toss out all relevant or possibly relevant observations.

 

By the way if I know you and you are curious I can email you the real domain name. Technically I only “know” a few folks from the SBS groups.

 

Jim Behning
404-643-8863

 

---

This email has been checked for viruses by Avast antivirus software. www.avast.com

[Michael B. Smith]

I can’t parse these 2 sentences:

 

I tried guessing what ip I might make over on the - - -fay.com internal AD DNS and www.- - -fay.com web page never comes up.

 

I have tried all three web page listed when I use mxtoolbox.com GoDaddy support said I have a www entry.

 

Whut?

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/00CAC7E9-1891-4C9D-8CF9-532AF0CB42A0%40hxcore.ol.

[Philip Elder]

I think, if I understand things correctly, I would have just set up an AD Forward Lookup Zone for the public domain and set a DNS A for www to point to the internal server’s IP?

 

In SBS we’d have remote.domain.com point to the SBS LAN IP while outside the LAN it pointed to the WAN IP via hosted DNS.

 

A trusted third party certificate would be used for remote.domain.com without issue.

 

I’m not sure I’m understanding the reason behind establishing a full ADDS Forest/Domain for this purpose?

 

Philip Elder MCTS

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Jim Behning
Sent: January 12, 2022 11:03
To: ntsys...@googlegroups.com
Subject: [ntsysadmin] Split domain dns entries and conditional forwarders

 

I had to move one of my domains from a private domain name to a public domain. My public and AD domain is - - -fay.com. Godaddy is hosting our publicly accessible website. The only reason to go from a private internal domain name to a public one is to allow me to buy a certificate for the internal website which is not exposed to the real world.  Requirement of some practice management software.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/00CAC7E9-1891-4C9D-8CF9-532AF0CB42A0%40hxcore.ol.

[Jim Behning]

The first paragraph should have said. I went to mxtoolbox.com and queried - - - fay.com and got three IP results. In AD DNS, based on those three results I made an entry for www using the first IP.

 I entered them one at a time and tried to go to www.- - -fay.com and the web page would not come up.  On the DC I would ping the fqdn from an elevated command prompt. Fqdn would resolve based on the AD DNS entry but I could not see the page from a web browser. I would purge that record. I created a new www entry to a new IP discovered at mxtoolbox.com. I would purge DNS cache on the AD DNS server. I would ipconfig/flush DNS. I would ping the www record and it would show the new IP. Browsing to www.- - -fay.com would not work. Browsing kept flopping over to https://- - -fay.com. The browser kept stripping the www from the url. 

In the second sentence I meant to say I entered all three web servers listed on mxtoolbox's domain queries. GoDaddy claims I have a record for www. When I enter the fqdn www.- - -fay.com it returns the same values or table as if I queried without the www. This is a different looking answer from query of remote.- - -fay.com at mxtoolbox.com. There should have been a period after mxtoolbox.com in the sloppy sentence first posted.

At home after I disconnect my office VPN connection I go to a command prompt. I ping www.- - -fay.com and get a different ip then the ones listed at mxtoolbox.com. I start up my office VPN connection and get to the AD DNS and try that other IP for www. Still does not work.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/c3f66c36346b418f98ce5d089fa5919a%40smithcons.com.

[Philip Elder]

Sites will have redirects for www to @. That’s probably what’s happening. Remove the redirect and set the site to default to www. Instead of @.

 

Philip Elder MCTS

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

 

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CALOTwGYbsJTOzWrxN2yFQw6%3DA2uyK%2BP%2BGC2Js%3DoMfR%2B2-CBZ5Q%40mail.gmail.com.

[Michael B. Smith]

Concur.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Philip Elder
Sent: Wednesday, January 12, 2022 2:44 PM
To: ntsys...@googlegroups.com

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/f0658bc3952748f7a455eafcb16c395e%40MPECSInc.Ca.

[Jim Behning]

I cannot purchase a certificate for summitserver.gmed.lan. I can only purchase a certificate for a real world domain I own and manage and use it on the internal domain which I move from gmed.lan to - - -fay.com. 

I have a shared folder on summitserver that users on DHC.lan need to place files on. Security on that folder is set using AD. I need to trust the DHC.lan and - - -fay.com domains so I used conditional forwarders. That conditional forwarding and domain trusts has been working fine for 5 years. I had to recreate the trust with the new domain of course. The certificate requirement is causing the wheels to fall apart in web browsing to the external web page.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/713093ef1a5c416bbe876022993c0402%40MPECSInc.Ca.

