<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://thepc.co/feed.xml" rel="self" type="application/atom+xml" /><link href="https://thepc.co/" rel="alternate" type="text/html" /><updated>2026-02-07T00:24:26+00:00</updated><id>https://thepc.co/feed.xml</id><title type="html">thepc.co</title><subtitle>I like to create stuff, play stuff, and learn new things along the way...</subtitle><entry><title type="html">Testing Action1’s Patch Management Solution</title><link href="https://thepc.co/action1;/patch/management;/mdm/2025/11/08/testing-action1.html" rel="alternate" type="text/html" title="Testing Action1’s Patch Management Solution" /><published>2025-11-08T05:00:02+00:00</published><updated>2025-11-08T05:00:02+00:00</updated><id>https://thepc.co/action1;/patch/management;/mdm/2025/11/08/testing-action1</id><content type="html" xml:base="https://thepc.co/action1;/patch/management;/mdm/2025/11/08/testing-action1.html"><![CDATA[<p>This week I dived into testing some endpoint automation tools. These can be invaluable tools that SMBs can use to reduce their endpoint risks and start to get a grasp on their fleet of servers, workstations, and all installed software. In simple terms, you install a lightweight agent on each of your endpoints that then reports back to Action1’s cloud dashboard. In this dashboard, you can schedule and push out OS updates, third-party application patches, run reports of vulnerabilities, and set up alerts on high-risk devices. Some of these tools even have the capability to do screensharing for help-desk sessions. All of the ones I am testing have at least some component of self-hosting, and all or some of the features mentioned above. For my first test, I am using <a href="https://www.action1.com/">Action1</a>. Action1 touts itself as a replacement for WSUS and a great tool for “work-from-anywhere workplaces with no VPN”. 
They are SOC 2 Type II certified and highlight some large customers like eBay, Coca-Cola, and Nestle. Their co-founder, Mike Walters, is also the co-founder of the data-security tool Netwrix.</p>

<h3 id="sign-up-and-setup">Sign-up and Setup</h3>
<p>Action1 has a pretty generous free tier; you can manage up to 200 endpoints for free. Additionally, the sign-up process, downloads, and documentation are free and open, with no sales demos or calls needed. Check out the full details of the free tier here: <a href="https://www.action1.com/free-edition/">https://www.action1.com/free-edition/</a></p>

<p>After creating an account, you are brought to an empty dashboard. Simply download and install the relevant agent for your OS (Windows or macOS) and you will start seeing your dashboard populate with data. Note that Linux support is on their roadmap and coming soon. I have to say, it is quite a nice layout:</p>

<p><img src="/img/act1_1.png" alt="act1_1" title="Action1 Dashboard" /></p>

<h3 id="automating-agent-deployment">Automating Agent Deployment</h3>
<p>For SMBs, you won’t want to be manually installing the Action1 agent on all your endpoints. Instead, you will want to use Action1 Deployer. The requirements for the deployer are pretty basic; check them out here: <a href="https://www.action1.com/documentation/action1-deployer-recommended/">https://www.action1.com/documentation/action1-deployer-recommended/</a>. You will also need to set up a service account that will have admin permissions on the endpoints you plan on managing. This service account needs:</p>

<p><img src="/img/act1_2.png" alt="act1_2" title="Service Account Requirements" /></p>

<p>As recommended, I created a service account specific to Action1. I then added that service account to the AD group that I have added as an administrator on all workstations.</p>

<p>To run the deployer, I spun up a Server 2022 VM and launched the Action1 Deployer installer. After installation, the deployer launches a cmd window and prompts for your service account and its credentials. This is where I ran into my first issue. For the life of me, I could not get it to accept the service account’s password. After trying everything I could think of, I ran across a <a href="https://www.reddit.com/r/Action1/comments/1iy130e/active_directory_deployer_password_character_issue/">Reddit</a> post of someone with the same issue. Apparently, it has to do with some password characters? Well, a reset of my service account’s password to…something else…fixed the issue, and I was on to the next speed bump. And that was that the Action1 service would not start. This one I didn’t need Reddit for; it was because my service account didn’t have permissions to start the service on my Deployer server. Maybe Action1 assumes that you will give it administrative permissions, or maybe I completely missed that requirement (I still can’t find it), but adding the account as an admin on the server fixed the issue.</p>

<p><img src="/img/act1_3.png" alt="act1_3" title="Deployer Account Setup" /></p>

<p>Now that the Deployer service is humming along, back in the Action1 console it is connected and ready for configuration. This configuration is pretty basic: what do you want it to push the agent to? Add in your OUs and exclude/include anything you want:</p>

<p><img src="/img/act1_4.png" alt="act1_4" title="Agent Deployment Setup" /></p>

<h3 id="push-some-updates">Push some Updates</h3>
<p>Now that the agent is installed on some workstations, I pushed a simple Microsoft Edge update to test:</p>

<p><img src="/img/act1_5.png" alt="act1_5" title="Pushing an update" /></p>

<p><img src="/img/act1_6.png" alt="act1_6" title="Pushing an update" /></p>

<p><img src="/img/act1_7.png" alt="act1_7" title="Pushing an update" /></p>

<p><img src="/img/act1_8.png" alt="act1_8" title="Pushing an update" /></p>

<p>Super simple. Select the update, set who gets it, schedule it, and watch it go. All in, it took about 10 mins for the update to hit the workstation and start installing.</p>

<h3 id="push-some-apps">Push Some Apps</h3>
<p>Now let’s push a third-party application out. Here I am installing 7-Zip on a Windows 11 workstation:</p>

<p><img src="/img/act1_9.png" alt="act1_9" title="Pushing an application" /></p>

<p><img src="/img/act1_10.png" alt="act1_10" title="Pushing an application" /></p>

<p><img src="/img/act1_11.png" alt="act1_11" title="Pushing an application" /></p>

<p><img src="/img/act1_12.png" alt="act1_12" title="Pushing an application" /></p>

<p><img src="/img/act1_13.png" alt="act1_13" title="Pushing an application" /></p>

<p><img src="/img/act1_14.png" alt="act1_14" title="Pushing an application" /></p>

<p>Just like with the Edge update, the third-party app push was simple and quick.</p>

<h2 id="wrap-up">Wrap-up</h2>
<p>In just a few hours I was able to set up Action1 and its automated agent deployment tool. I really like the modern user interface of Action1’s dashboard. It seems to have plenty of items in its toolbox and some decent reporting capabilities. I also like the option of using the Action1 deployer to ensure that any newly added domain devices will get the agent installed. This could be a really great add for SMBs who don’t want to dive into another MDM tool’s licensing cost (Intune, JAMF, etc.).</p>]]></content><author><name></name></author><category term="Action1;" /><category term="Patch" /><category term="Management;" /><category term="MDM" /><summary type="html"><![CDATA[This week I dived into testing some endpoint automation tools. These can be invaluable tools that SMBs can use to reduce their endpoint risks and start to get a grasp on their fleet of servers, workstations, and all installed software. In simple terms, you install a lightweight agent on each of your endpoints that then reports back to Action1’s cloud dashboard. In this dashboard, you can schedule and push out OS updates, third-party application patches, run reports of vulnerabilities, and set up alerts on high-risk devices. Some of these tools even have the capability to do screensharing for help-desk sessions. All of the ones I am testing have at least some component of self-hosting, and all or some of the features mentioned above. For my first test, I am using Action1. Action1 touts itself as a replacement for WSUS and a great tool for “work-from-anywhere workplaces with no VPN”. They are SOC 2 Type II certified and highlight some large customers like eBay, Coca-Cola, and Nestle. 
Their co-founder, Mike Walters, is also the co-founder of the data-security tool Netwrix.]]></summary></entry><entry><title type="html">Random Ep1: Fixing a Bissell Little Green Machine</title><link href="https://thepc.co/green/machine;/greenmachine;/bissell/2024/10/16/fixing-little-green-machine.html" rel="alternate" type="text/html" title="Random Ep1: Fixing a Bissell Little Green Machine" /><published>2024-10-16T05:00:02+00:00</published><updated>2024-10-16T05:00:02+00:00</updated><id>https://thepc.co/green/machine;/greenmachine;/bissell/2024/10/16/fixing-little-green-machine</id><content type="html" xml:base="https://thepc.co/green/machine;/greenmachine;/bissell/2024/10/16/fixing-little-green-machine.html"><![CDATA[<p>This week, I went on a deep dive of trying to fix a Bissell Little Green Machine. If you haven’t heard of this cleaning device, you probably don’t have pets. And if you do have it, it will probably need fixing or at least a deep clean a few times in its life. The problem that led me down this path was the common issue of no spray from the nozzle…</p>

<h4 id="note-water-electricity-and-humans-dont-go-together-great-do-be-careful">note: water, electricity and humans don’t go together great. Do be careful!</h4>

<h3 id="step-1">Step 1</h3>
<p>Watch <a href="https://youtu.be/vO9tKC9ksbU">Drew Smith’s YouTube video</a> of basic troubleshooting. It covers the easy stuff, such as checking the nozzle and the solution container. To sum up these steps, you basically want to remove all the bits after the black line, at the nozzle end. If this fixes your problem, you know the issue is in the spring trigger valve or the actual nozzle where water comes out. If those steps didn’t fix the problem, you can move to the below step.</p>

<h3 id="step-2">Step 2</h3>
<p>Unscrew the 6 bottom screws to take off the bottom panel. With the bottom panel off, you can see the pickup where the solution is grabbed by the pump. You can also remove the two screws (and their washers) that hold the black piece in. There is no hose clamp holding the water line to the black piece or to the pump, just a single barb. Using compressed (or canned) air, you can blow air through the black piece to ensure it is not clogged.
<img src="/img/2024-10-16(5).png" alt="2024-10-16(5)" title="Bottom Panel" /></p>

<p><img src="/img/2024-10-16(1).png" alt="2024-10-16(1)" title="Black Piece" /></p>

<h3 id="step-3">Step 3</h3>
<p>If you still don’t think you found the culprit, you can remove the top cover of the main motor and pump motor. This involves four screws up top, two on each side. On one of the sides you may need a long thin screwdriver, as it is pretty narrow.
<img src="/img/2024-10-16(2).png" alt="2024-10-16(2)" title="Top Screws Left" /></p>

<p><img src="/img/2024-10-16(3).png" alt="2024-10-16(3)" title="Top Screws Right" /></p>

<p>You can now lift off the cover a bit. Note that wires are still connected to the power switch, so do not yank the cover off; just lift it a bit to give yourself some visibility to the solution pump mechanism and its hose. Remove the tiny hose clamp from the black line and slide the hose off the pump’s plastic barb fitting.</p>

<p><img src="/img/2024-10-16(4).png" alt="2024-10-16(4)" title="Solution Pump" /></p>

<p>Note that this black line is the same line that runs to the nozzle end of the hose. Here is where you can again put some compressed air into the line. As long as you have the spring-loaded trigger removed from the nozzle end, there should be no obstructions from end-to-end. Also, since the black hose runs inside the green vacuum hose, you can articulate the hose back and forth to try to free up any blockages. Once enough pressure is applied, you should get a quick stream of solution out of the nozzle end of the hose, and then freely flowing compressed air.</p>

<h3 id="step-4">Step 4</h3>
<p>That is it. Reattach the base parts (nozzle, pump line, solution pickup line) and do a functional check. If you got free-flowing air from end-to-end of the black line but you still have an issue, the only other part left to troubleshoot is the pump motor. The motor is clearly visible once you have the handle plastic off (see picture above). It is a basic brushed motor, so you should see a small spark from the brushes when you switch the power on. It should also get warm to the touch after running for a minute or two. I have never replaced one, but good luck…</p>]]></content><author><name></name></author><category term="Green" /><category term="Machine;" /><category term="GreenMachine;" /><category term="Bissell" /><summary type="html"><![CDATA[This week, I went on a deep dive of trying to fix a Bissell Little Green Machine. If you haven’t heard of this cleaning device, you probably don’t have pets. And if you do have it, it will probably need fixing or at least a deep clean a few times in its life. The problem that led me down this path was the common issue of no spray from the nozzle…]]></summary></entry><entry><title type="html">The Search for a Better Kanban Board</title><link href="https://thepc.co/selfhosting;/homelab;/kanban/2024/05/18/the-search-for-better-kanban.html" rel="alternate" type="text/html" title="The Search for a Better Kanban Board" /><published>2024-05-18T05:00:02+00:00</published><updated>2024-05-18T05:00:02+00:00</updated><id>https://thepc.co/selfhosting;/homelab;/kanban/2024/05/18/the-search-for-better-kanban</id><content type="html" xml:base="https://thepc.co/selfhosting;/homelab;/kanban/2024/05/18/the-search-for-better-kanban.html"><![CDATA[<p>Most folks in the system admin life, or even the software dev world, are familiar with the <a href="https://www.atlassian.com/agile/kanban/boards">Kanban framework</a>. These days, every project planning or Scrum tool has a Kanban feature. 
Kanban has been drilled into my brain so much over the past 10 years or so that I find myself wanting to use it outside of my 9-5. For the past three or four years I have been using it in my homelab environment as well. It started with literal sticky-notes; quick scribbles of something I came across online or heard about in a podcast. Sometimes I would even create a calendar event for one of my nights with a link to whatever product/project I had overheard. In search of some sort of organization, I landed on Trello (<a href="https://www.forbes.com/sites/alexkonrad/2017/01/09/atlassian-acquires-popular-team-productivity-app-trello-for-425-million/?sh=4ab4b4bf7c76">FYI, Trello was purchased by Atlassian, the makers of Jira, in 2017</a>). While I never loved my time with Trello, it was free and easy to set up. It gave me my basic To Do, Doing and Done columns that I needed. However, the mobile app was pretty ugly and with Atlassian now at the helm, it was pretty obvious that Jira would get any development time for new features or fresh coats of paint. So off I went in search of a better Kanban board for my homelab brain to use…</p>

<h3 id="staying-in-the-loop">Staying in the Loop</h3>
<p>In late 2023, <a href="https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-loop-built-for-the-new-way-of-work-generally-available/ba-p/3982247">Microsoft released Loop to the general public</a>. It is their everything-in-one tool that meshes OneNote (heavily), ToDo, Project/Planner and bits of many other Microsoft products. Not only does it wear a lot of hats and integrate with seemingly everything else in the Microsoft suite, but it also ties into a whole load of third-party software out there. Best of all for me, it has a built-in Kanban template.</p>

<p><img src="/img/2024-05-18(1).png" alt="2024-05-18" title="Kanban in Loop" /></p>

<h3 id="keeping-it-simple">Keeping it Simple</h3>
<p>By default, Loop has four columns (To do, On Hold, In progress and Done), but for my personal setup I like to hide the On Hold column. This is the simplest Kanban board I have ever used, and I like it especially for that reason.</p>

<h3 id="get-in-the-loop">Get (in the) Loop</h3>
<p>More Info: <a href="https://www.microsoft.com/en-us/microsoft-loop">https://www.microsoft.com/en-us/microsoft-loop</a></p>

<p>Loop for Home: <a href="https://www.microsoft.com/en-us/microsoft-365/buy/compare-all-microsoft-365-products">https://www.microsoft.com/en-us/microsoft-365/buy/compare-all-microsoft-365-products</a></p>

<p>Loop for Business: <a href="https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products">https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products</a></p>

<p>Copilot in Loop: <a href="https://copilot.cloud.microsoft/en-US/copilot-loop">https://copilot.cloud.microsoft/en-US/copilot-loop</a></p>]]></content><author><name></name></author><category term="selfhosting;" /><category term="homelab;" /><category term="kanban" /><summary type="html"><![CDATA[Most folks in the system admin life, or even the software dev world, are familiar with the Kanban framework. These days, every project planning or Scrum tool has a Kanban feature. Kanban has been drilled into my brain so much over the past 10 years or so that I find myself wanting to use it outside of my 9-5. For the past three or four years I have been using it in my homelab environment as well. It started with literal sticky-notes; quick scribbles of something I came across online or heard about in a podcast. Sometimes I would even create a calendar event for one of my nights with a link to whatever product/project I had overheard. In search of some sort of organization, I landed on Trello (FYI, Trello was purchased by Atlassian, the makers of Jira, in 2017). While I never loved my time with Trello, it was free and easy to set up. It gave me my basic To Do, Doing and Done columns that I needed. However, the mobile app was pretty ugly and with Atlassian now at the helm, it was pretty obvious that Jira would get any development time for new features or fresh coats of paint. 
So off I went in search of a better Kanban board for my homelab brain to use…]]></summary></entry><entry><title type="html">State of the Lab - 2024</title><link href="https://thepc.co/selfhosting;/homelab;/xcp-ng/2024/01/01/state-of-lab-2024.html" rel="alternate" type="text/html" title="State of the Lab - 2024" /><published>2024-01-01T05:00:01+00:00</published><updated>2024-01-01T05:00:01+00:00</updated><id>https://thepc.co/selfhosting;/homelab;/xcp-ng/2024/01/01/state-of-lab-2024</id><content type="html" xml:base="https://thepc.co/selfhosting;/homelab;/xcp-ng/2024/01/01/state-of-lab-2024.html"><![CDATA[<p><a href="https://thepc.co/selfhosting;/homelab;/xcp-ng/2023/01/01/state-of-lab-2023.html">Since my first post of 2023</a>, documenting what all I have running in my lab, I suppose I should do one at the start of 2024. So here we go again, State of the Lab - 2024 edition…</p>

<h3 id="networking">Networking</h3>
<p>No changes made here. My Unifi equipment has held steady and I have just been doing firmware updates. Perhaps Ubiquiti will grace us with an affordable Wifi6E access point in 2024, preferably in the form factor of the U6-Mesh.</p>

<h3 id="compute">Compute</h3>
<p>No changes here either. My two HPE ProLiant MicroServers (Gen 10 Plus) have been going strong. I have been updating XCP-NG and XOA as updates roll out. Perhaps the only change I will make here in 2024 is to add my micro Dell OptiPlex 7050 as a third host.</p>

<h3 id="storage">Storage</h3>
<p>While my storage infrastructure has not changed, I have swapped out a few disks in both of my Synology units. My DS720+ had one of its original drives start to fail. I replaced the 4 TB Seagate IronWolf drive with a certified used 10 TB Seagate Exos. The second drive in this array is still one of the original 4 TB IronWolfs, so I am guessing I will have to replace it during 2024. However, until I change out this second drive, my available storage on my DS720+ unit remains at 4 TB, due to it being just RAID 1.</p>

<p>The second drive change I made was in my Synology DX517 expansion unit. Surprisingly, my DX517 still holds my oldest drive. Just as I said above, I’m guessing this 4 TB drive (which will hit 20k hours in less than a month) will need to be replaced in 2024. The other drives in this storage pool are not far behind, except for one newly added 10 TB Seagate Exos that replaced a 20k hour 4 TB drive. Since this pool can only take one drive failure, I am starting to stagger the drive replacements. With the hybrid RAID setup in this second pool, it currently sits at just under 21 TB of useable space.</p>

<p><img src="/img/2023-12-27(2).png" alt="2023-12-27" title="Disks" /></p>

<h3 id="projects">Projects</h3>
<h4 id="portainer">Portainer</h4>
<p>Portainer is still running, and I love how easy it makes running and managing various containers. I did, however, make some changes to my infrastructure. I moved it over to a new Rocky Linux VM that is domain joined to my Windows Active Directory tenant. This gives me the ability to use Active Directory security groups with Active Directory accounts to manage the server, instead of just using local accounts with static passwords.</p>

<h4 id="backups">Backups</h4>
<p>Veeam is still my go-to here. I love their community edition and have just been keeping it up to date with their latest v12. If you have a local storage repository, I highly recommend getting Veeam set up.</p>

<h4 id="patch-management">Patch Management</h4>
<p>I am still using ManageEngine’s Patch Manager Plus to scan for vulnerabilities and deploy Windows updates to my various Windows servers. The only change I have made here is that I am running their email alerting through SendGrid. Using SendGrid’s SMTP API has been great and is so much easier than hosting it myself.</p>

<h4 id="identity-management">Identity Management</h4>
<p>In 2022, one of my big projects was to set up a Microsoft tenant, complete with Azure AD Connect (now called Microsoft Entra ID) and then in 2023, <a href="https://thepc.co/azure/ad;/mfa;/active/directory/2023/07/23/number-matching-mfa.html">adding MFA</a>. The last change I made here was <a href="https://thepc.co/active/directory;/laps;/windows/server/2023/09/07/microsoft-laps.html">introducing LAPS</a>, which has been running just fine and rotating my local administrative credentials on my Windows servers. Also in 2022, I <a href="https://thepc.co/synology;/synology/c2;/active/directory/2022/11/14/c2-identity-part-1.html">explored Synology’s C2 Identity Service</a>. I have not seen much movement on Synology’s side here, as far as adding features goes, so I have not explored it any further.</p>

<h4 id="monitoring">Monitoring</h4>
<p>This is sort of a new one for me. In 2022 and 2023, I had been using Uptime Kuma on and off. While I do believe it is a great tool and it creates a super simple up/down splash page, I wanted to venture into something a bit more complex and enterprise’ish. So, a couple months back I stood up a Zabbix virtual appliance. I am still fiddling with it and getting workloads added, but it has been a great learning experience. My experience with monitoring tools at this level has been SolarWinds, Dynatrace and New Relic, so it is always good to have some experience with another product. As I expand my monitoring to various VMs and workloads, I will be sure to create a post.</p>

<p><img src="/img/2023-12-27(1).png" alt="2023-12-27" title="Zabbix" /></p>

<h2 id="conclusion">Conclusion</h2>
<p>I think that about wraps it up. I haven’t made any huge changes in 2023, and I expect 2024 to be somewhat similar. But who knows, with a homelab there is always the urge to just tear everything down and build it back again…</p>]]></content><author><name></name></author><category term="selfhosting;" /><category term="homelab;" /><category term="xcp-ng" /><summary type="html"><![CDATA[Since my first post of 2023, documenting what all I have running in my lab, I suppose I should do one at the start of 2024. So here we go again, State of the Lab - 2024 edition…]]></summary></entry><entry><title type="html">Microsoft LAPS for Homelab</title><link href="https://thepc.co/active/directory;/laps;/windows/server/2023/09/07/microsoft-laps.html" rel="alternate" type="text/html" title="Microsoft LAPS for Homelab" /><published>2023-09-07T05:01:01+00:00</published><updated>2023-09-07T05:01:01+00:00</updated><id>https://thepc.co/active/directory;/laps;/windows/server/2023/09/07/microsoft-laps</id><content type="html" xml:base="https://thepc.co/active/directory;/laps;/windows/server/2023/09/07/microsoft-laps.html"><![CDATA[<p>I recently rolled out LAPS for some of my homelab servers. With LAPS enabled, I no longer have to keep a list of local administrator passwords for my Windows servers. It also prevents you from having one local administrative password across all your VMs.</p>

<h1 id="prereqs">Prereqs</h1>
<p>First, LAPS is a newer feature and only supported on newer OS versions. See: <a href="https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms">Supported Platforms</a></p>

<p>This one is kind of obvious, but the VMs must be either Azure Active Directory or Active Directory joined (or hybrid).</p>

<p>Domain functional level (DFL) of 2016 or higher.</p>

<h1 id="implementation">Implementation</h1>

<p>My devices are domain joined so I will be proceeding with the steps for that scenario.</p>

<p>1) First, I made sure my account was in the schema admins group. This built-in AD group is domain\Schema Admins. If you just added your admin account to that group, you may need to log off and back on again, before running the below PowerShell command.</p>

<p>2) Then I can run the schema extensions PowerShell command from one of my 2019 or 2022 domain controllers:</p>

<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Update-LapsADSchema</span><span class="w"> </span><span class="nt">-Verbose</span><span class="w">
</span></code></pre></div></div>

<p>3) I also created a test OU for this. I then created a LAPS GPO and applied it to the OU (make sure you move at least one test VM to that OU). LAPS configuration can be found at Computer Configuration -&gt; Policies -&gt; Administrative Templates -&gt; System -&gt; LAPS.</p>

<p><img src="/img/2023-09-07(1).png" alt="2023-09-07(1).png" title="GPO" /></p>

<p>4) Lastly, I had to grant permission for LAPS to reset the local passwords. In the PowerShell line below, “Laps Test” is the name of my test OU. This field accepts either the name or distinguishedName. Both examples below:</p>

<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Set-LapsADComputerSelfPermission</span><span class="w"> </span><span class="nt">-Identity</span><span class="w"> </span><span class="s2">"Laps Test"</span><span class="w">
</span></code></pre></div></div>

<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Set-LapsADComputerSelfPermission</span><span class="w"> </span><span class="nt">-Identity</span><span class="w"> </span><span class="s2">"OU=Laps Test,DC=your,DC=domain"</span><span class="w">
</span></code></pre></div></div>

<h1 id="testing-and-verification">Testing and Verification</h1>
<p>Now that everything is set up and has had time to sync, I can test it out and make sure I am rotating the local administrator password on one of my test servers.</p>

<p>On one of my domain controllers I ran the following command to get the password of my test server named “xcpconfigmgr”:</p>

<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Get-LapsADPassword</span><span class="w"> </span><span class="nt">-Identity</span><span class="w"> </span><span class="nx">xcpconfigmgr</span><span class="w"> </span><span class="nt">-AsPlainText</span><span class="w">
</span></code></pre></div></div>

<p>And the output I got:</p>

<p><img src="/img/2023-09-07(2).png" alt="2023-09-07(2).png" title="PowerShell output" /></p>

<p>I can then test that password by logging in as the local admin account.</p>

<p>If you run into any issues, take a look at Event Viewer on the target workstation (Applications and Services Logs -&gt; Microsoft -&gt; Windows -&gt; LAPS).</p>

<p><img src="/img/2023-09-07(3).png" alt="2023-09-07(3).png" title="Event Viewer" /></p>

]]></content><author><name></name></author><category term="Active" /><category term="Directory;" /><category term="LAPS;" /><category term="Windows" /><category term="Server" /><summary type="html"><![CDATA[I recently rolled out LAPS for some of my homelab servers. With LAPS enabled, I no longer have to keep a list of local administrator passwords for my Windows servers. It also prevents you from having one local administrative password across all your VMs.]]></summary></entry><entry><title type="html">Enable Number Matching for Azure MFA</title><link href="https://thepc.co/azure/ad;/mfa;/active/directory/2023/07/23/number-matching-mfa.html" rel="alternate" type="text/html" title="Enable Number Matching for Azure MFA" /><published>2023-07-23T05:01:01+00:00</published><updated>2023-07-23T05:01:01+00:00</updated><id>https://thepc.co/azure/ad;/mfa;/active/directory/2023/07/23/number-matching-mfa</id><content type="html" xml:base="https://thepc.co/azure/ad;/mfa;/active/directory/2023/07/23/number-matching-mfa.html"><![CDATA[<p>This is a short guide on how to enable number matching in Azure Active Directory. Number Matching is <a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf">Microsoft’s latest step in combating MFA fatigue attacks</a>.</p>

<h3 id="enabling-in-azure-portal">Enabling in Azure Portal</h3>
<p>1) Log into portal.azure.com with your privileged account and open Azure Active Directory.</p>

<p>2) On the left side, select Security</p>

<p><img src="/img/2023-07-24(1).png" alt="2023-07-24(1).png" title="Manage" /></p>

<p>3) Then under Manage, click Authentication Methods</p>

<p><img src="/img/2023-07-24(2).png" alt="2023-07-24(2).png" title="Authentication Methods" /></p>

<p>4) Under Authentication Methods, choose Microsoft Authenticator</p>

<p><img src="/img/2023-07-24(3).png" alt="2023-07-24(3).png" title="Microsoft Authenticator" /></p>

<p>5) Now comes the time to configure or re-configure the actual policy. What you have already set may differ from my screenshots. In my example I am forcing Microsoft Authenticator on a test Azure AD group. Note that the option to not use number matching is actually disabled, as Microsoft is already enforcing this.</p>

<p><img src="/img/2023-07-24(4).png" alt="2023-07-24(4).png" title="Microsoft Test Group" /></p>

<p><img src="/img/2023-07-24(5).png" alt="2023-07-24(5).png" title="Number Matching Enforced" /></p>

<h3 id="testing">Testing</h3>
<p>Now, with the test user you enabled the policy for, log out and back into something (Office 365, Azure, etc.). You should be prompted with a randomly generated number on the application you are signing into. Additionally, you should receive a notification on your mobile device. This will include the text box where you enter the number, along with the geographical location of the sign-in and the application name. If you don’t get prompted for MFA, you may need to wait a while or lower your token expiry length.</p>

<!--URL Block-->

<!--Picture Block-->]]></content><author><name></name></author><category term="Azure" /><category term="AD;" /><category term="MFA;" /><category term="Active" /><category term="Directory" /><summary type="html"><![CDATA[This is a short guide on how to enable number matching in Azure Active Directory. Number Matching is Microsoft’s latest step in combating MFA fatigue attacks.]]></summary></entry><entry><title type="html">State of the Lab - 2023</title><link href="https://thepc.co/selfhosting;/homelab;/xcp-ng/2023/01/01/state-of-lab-2023.html" rel="alternate" type="text/html" title="State of the Lab - 2023" /><published>2023-01-01T05:01:01+00:00</published><updated>2023-01-01T05:01:01+00:00</updated><id>https://thepc.co/selfhosting;/homelab;/xcp-ng/2023/01/01/state-of-lab-2023</id><content type="html" xml:base="https://thepc.co/selfhosting;/homelab;/xcp-ng/2023/01/01/state-of-lab-2023.html"><![CDATA[<p>Taking some inspiration from the more popular self-hosting YouTubers, I am going to start a yearly round-up of the current state of my homelab. So here we go, State of the Lab - 2023 edition…</p>

<h3 id="networking">Networking</h3>
<p>My home network mostly consists of Unifi devices. That is: a Unifi Dream Machine, a USW-Lite 16 port POE switch, a USW Flex Mini, a US-8 8 Port POE switch, and a U6-Mesh AP.
<img src="/img/2022-12-27(1).png" alt="2022-12-27" title="Network Diagram" /></p>

<p>This has been a great setup for me. Unifi is a great solution for homes that want easy management but the ability to configure advanced features. I have not run into any of the software/firmware issues and all my products were bought before the supply chain issues.</p>

<h3 id="compute">Compute</h3>
<p>The main portion of my compute is two HPE ProLiant MicroServer Gen10 Plus servers. I have the Xeon chip versions with the optional iLO out-of-band-management cards. These two are in an XCP-NG pool.
<img src="/img/2022-12-27(2).png" alt="2022-12-27" title="XCP-NG" /></p>

<h2 id="storage">Storage</h2>
<p>For storage I am using a Synology unit. It is the DS720+ with the DX517 expansion unit. That gives me a total of seven drive bays and two M.2 slots for cache SSDs.</p>

<p><img src="/img/2022-12-27(3).png" alt="2022-12-27" title="Synology" /></p>

<p>Using Synology’s SHR for redundancy, I can use drives of different sizes. The drives are broken into two storage pools. One providing storage for the Synology OS and the other providing iSCSI LUNs for the XCP-NG cluster.</p>

<p><img src="/img/2022-12-27(4).png" alt="2022-12-27" title="Synology" /></p>

<h2 id="projects">Projects</h2>

<h3 id="portainer">Portainer</h3>
<p>I am running Docker with Portainer on the XCP-NG pool. I currently have <a href="https://github.com/codetheweb/muse">Muse</a>, a self-hosted Discord bot, and the monitoring tool <a href="https://github.com/louislam/uptime-kuma">Uptime-Kuma</a>.</p>

<p><img src="/img/2022-12-27(5).png" alt="2022-12-27" title="Portainer" /></p>

<h3 id="backups">Backups</h3>
<p>Most of my backup tasks are handled by a self-hosted Veeam instance. I am using their community edition, running on Server 2022, and backing up to my Synology. It currently backs up a few servers and does file level backups on one other desktop. These all run on a schedule and I have never had any issues.</p>

<p><img src="/img/2022-12-27(6).png" alt="2022-12-27" title="Veeam" /></p>

<h3 id="patch-management">Patch Management</h3>
<p>This is something I hadn’t set up before, but it has been a pretty slick addition. I am using ManageEngine’s Patch Manager Plus to report on vulnerabilities within my homelab, and also push out patches. Here is one example of how the dashboard looks:</p>

<p><img src="/img/2022-12-27(7).png" alt="2022-12-27" title="ManageEngine PMP" /></p>

<h3 id="identity-management">Identity Management</h3>
<p>I have had an on-prem Active Directory domain set up for a while. I mainly use this for testing solutions in a lab environment. I also use it for authentication for a few apps (like ManageEngine above). New to my lab is Microsoft’s Azure AD. I am using Azure AD Connect to sync my on-premise directory to Azure AD. This has let me explore and test a whole lot more with Microsoft’s cloud offerings. I also explored Synology’s new C2 Identity Service, but wasn’t too impressed. Perhaps I will explore it later down the road.</p>

<p><img src="/img/2022-12-27(8).png" alt="2022-12-27" title="Azure AD Connect" /></p>

<h3 id="conclusion">Conclusion</h3>
<p>I think that about wraps it up! I have plenty of ideas left to try out in 2023, but feel free to make suggestions at my contact info below.</p>]]></content><author><name></name></author><category term="selfhosting;" /><category term="homelab;" /><category term="xcp-ng" /><summary type="html"><![CDATA[Taking some inspiration from the more popular self-hosting YouTubers, I am going to start a yearly round-up of the current state of my homelab. So here we go, State of the Lab - 2023 edition…]]></summary></entry><entry><title type="html">Setting up a Secondary Azure AD Connect Server in Staging Mode</title><link href="https://thepc.co/azure/ad;/active/directory;/directory/2022/12/17/secondary-ad-connect.html" rel="alternate" type="text/html" title="Setting up a Secondary Azure AD Connect Server in Staging Mode" /><published>2022-12-17T01:28:00+00:00</published><updated>2022-12-17T01:28:00+00:00</updated><id>https://thepc.co/azure/ad;/active/directory;/directory/2022/12/17/secondary-ad-connect</id><content type="html" xml:base="https://thepc.co/azure/ad;/active/directory;/directory/2022/12/17/secondary-ad-connect.html"><![CDATA[<p>If you are already using Azure Active Directory Connect to sync your on-premise Active Directory to Azure AD, then you should set up a secondary server for a backup. This second server can run in ‘staging’ mode, which means it can still be active but it will not sync any changes with Azure AD. If your primary sync server were to run into issues, you can easily flip your second sync server into active mode.</p>

<h2 id="agent-install">Agent Install</h2>

<p>Download the latest agent on a second domain controller: <a href="https://www.microsoft.com/en-us/download/details.aspx?id=47594">Download Link</a></p>

<p>Launch the installer, accept the license terms and click continue</p>

<p><img src="/img/2022-12-16(1).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>

<p>Clicking customize will show you some advanced settings. For this example, I am going to stick with the express settings</p>

<p><img src="/img/2022-12-16(2).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>

<p>Enter the credentials for an Azure AD global admin account</p>

<p><img src="/img/2022-12-16(3).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>

<p>Enter the credentials of an AD enterprise admin account</p>

<p><img src="/img/2022-12-16(4).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>

<p>On the final screen, leave the “Start the synchronization process…” option unchecked</p>

<p><img src="/img/2022-12-16(5).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>

<h2 id="configuring-staging-mode">Configuring Staging Mode</h2>

<p>Reopen Azure AD Connect, and choose Configure</p>

<p><img src="/img/2022-12-16(6).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>

<p>Select the Configure staging mode task and click Next</p>

<p><img src="/img/2022-12-16(7).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>

<p>Check “Enable staging mode” and click Next</p>

<p><img src="/img/2022-12-16(8).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>

<p>On the final screen, this time you do want to check the option to start the sync process. Microsoft’s documentation explains why: “<em>It is recommended to leave the sync process on for the server in Staging Mode, so if it becomes active, it will quickly take over and won’t have to do a large sync to catch up to the current state of the AD/Azure AD sync.</em>”</p>

<p><img src="/img/2022-12-16(9).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>

<p>Done!</p>
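
<p>Once both servers are installed, it is worth confirming that exactly one of them is exporting to Azure AD and that the staging server still has its scheduler running. The script below is an added example, not part of the original walkthrough; it assumes PowerShell remoting is enabled to both sync servers, and the server names are hypothetical placeholders.</p>

```powershell
# Added example: verify that only one Azure AD Connect server is active.
# Server names are hypothetical placeholders; replace them with your own.
$SyncServers = @('aadc-primary.lab.example', 'aadc-staging.lab.example')

function Get-SyncServerRole {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($server in $ComputerName) {
        try {
            # Get-ADSyncScheduler is part of the ADSync module installed with Azure AD Connect
            $scheduler = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                Import-Module ADSync
                Get-ADSyncScheduler
            }
            [pscustomobject]@{
                Server           = $server
                Reachable        = $true
                StagingMode      = [bool]$scheduler.StagingModeEnabled
                SyncCycleEnabled = [bool]$scheduler.SyncCycleEnabled
                NextSyncUtc      = $scheduler.NextSyncCycleStartTimeInUTC
            }
        }
        catch {
            # Record the failure instead of stopping, so one dead server does not hide the other
            [pscustomobject]@{
                Server           = $server
                Reachable        = $false
                StagingMode      = $null
                SyncCycleEnabled = $null
                NextSyncUtc      = $null
            }
        }
    }
}

function Test-SyncTopology {
    param([Parameter(Mandatory)][object[]]$Role)

    $findings = @()
    $active = @($Role | Where-Object { $_.Reachable -and -not $_.StagingMode })

    if ($active.Count -eq 0) {
        $findings += 'No reachable server is active: nothing is exporting changes to Azure AD.'
    }
    if ($active.Count -gt 1) {
        $findings += "More than one active server: $($active.Server -join ', '). Only one may export."
    }
    foreach ($r in ($Role | Where-Object { -not $_.Reachable })) {
        $findings += "Could not query $($r.Server); its role is unknown."
    }
    foreach ($r in ($Role | Where-Object { $_.Reachable -and $_.StagingMode -and -not $_.SyncCycleEnabled })) {
        $findings += "$($r.Server) is in staging mode with the scheduler off; failover will need a large catch-up sync."
    }
    return $findings
}

$roles = @(Get-SyncServerRole -ComputerName $SyncServers)
$roles | Format-Table Server, Reachable, StagingMode, SyncCycleEnabled, NextSyncUtc

$problems = @(Test-SyncTopology -Role $roles)
if ($problems.Count -eq 0) {
    Write-Host 'Topology OK: one active server, staging server is keeping itself current.' -ForegroundColor Green
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```
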

<p><img src="/img/2022-12-16(10).png" alt="2022-12-16" title="Azure AD Connect Installer" /></p>]]></content><author><name></name></author><category term="Azure" /><category term="AD;" /><category term="Active" /><category term="Directory;" /><category term="Directory" /><summary type="html"><![CDATA[If you are already using Azure Active Directory Connect to sync your on-premise Active Directory to Azure AD, then you should set up a secondary server for a backup. This second server can run in ‘staging’ mode, which means it can still be active but it will not sync any changes with Azure AD. If your primary sync server were to run into issues, you can easily flip your second sync server into active mode.]]></summary></entry><entry><title type="html">Synology C2 Identity Integration with Active Directory</title><link href="https://thepc.co/synology;/synology/c2;/active/directory/2022/11/14/c2-identity-part-1.html" rel="alternate" type="text/html" title="Synology C2 Identity Integration with Active Directory" /><published>2022-11-14T01:28:00+00:00</published><updated>2022-11-14T01:28:00+00:00</updated><id>https://thepc.co/synology;/synology/c2;/active/directory/2022/11/14/c2-identity-part-1</id><content type="html" xml:base="https://thepc.co/synology;/synology/c2;/active/directory/2022/11/14/c2-identity-part-1.html"><![CDATA[<p>Synology just sent out an email that their <a href="https://c2.synology.com/en-global/identity/overview">C2 Identity service</a> can now sync with Active Directory. Let’s give it a try!</p>

<h2 id="its-free-for-250-users---synology-marketing-materials">It’s free (for 250 users) - Synology Marketing Materials</h2>

<p><img src="/img/2022-11-13.png" alt="2022-11-13" title="Synology Marketing Materials" /></p>

<p><img src="/img/2022-11-13(2).png" alt="2022-11-13(2)" title="Synology Marketing Materials" /></p>

<h2 id="installing-the-agent">Installing the Agent</h2>

<p>Once you sign up for the service with your Synology account and pick a domain name, you can download the C2 Identity AD Sync application.</p>

<p><img src="/img/2022-11-13(3).png" alt="2022-11-13(3)" title="Download the application" /></p>

<p>Run through the install wizard.</p>

<p><img src="/img/2022-11-13(4).png" alt="2022-11-13(4)" title="Application Install Wizard" /></p>

<p><img src="/img/2022-11-13(5).png" alt="2022-11-13(5)" title="Application Install Wizard" /></p>

<p><img src="/img/2022-11-13(6).png" alt="2022-11-13(6)" title="Application Install Wizard" /></p>

<p><img src="/img/2022-11-13(7).png" alt="2022-11-13(7)" title="Application Install Wizard" /></p>

<h2 id="agent-setup">Agent Setup</h2>

<p>This is what I am getting on first launch, after the install completes</p>

<p><img src="/img/2022-11-13(8).png" alt="2022-11-13(8)" title="Launch Error" /></p>

<p>A reboot does not help. But whoops, it turns out you just need to right-click and choose “Run as administrator”. After doing so, you will be prompted for your C2 Identity connect key, which you can copy/paste from your C2 Identity dashboard.</p>

<p><img src="/img/2022-11-13(9).png" alt="2022-11-13(9)" title="Identity connect key" /></p>

<p>After submitting your connect key, you are prompted to approve the connection in the C2 Identity admin portal</p>

<p><img src="/img/2022-11-13(10).png" alt="2022-11-13(10)" title="Approval required" /></p>

<p>Back in the admin portal, you will see the Approve option, along with the FQDN of your domain controller</p>

<p><img src="/img/2022-11-13(11).png" alt="2022-11-13(11)" title="Approve in Identity admin portal" /></p>

<p>Once approved, the directory will automatically start syncing</p>

<p><img src="/img/2022-11-13(12).png" alt="2022-11-13(12)" title="Success!" /></p>

<p><img src="/img/2022-11-13(13).png" alt="2022-11-13(13)" title="Directory sync" /></p>

<p>I’m going to let this sync run and I’ll be back to explore more of what Synology’s C2 Identity Active Directory integration has to offer.</p>]]></content><author><name></name></author><category term="Synology;" /><category term="Synology" /><category term="C2;" /><category term="Active" /><category term="Directory" /><summary type="html"><![CDATA[Synology just sent out an email that their C2 Identity service can now sync with Active Directory. Let’s give it a try!]]></summary></entry><entry><title type="html">Install and Use Exchange Online Module v2 with Modern Authentication</title><link href="https://thepc.co/o365;/office/365;/exchange/online/2022/04/23/install-and-use-exchange-online-module-v2.html" rel="alternate" type="text/html" title="Install and Use Exchange Online Module v2 with Modern Authentication" /><published>2022-04-23T22:22:00+00:00</published><updated>2022-04-23T22:22:00+00:00</updated><id>https://thepc.co/o365;/office/365;/exchange/online/2022/04/23/install-and-use-exchange-online-module-v2</id><content type="html" xml:base="https://thepc.co/o365;/office/365;/exchange/online/2022/04/23/install-and-use-exchange-online-module-v2.html"><![CDATA[<p>Haven’t you heard? Basic auth is dead. Or at least <a href="https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#when-will-this-change-take-place">dying</a>. Not only should you switch to modern authentication for Exchange Online, but you should be using the Exchange Online PowerShell V2 Module. Per Microsoft, “The module contains a small set of exclusive Exchange Online PowerShell cmdlets that are optimized for bulk data retrieval scenarios (think: thousands and thousands of objects)”. Also, older cmdlets still work. See <a href="https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#how-the-exo-v2-module-works">here</a> for the full list of EXO V2 cmdlets.</p>

<h3 id="install-or-update">Install or Update</h3>
<pre><code class="language-PowerShell"># Check to see if you have the EOM Module installed already
Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

# If yes, update it
Update-Module -Name ExchangeOnlineManagement -Scope CurrentUser

# If no, install it
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

# Confirm installed
Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement
</code></pre>

<h3 id="connect">Connect</h3>
<pre><code class="language-PowerShell">Connect-ExchangeOnline -UserPrincipalName username@domain.com -ShowProgress $true
</code></pre>
<p>That’s it. We are now connected to EXO using modern authentication. We are also using the latest module and can use the new Get-EXO cmdlets. Below are some basics for managing an O365 environment. Some are exclusive to EXO V2 and some are not. Enjoy!</p>

<h3 id="microsoft-365-groups">Microsoft 365 Groups</h3>
<pre><code class="language-PowerShell"># Get info about M365 Group
Get-UnifiedGroup -Identity "Legal Department" | Format-List

# Add member(s)
Add-UnifiedGroupLinks -Identity "Legal Department" -LinkType Members -Links chris@contoso.com,michelle@contoso.com -confirm

# Add owner(s)
Add-UnifiedGroupLinks -Identity "Legal Department" -LinkType Owners -Links chris@contoso.com,michelle@contoso.com -confirm

# Remove member(s)
Remove-UnifiedGroupLinks -Identity "People Leaders" -LinkType Members -Links laura@contoso.com,julia@contoso.com -confirm

# Remove owner(s)
Remove-UnifiedGroupLinks -Identity "People Leaders" -LinkType Owners -Links laura@contoso.com,julia@contoso.com -confirm

# Create new
New-UnifiedGroup -accesstype Private -AutoSubscribeNewMembers -DisplayName "Group Name" -EmailAddresses groupname@contoso.com -Owner julia@contoso.com -Members chris@contoso.com,michelle@contoso.com -notes "Requested by Susan Suzzy"

# Add authorized sender(s)
Set-UnifiedGroup -Identity  "Group Name" -AcceptMessagesOnlyFrom @{add="email@contoso.com"} -confirm

# Auto subscribe new members
Set-UnifiedGroup -Identity  "Group Name" -AutoSubscribeNewMembers:$true

# Hide from GAL
Set-UnifiedGroup -Identity  "Group Name" -HiddenFromAddressListsEnabled:$true
</code></pre>
<h4 id="microsoft-365-group-common-commands-and-references">Microsoft 365 Group Common Commands and References</h4>
<p><a href="https://docs.microsoft.com/en-us/powershell/module/exchange/get-unifiedgroup">Get-UnifiedGroup</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/add-unifiedgrouplinks">Add-UnifiedGroupLinks</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/remove-unifiedgrouplinks">Remove-UnifiedGroupLinks</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/new-unifiedgroup">New-UnifiedGroup</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/set-unifiedgroup">Set-UnifiedGroup</a></p>

<h3 id="dynamic-distribution-lists">Dynamic Distribution Lists</h3>
<pre><code class="language-PowerShell"># List all dynamic distros
Get-DynamicDistributionGroup

# Get info about a specific dynamic distro
Get-DynamicDistributionGroup -Identity "all-Company" | Format-List

# list all members of a dynamic distro
$DD = Get-DynamicDistributionGroup "all-Company"; Get-Recipient -RecipientPreviewFilter $DD.RecipientFilter -OrganizationalUnit $DD.RecipientContainer

# Change A DD filter
Set-DynamicDistributionGroup -Identity "all-Company" -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (Office -eq 'Main Office'))"

# Pull all members
$DD = Get-DynamicDistributionGroup "all-Company"
Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $DD.RecipientFilter -OrganizationalUnit $DD.RecipientContainer | Format-Table Name,Primary*
</code></pre>
<h4 id="dynamic-distribution-list-common-commands-and-references">Dynamic Distribution List Common Commands and References</h4>
<p><a href="https://docs.microsoft.com/en-us/powershell/module/exchange/get-dynamicdistributiongroup">Get-DynamicDistributionGroup</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/set-dynamicdistributiongroup">Set-DynamicDistributionGroup</a></p>

<h3 id="calendar-permissions">Calendar Permissions</h3>
<pre><code class="language-PowerShell"># View current permissions for user's calendar
Get-MailboxFolderPermission -Identity user@domain.com:\Calendar | ft Identity,FolderName,User,AccessRights,SharingPermissionFlags

# Set user to have Editor permissions to user's calendar | Note that Delegate will be able to do everything except view private events
# Note that -SendNotificationToUser is true and the person will get an email to accept the permissions
Set-MailboxFolderPermission -Identity user@domain.com:\Calendar -User user@domain.com -AccessRights Editor -SharingPermissionFlags Delegate -SendNotificationToUser $true

# Remove permissions
Remove-MailboxFolderPermission -Identity user@domain.com:\Calendar -User user@domain.com
</code></pre>
<h4 id="calendar-permissions-common-commands-and-references">Calendar Permissions Common Commands and References</h4>
<p><a href="https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailboxfolderpermission">Get-MailboxFolderPermission</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission">Set-MailboxFolderPermission</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/remove-mailboxfolderpermission">Remove-MailboxFolderPermission</a></p>

<h3 id="cleanup-a-mailbox">Cleanup a Mailbox</h3>
<pre><code class="language-PowerShell"># Simple mailbox check for size
Get-EXOMailboxStatistics -Identity john@contoso.com | Format-Table Name,DeletedItemCount,ItemCount,TotalDeletedItemSize,TotalItemSize

# Another query for mailbox statistics
Get-EXOMailboxFolderStatistics mailboxname@contoso.com -FolderScope RecoverableItems | Format-Table Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

# Check mailbox retention for deleted items
Get-EXOMailbox mailboxName@contoso.com | Format-Table RetainDeletedItemsFor
# Set the mailbox retention
Set-Mailbox mailboxName@contoso.com -RetainDeletedItemsFor 30

# Check ELC status
Get-EXOMailbox mailboxName@contoso.com | Format-Table ElcProcessingDisabled
# Set ELC
Set-Mailbox mailboxName@contoso.com -ElcProcessingDisabled $true


# Clean out mailbox by searching for a phrase with a wildcard
# The search is repeated until a pass finds nothing left to delete
$mbx = Get-EXOMailbox mailboxName@contoso.com
Do {
    $result = Search-Mailbox -Identity $mbx.Identity -SearchQuery 'subject:"Phrase with wildcard*"' -DeleteContent -Force -WarningAction SilentlyContinue
    $result | Out-File c:\temp\mailsearch.log -Append
    # Expand the count inside the string; Write-Host does not concatenate "text" + value
    Write-Host "Search result for username: $($result.ResultItemsCount)" -ForegroundColor Green
} Until ($result.ResultItemsCount -eq 0)

# Clean out mailbox by searching for items from a particular sender, AND a date
$inputbox = "mailboxName"
$mbx = Get-EXOMailbox $inputbox
Do {
    $result = Search-Mailbox -Identity $mbx.Identity -SearchQuery 'from:"someone@contoso.com" AND received:"02/20/2020"' -DeleteContent -Force -WarningAction SilentlyContinue
    Write-Host "Search result for ${inputbox}: $($result.ResultItemsCount)" -ForegroundColor Green
} Until ($result.ResultItemsCount -eq 0)
</code></pre>
<h4 id="mailbox-cleanup-commands-and-references">Mailbox Cleanup Commands and References</h4>
<p><a href="https://docs.microsoft.com/en-us/powershell/module/exchange/get-exomailboxstatistics">Get-EXOMailboxStatistics</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/get-exomailboxfolderstatistics">Get-EXOMailboxFolderStatistics</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/search-mailbox">Search-Mailbox</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/get-exomailbox">Get-EXOMailbox</a>,
<a href="https://docs.microsoft.com/en-us/powershell/module/exchange/set-mailbox">Set-Mailbox</a></p>]]></content><author><name></name></author><category term="O365;" /><category term="Office" /><category term="365;" /><category term="Exchange" /><category term="Online" /><summary type="html"><![CDATA[Haven’t you heard? Basic auth is dead. Or at least dying. Not only should you switch to modern authentication for Exchange Online, but you should be using the Exchange Online PowerShell V2 Module. Per Microsoft, “The module contains a small set of exclusive Exchange Online PowerShell cmdlets that are optimized for bulk data retrieval scenarios (think: thousands and thousands of objects)”. Also, older cmdlets still work. See here for the full list of EXO V2 cmdlets.]]></summary></entry></feed>