u/CeC-P

Setting up 5 brand new Yealink T54W phones with Ring Central. I provisioned them so they're all in the admin portal on the web. They updated the firmware as part of that. Then I noticed one of those two things reset the admin password to default. Now it's also complaining that user "user" and user "var" are using default passwords.

I assume user will be filled in when I assign a user/extension to the phone. But should I change var, as that's an internal type of user. Also, should I then change the admin user account on the phone via the web interface of the phone itself on our local network, or will that somehow lock Ring Central out?

Also, can I change any of these centrally from Ring Central's admin page? It'd be a lot faster if I could.

I just found out they technically do exist and some of them are even not scams/counterfeits. I was tracking some down for use in a small battery pack that will have VERY high cycles. Then a source told me that 18650 LiFePO4 cells tend to be rated for 3.2V and top off at 3.65V.

That means they won't work in a flashlight or traditional battery back with USB charge. But that's fine, I was going to put them in a small 12V arrangement. But then they'd have to be 4SxP instead of 3SxP arrangement to get to over 12V. That's kinda weird. I have to check the input range on my intended inverter because 14.4 is pushing it for some. Anyone else use these ever and anything else I should watch out for?

Remember the late 1990's when people would steal 128MB sticks of pre-DDR RAM worth about $300 each from computers before resigning or getting fired so they put padlock loops on the desktop cases? Yeah, they're like $400 a stick now for 64GB setups. We had a request to do so by one of our MSP customers after we can't really prove it but we're 99% sure someone stole a stick.

Considering I can get past a dollar store bulk padlock that small with a paperclip, I instead put in an RMM rule that says send a high priority alert email if the RAM on a system falls below what it is now by more than 10%. I had to hard code it since that wasn't a trigger template for some reason.

Anyone else already run into this and doing something similar? For everyone else, not a bad idea.

It has been upgraded from debacle to train wreck now, but we picked up all the pieces of the train strewn about and are good to go now, after it got so much worse!

This is too great not to follow up on. Remember the "I need to disable a stolen laptop without destroying any data or accounts but net user active:no won't work because it's a domain account" post?

Short version: we're an MSP. A company was shutting down. There was a dispute about pay between 2 people that is now a lawsuit. We're caught in the middle, as the IT management company. A court order exists that an employee was supposed to return their work laptop. The owner said they didn't. I had an alert where in Ninja RMM saw the laptop turn on, send an email to me. AHA, finally, time to nuke it.

I got a call on lunch: wrong laptop. UM WHAT?! First of all, they were lying. It had already been sent back. I didn't compare serial numbers to the court order because their company has 7 computers in Ninja and 2 are servers. Also, this is the one that had the ex employee's username as the "last logged in." You wouldn't check further either and you know it lol.

So I remote nuked it. Script works perfectly btw. Strongly recommended! VERY clever!
Intune/Remote-Lock.ps1 at main · HankMardukasNY/Intune · GitHub
Intune/Remote-Unlock.ps1 at main · HankMardukasNY/Intune · GitHub

We wanted to prevent access to the local copies of the Outlook emails as soon as possible! So when I saw it was still online and responding after 60 seconds of sending the script, (and I appended a shutdown command to the script), I assumed it failed and sent the backup "destroy the boot loader" script.

It was running windows updates during the shutdown. That's why it was still responding. Luckily the syntax was wrong because AI wrote the command and I didn't have time to test it, as testing it would destroy a computer. Or it's not compatible with 25h2 or something.

Anyway, employee calls in and says we locked the wrong laptop and that it's her personal laptop. HAHAHA not falling for that one, you manipulative villian! I have the receipts!

I check. It's Windows 11 Home, HP 15 series. Why TF is that in Ninja?! Oh, her work laptop broke so we put ninja on this one so she could use her personal one to access work stuff one time like 3 years ago and nobody undid it. Fantastic.

So, I disabled her personal laptop. Awesome. And she likes suing people. Well, through some Twilight Zone level circumstances that I can and would defend in court, that's what happened.

Employee was very understanding about it, especially the way I phrased what happened and how and why. Very nice lady actually. I hope she wins the lawsuit. She even said "yeah, I can see why having it enrolled in your management thing would be misleading. That was my bad." and I'm like, "UH NO, I'm the one who screwed up BADLY!" but didn't say that, cause she likes suing people.

But now they know what I look like, so I have to wear a disguise if I go to the court hearing and sit in the gallery. Darn. I wanted to see who won. This is a very engaging soap opera so far with lots of half-truths and twists and turns.

Yay, another RDP post. Anyway, one of our clients wants to use RDP for some reason to connect to their desktop from a laptop offsite. We already have Ninja Remote set up but sure, why not.

We've got computer A running 25H2 all latest updates. Same for computer B.
B is a laptop, wants to RDP into 25H2 once it's on the VPN.

We try to RDP into CompA by IP address, no connection, no response. Try hostname, nope.
In the registry, it's indeed still bound to port 3389
We allowed the user by username in RDP config.
RDP connections are turned on.
Terminal service is running
Outgoing RDP connections from computer A work just fine to other computers on their network.
10000 other checks are all as you'd expect.
Firewall rules say allow, etc etc etc.

But when I run netstat -an, there's no entry for port 3389. So nothing is listening on that port. WTF? That rules out external switch VLANs, firewalls, whatever, I guess.

Also, we completely turned off the windows firewall, same result. Zero failed login attempts seen in the Windows Security log on the target computer. It didn't see anything because it wasn't listening.

Now we're not using an RDP file, we just pull up the RDP application in windows and type in the IP address and hit connect. But still, we're not seeing that warning popup from the new update. I put in the reg fix for that anyway, no difference.

I think this is actually unrelated to the Windows update. Except all 10 of our newly imaged computers are refusing RDP connections and it works fine on every other system they own (which may be 24h2). So now they're blaming us. Someone set up the PCs before I worked here so maybe they did sabotage port 3389. I dunno.

I'm at a loss for how to fix or even diagnose this. Ran SFC and DISM and are waiting on an overnight reboot to re-test tomorrow but I guarantee there won't be a listener on 3389 tomorrow because there's no way 10 computers all randomly broke in the same way.

Does this still sound that like April 2026 update or something different and has anyone ran into this? According to my research, listening on 3389 in a fundamental part of the TS system and if it's not there, it's not repairable. So that would suck.

Just found out why our client at this MSP can't log in to their own sharepoint private site (aka onedrive). Their entire sharepoint site is blocked for phishing by the latest definitons of Fortiguard. By the way, if you ever want to check how the content on a site is classified by them:
https://www.fortiguard.com/webfilter
Anyway, I requested re-review. Anyone done this before and have a success rate % estimate and an average turnaround time?