[Jim Behning]

I will look at the GoDaddy DNS for the @ when I get to that office. Driving there to look at a 6 month old PRI outbound calls issue that a half dozen or more trouble tickets has not cleared. Sitting at the side of the road trying to clarify my confusing description of the problem.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/f0658bc3952748f7a455eafcb16c395e%40MPECSInc.Ca.

[Philip Elder]

Yes, and that’s what is in my explanation as far as the split DNS setup we received with SBS.

 

We still run with split DNS across the board unless we’re setting up a greenfield then we run with a public domain that’s set up for the purpose with a 10 year registration.

 

So, the site is hosted internally. That means that:

• Internal domain setup FLZ
  • DNS A: MyDomain.Local IP = DC
• Internet Domain Setup FLZ
  • DNS A: Domain.Com IP = IIS/*NIX host IP
  • DNS A: www.Domain.Com IP = IIS/*NIX host IP

 

Our lab setup is not online at the moment otherwise I’d snip the DNS forward lookup zones (FLZs) to give a visual.

 

SSL certificates for www.MyDomain.Com and/or MyDomain.Com are moot in that it does not matter where the site is hosted internal or external so long as the DNS is split correctly.

 

If both Internet and Intranet are named the same: MyDomain.Com and the site is hosted @ (which is MyDomain.Com) then you’re in big trouble. There’s hoops to run through in order to get it to work, but both the same means MyDomain.Com = DC IP.

 

As to the site’s setup, I find folks that code sites like to have www redirected to @ (MyDomain.Com) and code the site accordingly. Thus, to flip the site to www.MyDomain.Com with a redirect for @ to same the folks that manage the site need to update their code.

 

I hope that makes things clearer?

 

Philip Elder MCTS

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Jim Behning

Sent: January 12, 2022 12:51
To: ntsys...@googlegroups.com

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CALOTwGb2yUQzFtsq095gWHC48RrXpA13%3DP7xPn1oGycEBE%3DVjg%40mail.gmail.com.

[Jim Behning]

I am in the GoDaddy DNS manager. They have a cname record for www that points to - - -fay.com. My quick reading of cname is that record should force the browser to query for - - -fay.com. Given that we host that domain internally in our AD, the browser would get a dud IP of 192.168.13.4 which is the IP of the internal domain.

I am not seeing any @ signs that are giving me clues. GoDaddy support says they support what we see and have. Anything else is custom DNS which is ours to figure out. If I could figure out how to remove the www cname at GoDaddy and create an A record for www maybe I could get somewhere. 

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/eb461b06eac04a86afc9d16c1fdcf831%40MPECSInc.Ca.

[Michael B. Smith]

There should be an edit button on the right-hand side of the window

 

Click it.

 

Change the CNAME to an A record and change the value to the IP you want.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CALOTwGbxQ--oiZVDuqXxFLbWxADrF1jF2Zf4otcLqhULj0YDiQ%40mail.gmail.com.

[Philip Elder]

Okay, I see the problem here.

 

Let’s back the truck up to the beginning.

 

Internet: DNS A/CNAMEs point to Web Site IP on the WAN port that publishes to the IIS/Apache/NGINX server hosted internally.

^^^

This does NOT get touched.

 

What is a SPLIT DNS?

 

Answer: It is where the INTERNAL DC/DNS setup gets split up into:

INTERNAL: MyDomain.Local

EXTERNAL: MyDomain.Com

BOTH of the above Forward Lookup Zones would be hosted on the internal domain’s Domain Controllers that host the DNS Role.

 

One does NOT touch the Internet DNS settings.

 

All of the configuration is done on the internal network’s DC/DNS servers.

 

I hope that makes things clearer?

 

Philip Elder MCTS

Senior Technical Architect

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CALOTwGbxQ--oiZVDuqXxFLbWxADrF1jF2Zf4otcLqhULj0YDiQ%40mail.gmail.com.

[don.l....@gmail.com]

Hey Erich, I’ve not personally spent time with sysmon but it gets mentioned in InfoSec circles quite a bit and special mentions by SwiftOnSecurity GitHub - SwiftOnSecurity/sysmon-config: Sysmon configuration file template with default high-quality event tracing

 

Regards

--

You received this message because you are subscribed to the Google Groups "ntsysadmin" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB64165B08957E250CAE87248CCC529%40MN2PR04MB6416.namprd04.prod.outlook.com.

 

[Kurt Buff]

Sysmon is at the heart of my recommendation: WEFFLES.

Sysmon is used heavily in defending Windows environments. It isn't
perfect, but it carries a lot of weight for its capability.

Kurt

> To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/09BBCF44-F818-41F5-B358-53DE8B707FCA%40hxcore.ol.