this post was submitted on 04 Oct 2023
29 points (93.9% liked)
Sysadmin
7676 readers
90 users here now
A community dedicated to the profession of IT Systems Administration
No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Hey, sorry to say but not seeing this at all. About 60 customers, each between 30-200 staff, in Australia region. Almost all of them have reasonable conditional access policies managing maximum login times per app, requirements for device compliance for data sync and geo-restrictions and longer login times for known sites, as well as standard mfa requirements.
Id say there's something else in your stack. We monitor many of our customers with 3rd party tools too, including Arctic Wolf for seim /SOC alerts and triage and isolation if AAD accounts are breached. Sentinel one with integration in aad too. Though personally I feel like most medium and small businesses would be better served with the already included defender for business. A topic for a different day.
But no unusual requirement for cleaning cache and such to ensure the policies we configure act as we expect.
I've seen different tenants act differently of course in the past. But nothing right now I can suggest. I'd personally start doing a/b testing and reviewing all logs relative and see what impact before and after has on logs.
Anyway sounds frustrating so good luck.
Thanks for you insight, your environment sounds ways more complex but then again, miles better configured.
After some research it now seems to point to a registry cleaning script used to clean up bizarre amounts of entries created by certain printer drivers that were added each time a user logs on or off.
We aren't sure yet since it can easily not happen for a few weeks out of itself but fingers crossed!
Thanks for taking the time to respond as I have should way faster..
I've seen something similar to this before in remote desktop servers where user redirected printers end up bloating registries to the point login times exceed processing limits and so not all the configuration in the registry or group policy gets processed. Each redirected printer gets created and never pegged, and it's unique to that rdp session so they are duplicated to infinity over time. Glad you found it out, the only point with the complexity is I was trying to explain that it being complex doesn't mean it won't be robust if it's still implemented without conflicts so you can rule that out (if you've ruled out conflicts) . Sounds like you found the culprit in the end! Good work.