Reddit Sysadmin – Telegram
My boss refused to move away from his password

We have a conditional access policy that requires users to use any form of phishing resistant authentication and a compliant device. Users are given a Temporary Access Pass to sign in to configure WHfB. But, as with many other companies, my boss was excluded and refused to switch to a WHfB PIN. So, I enabled alphanumeric characters and instructed the helpdesk to set up his password as a WHfB PIN.

Now he is mad and bugging me on Sunday because he doesn't have to press Enter after typing in his "password". Fire me, please. I'll see you in court. My position is protected by law since I'm the security officer 🤣😂😁.

Seriously, if you are having pushback from users for WHfB, just enable alphanumeric characters in Intune. Easy fix. Hope it helps others.

https://redd.it/1nb1pfq
@r_systemadmin
HORROR STORY: Microsoft 365 target never provisioned - Tenant says it did

Hey all,
Small business MSP here. We do migrations from 3rd party mail to Microsoft pretty regularly, but this weekend's migration was quite the gem.

Normally these are pretty straightforward: spin up a new Microsoft tenant, add/verify the domain, update DNS, and let the wizard guide you. The Microsoft Admin Center gives you all the green checkmarks under Setup → Domains once everything’s validated, and at that point you’re supposed to be good to go.

That’s exactly what we did — tenant created, domain added, DNS records entered, and the Admin Center proudly showed the domain as “Active.” Microsoft said we were ready to receive email, so we flipped the MX.

We ran some test emails and waited. After about 30 minutes, still nothing. No mail in the tenant, but also no bounce backs. Figured it was just propagation and called it a night.

Next morning, still no mail. Exchange Message Trace showed nothing received at all. Checked the old email system — nothing since the flip there either. Still no bounce backs. We waited longer. Eventually, the first NDRs (bounce backs) started rolling in:

“Your message couldn’t be delivered. Despite repeated attempts to deliver your message, querying the DNS for the recipient’s domain location information failed.”

We double-checked everything. MX records were correct, no typos, SPF/DKIM/DMARC looked fine, nameservers updated. Everything on our side checked out. Since the migration clearly wasn’t working, we rolled the MX back to the old host. Mail resumed flowing there, but all messages sent during the ~24-hour window were lost to bounce-backs.

- Clarification: We thought emails stuck in sending would redirect to the old mail system after the MX record was updated. Turns out that prompted them to just return NDRs. Oops.

Now we’re in full forensic mode. Why did this fail when everything showed green? After a lot of digging (and some prompting from AI), we tried a direct nslookup on the MX target Microsoft had given us:

NSLOOKUP ClientDomain-com.mail.protection.outlook.com 8.8.8.8

Result: NXDOMAIN. **dns.google** can't find ClientDomain-com.mail.protection.outlook.com: Non-existent domain

Turns out Microsoft never created the corresponding record in their DNS. Our MX was correct, but the hostname itself didn’t exist anywhere in the global DNS. With no A/AAAA records for the MX target, there was literally nowhere for inbound mail to go. Mail wasn’t “stuck in propagation” — it was pointing to a black hole.

So to recap:

Tenant domain showed “Active” in Admin Center.
DNS records were all present and correct on our side.
But Microsoft’s automated provisioning never published the MX target hostname (`ClientDomain-com.mail.protection.outlook.com`).
End result: client lost about 24 hours of inbound mail.

TL;DR: Migration failed because Microsoft 365 didn’t provision the MX target hostname in their DNS. Our MX pointed to the right place — but that place literally didn’t exist.
It’s always DNS…

https://redd.it/1nb20iw
@r_systemadmin
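A pre-flight check that would have caught this before the MX flip, added here as an example and not the poster's own tooling: it resolves the domain's MX set and refuses to declare the cutover safe unless every MX target has A/AAAA records, treating NXDOMAIN on the target as the hard failure seen above. The resolver is injected so the constructed zones run offline; the domain, the target hostname and the 192.0.2.25 address are placeholders.

```python
"""Pre-flight check for an MX cutover: every MX target must resolve to A/AAAA."""
from typing import Callable, Dict, List, Tuple

# A resolver is a callable (name, rrtype) -> list of record strings. It returns
# [] when the name exists but has no such records, and raises NxDomain when the
# name does not exist at all (the failure described in the post).
Resolver = Callable[[str, str], List[str]]


class NxDomain(Exception):
    """The queried name does not exist (NXDOMAIN)."""


def check_mx_target(target: str, resolve: Resolver) -> Tuple[bool, str]:
    """Return (ok, reason) for one MX target hostname."""
    addrs: List[str] = []
    for rrtype in ("A", "AAAA"):
        try:
            addrs.extend(resolve(target, rrtype))
        except NxDomain:
            # Hostname absent from global DNS: inbound mail has nowhere to go.
            return False, f"{target}: NXDOMAIN (MX target never published)"
    if not addrs:
        return False, f"{target}: exists but has no A/AAAA records"
    return True, f"{target}: {', '.join(addrs)}"


def preflight_mx(domain: str, resolve: Resolver) -> Dict[str, object]:
    """Resolve the domain's MX set and verify each target before flipping DNS."""
    try:
        mx_records = resolve(domain, "MX")
    except NxDomain:
        return {"safe": False, "mx": [], "report": [f"{domain}: NXDOMAIN"]}
    if not mx_records:
        return {"safe": False, "mx": [], "report": [f"{domain}: no MX records"]}
    # MX record text is "<preference> <exchange>", e.g. "0 host.example."
    targets = [rec.split(None, 1)[1].rstrip(".") for rec in mx_records]
    results = [check_mx_target(t, resolve) for t in targets]
    return {"safe": all(ok for ok, _ in results), "mx": targets,
            "report": [reason for _, reason in results]}


def make_fake_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Offline resolver over a constructed {(name, rrtype): records} map.

    Names present under no rrtype at all raise NxDomain, exactly what a real
    resolver reports for a hostname that was never published.
    """
    known = {name for name, _ in zone}

    def resolve(name: str, rrtype: str) -> List[str]:
        name = name.rstrip(".").lower()
        if name not in known:
            raise NxDomain(name)
        return list(zone.get((name, rrtype), []))

    return resolve


MX_TARGET = "clientdomain-com.mail.protection.outlook.com"  # placeholder target

# Constructed zone reproducing the post: our MX record is correct, but the
# tenant's MX target hostname was never published on the provider's side.
BROKEN_ZONE = make_fake_resolver({("clientdomain.com", "MX"): [f"0 {MX_TARGET}."]})

# Constructed healthy zone: same MX, but the target resolves (documentation IP).
HEALTHY_ZONE = make_fake_resolver({
    ("clientdomain.com", "MX"): [f"0 {MX_TARGET}."],
    (MX_TARGET, "A"): ["192.0.2.25"],
})

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("healthy", HEALTHY_ZONE)):
        result = preflight_mx("clientdomain.com", zone)
        print(f"{label}: safe to flip MX = {result['safe']}; {result['report']}")
```

For a live run, pass a callable that wraps your DNS library (for instance dnspython's dns.resolver.resolve, mapping its NXDOMAIN exception to NxDomain and NoAnswer to an empty list) and run it against the new MX target before touching the MX record.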
Made an app to share sensitive data securely (Alternative to PasswordPusher, Yopass and Bitwarden Send)

Hey folks,
I just open-sourced a small project I've been hacking on: https://dele.to

It's a self-hosted tool for sharing sensitive text or links that automatically self-destruct (configurable) after being viewed or after a set time.

Think "Pastebin for secrets"

Repo: https://github.com/dele-to/dele-to

https://redd.it/1nb32l2
@r_systemadmin
Looking for name of vendor and solution for HDMI / TV over IP from 2010s-20s

Hey all,

Trying to find a vendor name of an HDMI / TV over IP solution from roughly mid 2010s supported through to 2020. Some details I remember:

Slave boxes mounted behind TV units were blue with a yellow /white logo. Roughly the size of a VHS / 2 x DVD covers. Ethernet in, HDMI out to TV nearby. Had a range of output ports available.

Slave boxes connected to a master broadcast unit in the server room. Believe this was a 2 or 4U unit, very hot and very loud.

All administered through either dashboard, or simply mirroring a desktop out to multiple screens.

Allowed for multiple sources, so in this example there was a cycling info slide deck, current visitor schedule to the offices, and then a range of sport channels.

Does anyone happen to know the name of such a vendor and the solution they were providing? Was sold in EMEA most likely US as well.

Many thanks!

https://redd.it/1nb0ph8
@r_systemadmin
Google Chrome update disabled by administrator question.

So I have a client whose Google Chrome gives the following message when you try manually updating Chrome:

"Administrator has disabled updates"

I've already downloaded the Google ADMX and applied the policies, and forced a GPUpdate on the computer. No joy.

I then went to the server, added the ADMX files to the C:\Windows\Policy Definitions folder and did the same in the Group Policy editor. There was already an "UPDATES" policy created, so I just edited the Chrome update policies in that policy. Did a GPUpdate /force on the domain controller (where the group policy resides) and also on the local PC. Still saying the same thing. I downloaded the latest Chrome installer and, without uninstalling Chrome, I was able to update the version by running the installer. But I'd like to be able to enable automatic updates. Any help?


I ran GPResult /r on the workstation and got this output:

C:\WINDOWS\system32>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© Microsoft Corporation. All rights reserved.

Created on 07/09/2025 at 12:41:10 p. m.

RSOP data for INTER*******\**tp* on IQ-WS04 : Logging Mode
-----------------------------------------------------------

OS Configuration: Member Workstation
OS Version: 10.0.19045
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\****
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=IQ-WS04,CN=Computers,DC=inter******,DC=local
Last time Group Policy was applied: 07/09/2025 at 12:19:06 p. m.
Group Policy was applied from: IQ-DC.inter******.local
Group Policy slow link threshold: 500 kbps
Domain Name: INTER*****
Domain Type: Windows 2008 or later

Applied Group Policy Objects
-----------------------------
Local Group Policy

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
IQ-WS04$
Domain Computers
Authentication authority asserted identity
System Mandatory Level

USER SETTINGS
--------------
CN=*PC**,CN=Users,DC=inter*****,DC=local
Last time Group Policy was applied: 07/09/2025 at 11:41:37 a. m.
Group Policy was applied from: IQ-DC.inter*****.local
Group Policy slow link threshold: 500 kbps
Domain Name: INTER*****
Domain Type: Windows 2008 or later

Applied Group Policy Objects
-----------------------------
N/A

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Unknown Reason)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Group Policy Creator Owners
Domain Admins
Personal
Enterprise Admins
Schema Admins
Authentication authority asserted identity
Denied RODC Password Replication Group
OmePowerUsers
OmeAdministrators
OmeUsers
High Mandatory Level

https://redd.it/1nb2ukg
@r_systemadmin
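The output above lists only Local Group Policy under the computer's applied GPOs and N/A for the user, so no domain GPO (the UPDATES policy included) is reaching this workstation at all, whatever the Chrome ADMX settings say. The parser below, added here as an example and not the poster's own, pulls the applied-GPO list per scope out of gpresult /r text and flags scopes with no domain GPO; the sample output, domain and user names are constructed placeholders, and the "headings start with The" rule is an assumption taken from the sample.

```python
"""Parse `gpresult /r` text output and flag scopes where no domain GPO applied."""
import re
from typing import Dict, List

# Constructed excerpt mirroring the post's output (domain and user are placeholders).
SAMPLE_GPRESULT = """
COMPUTER SETTINGS
------------------
CN=IQ-WS04,CN=Computers,DC=example,DC=local

Applied Group Policy Objects
-----------------------------
Local Group Policy

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\\Administrators

USER SETTINGS
--------------
CN=someuser,CN=Users,DC=example,DC=local

Applied Group Policy Objects
-----------------------------
N/A

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
    Filtering:  Not Applied (Unknown Reason)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
"""

SCOPES = {"COMPUTER SETTINGS": "computer", "USER SETTINGS": "user"}
# Every block heading that can follow the GPO list in gpresult /r output starts
# with "The ", so that prefix marks the end of the list (assumption from the sample).
HEADING_RE = re.compile(r"^The ")
LOCAL_ONLY = {"Local Group Policy", "N/A"}  # entries that mean "no domain GPO"


def parse_applied_gpos(text: str) -> Dict[str, List[str]]:
    """Return {scope: [applied GPO names]} for the computer and user scopes."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and set(ln) != {"-"}]  # drop blanks and rules
    applied: Dict[str, List[str]] = {}
    scope = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line in SCOPES:
            scope = SCOPES[line]
            applied.setdefault(scope, [])
        elif line == "Applied Group Policy Objects" and scope:
            i += 1  # collect names until the next heading or the next scope
            while i < len(lines) and not HEADING_RE.match(lines[i]) and lines[i] not in SCOPES:
                applied[scope].append(lines[i])
                i += 1
            continue
        i += 1
    return applied


def find_missing_domain_policy(text: str) -> Dict[str, str]:
    """Map each scope to a finding when only local policy (or nothing) applied."""
    findings: Dict[str, str] = {}
    for scope, gpos in parse_applied_gpos(text).items():
        if not [g for g in gpos if g not in LOCAL_ONLY]:
            findings[scope] = (f"no domain GPO applied to the {scope} scope "
                               f"(applied: {gpos or ['none']}); a domain-linked "
                               "Chrome update policy cannot be in effect here")
    return findings


if __name__ == "__main__":
    for scope, msg in find_missing_domain_policy(SAMPLE_GPRESULT).items():
        print(f"[{scope}] {msg}")
```

Feed it the saved output of gpresult /r from the affected workstation; an empty result means domain GPOs are applying and the problem lies in the policy contents rather than in delivery.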
Am I missing something trying to make a file share work?

So we have 2 PCs, both Win 11 Pro, and a file server with Server 2022 on it. Had them all getting IPs via DHCP and they were pulling 192.168.xx.xx numbers on the same subnet, and I was able to set up a file share on the server and have the PCs able to see it and place files onto it.

A new room was built and I got with the networking team and they thought it would be better just to make a VLAN for these 3 systems and set some IP's and that way we can lock the file server down with no internet access, and the PC's would still be able to place files on it through the network.

So they do all that, and IPs are set on each unit to 10.66.1.21 and 10.66.1.22 for the PCs and 10.66.1.10 for the server.

I got on each PC and verified that those PC's could still get to the internet which they could, and they could ping each other and the server which they can.

I got on the server and can ping each PC and internet is blocked like we wanted.

But on the PCs, when I attempt to go to the already created file share or even create a new file share to the server, it errors out saying it's not a valid file path.

Network team says nothing is being blocked on their end, and the issue has to be the firewall on the server itself.

So I went into Windows Security on the server and set ALLOW for TCP and UDP from the IP range 10.66.1.21 through 10.66.1.22.

I set that rule both for the TO and FROM sections, but the PCs still cannot see the file share path. DNS Client and Function Discovery are both running on the server, service-wise. I did see that network discovery is turned off on the private network in Windows Security on the server, but when I turn it on it just immediately turns itself back off again.

Am I missing something here?

https://redd.it/1nb9pj6
@r_systemadmin
For my company, if I have to switch out of Azure, will selfhost be a good idea

First, for the context, I am not a system admin. I am a Fullstack Developer with minimal knowledge about how to throw my Java/ASP.Net app on Azure for deployment and minimal Docker knowledge.

My company is an MEP company with 40-ish people. We are currently undergoing restructuring (new CEO), which is causing some issues with our cash flow. We have Azure handling our email (Email Communications Service), a VM to run apps, and blob storage to store the files. Now, everything costs up to around 3000-5000 dollars a year, so the accountants asked me if I could find alternative ways to lower the cost.

With this I came up with 2 plans: buying a Dell PowerEdge server or a VPS. We already have a Synology NAS to back up stuff (Vietnamese laws require every company to have a local backup), so I think I can set up the selfhost and do the migration (selfhost can lower the price to below 800 dollars/year). I know it sucks, but for you guys, is it OK to do this?

I really appreciate any help you can provide.

https://redd.it/1nbcm1i
@r_systemadmin
Anyone have a copy of MDT 2008 or/and MDT 2008 Update 1?

Hey, so I was trying to find MDT 2008, but there were no copies of it on the internet as Microsoft pulled the download of it years ago. Wondering if anyone still has a copy of it, as I wanted to experiment with it on my virtual machines.


https://redd.it/1nbd7dv
@r_systemadmin
Challenge Your Inner Critic: Steps 1 & 2 of the Thought Record for Imposter Syndrome

Having identified some common tactics of your inner critic, it's time to introduce a powerful tool to help you fight back against imposter syndrome: The Thought Record. This is a fundamental Cognitive Behavioral Therapy (CBT) technique designed to systematically challenge negative thoughts and gain perspective.

Here are the first two steps to get started:

Step 1: Identify the Situation
When you feel the anxiety of imposter syndrome rising, pause and objectively write down the trigger. Focus on facts, without adding your emotional interpretation.
• Example: "My manager praised my work on the project in the team meeting."

Step 2: Pinpoint the Automatic Negative Thought (ANT) & Rate Your Emotion
Write down the exact thought that went through your mind immediately after the situation. Then, rate the intensity of the emotions you felt (such as anxiety or shame) on a scale of 0-100%.
• Example ANT: "They’re just being polite. I didn’t really do anything special; it was all luck."
• Example Emotion: Anxiety: 80%, Shame: 70%.

These initial steps are crucial. They create a valuable distance, allowing you to observe your thoughts more objectively instead of being consumed by them. This practice helps you start to dismantle the power of your inner critic.

https://redd.it/1nbesjo
@r_systemadmin
Eset is garbage

If you work in any IT-related business, don't bother with ESET; it’s absolute garbage of an antivirus. Not only does it fail to work properly, but it also seems broken the majority of the time. The so-called admin panel is just as useless as the antivirus itself; it rarely functions, and on the rare occasions it does, it’s riddled with problems in every aspect that actually matters.

Creating new security rules is pointless. This software forgets them as soon as the machine restarts, effectively wiping out and lobotomizing all configuration, whether those rules were created in the admin portal or on a local machine.

As for support? It’s practically non-existent. At best, you might get a response every two to three weeks, and even then, the replies are generic and completely useless.

Conclusion: 0.5/10. This software is garbage. The interface is cluttered, dysfunctional, and frustrating to use. The support is absent, the reliability is non-existent. In a few more months, this sad excuse for an antivirus will end up exactly where it belongs: in the trash bin.

https://redd.it/1nbfvog
@r_systemadmin
What’s the best Postman alternative that works fully offline?

I’ve been managing a few internal APIs recently, and one of the pain points has been relying on Postman. It’s solid, but the cloud sync + login requirements aren’t always great when you’re working in locked-down environments.

I’m curious what you are all using as an offline Postman alternative. Ideally something that:

Doesn’t force cloud accounts or syncing

Can run locally (Windows/Linux)

Still supports collections, environment variables, and maybe mocking


Here are a few tools I’ve seen people using:

Hoppscotch – open source, lightweight, can self-host

Bruno – plain text collections, Git-friendly

Apidog – Postman-like, with offline support and docs/mock features

Thunder Client – VS Code extension, simple and handy

Hurl – CLI-based, great for automation

Insomnia – popular, solid REST & GraphQL support

Paw – Mac-only, polished UI

SoapUI – old school, good for SOAP and legacy protocols

Yaak – newer tool by the Insomnia creator

RESTer – Firefox extension for testing APIs directly


Anyone here running one of these in restricted environments? Which worked best for you in sysadmin workflows?

https://redd.it/1nbgelb
@r_systemadmin
Multitenant PAM solution?

Very standard MSP here.
Does anyone have experience with a multitenant PAM solution over a tailnet? Last night I didn't sleep much, so I had this very bad idea.
Any insight?

https://redd.it/1nbit19
@r_systemadmin
Moronic Monday - September 08, 2025

Howdy, /r/sysadmin!

It's that time of the week, Moronic Monday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1nbjmn1
@r_systemadmin
Help with Teams Logs

Hello guys,

An incident happened, and I need to clarify something: is it possible to check in the Teams admin center, or maybe in local logs, whether I took control when a user shared their screen?
The sanction will be different depending on whether the user clicked something by themselves, or if they explicitly gave me control of their PC.

Many thanks in advance for your help

https://redd.it/1nbku5y
@r_systemadmin
Password manager with a view towards future PAM?

I just started a new role as an infrastructure team manager, and the organization I joined is not super mature and is growing its capabilities as they insource a lot of their technology. I'm kind of working to build up the basics, and taking the opportunity to do things better than I've done in past roles.

Today my focus is on password and privilege management. Right now they're using an Azure Key Vault to manage common secrets that multiple people might need, or that need to be stored for later use (things like API keys, accounts for services that don't support SSO that we just have one of for the company, etc.).

Obviously not great, and I want to implement a password manager like Bitwarden or Passwordstate.

This got me to thinking: at my last company we had Passwordstate, which was in place when I joined. I liked it; it wasn't perfect, but it got the job done and ticks all the boxes for a password manager.

But this thread isn't about picking a password manager per se. Since I have the opportunity to start from scratch, it came to mind that maybe we should go full PAM and not just do password management. We're an all-Azure shop, so I also have Azure PIM available for our cloud access management. The trick is I need a password manager like yesterday, and don't want to kick off a full PAM implementation immediately.

So my question: should I pick a platform that can do password vaults but also has PAM functionality, and if so, what are some good candidates? What I see out there seem to be either password vaults or full PAM suites but not great password vaults.

OR

Should I just pick a password manager today, and if we need to move to something else whenever we do get to a PAM project, just migrate?

https://redd.it/1nbm6xe
@r_systemadmin
Alternatives to Site 24x7

We currently use Site 24x7. Is there anything better or comparable to it that you have used?

https://redd.it/1nbnl20
@r_systemadmin
Our postmortem process was basically "let's not do that again"

Used to just ping whoever was online when stuff broke. Last month our checkout died during a huge sale prep and it was a shitshow, 4 different people spinning up war rooms.

3 hours later we figure out it was a config change from that morning. Not because it was hard to fix, but because we spent half the time just figuring out who was supposed to be doing what.

CTO walks over like "fix this process or I'm buying whatever's at the top of Google."

So now we have this bot that creates channels and pulls in the right people automatically. Feels weird having Slack tell me what to do when everything's crashing down, but last incident took 45 minutes instead of 3 hours....

Our retros actually make sense now instead of just "well that sucked, let's try not to break it again."

Still hate getting paged but at least now I know who else is awake and panicking with me.

https://redd.it/1nbq51r
@r_systemadmin
On prem break in

Welp, my company's satellite office got broken into. We’ve been here for a short time and still have another group of people to move in here. Overall it wasn’t the worst, as they mostly got a few iPads/iPhones that come free from our cellular provider. They’re in our MDM, as well as reported stolen with Apple, so as far as I'm aware they’re pretty much useless now. However, I did keep a demo/loan unit on the desk I have at this office that might get used every other week, and sure enough they were able to rip the lock off the laptop, which sucks; luckily it was the oldest generation in our collection and some end user dropped it a crap ton before it came back to us, so we couldn't assign it to anyone else. But the whole thing gave me a chuckle, as our main building security would be really anal about laptop locks, and here's one finally put to the test and it folded relatively instantly. I know they're more for protecting from a grab and go during the day, but I still kinda expected a little bit more from it. From now on I'll be keeping the new one in the locked IT supply closet of course, but I was curious to see if anyone else has similar stories of cable lock failures. Also I added a picture of a paper clip I found on my desk too; looks like they wanted to pick the lock to my file cabinet?? Not sure why, when they pried open two other ones, but wanted to pick this one open.

https://redd.it/1nbp9sj
@r_systemadmin
Justification for not implementing MFA

Would it still be considered Multi-Factor Authentication if the individual computer only has local user accounts, but in order to even get to the computer you must have an RFID badge to access the room where the computer is located? These badges require special approval by both the contractor company and the entity (government) that holds the contract. The locations require approval for accessing the campus, additional approval to access the specific building, and additional approval for the specific rooms the equipment is in.
We are trying to justify a waiver from having to implement MFA due to the above requirements already, plus the equipment does not store or process user/company/contract data. The systems provide either a simulation of hardware for testing software that is developed on separate MFA enabled devices, or connects to real hardware in special access facilities to enable testing against the real hardware. These systems get completely wiped and rebuilt regularly. Isolated systems may not be used for months or years until specific tests are needed. And if implementing MFA per user, the user base per location may be large, turn over regularly, and we won't have people at each site to fix any authentication problems when they randomly decide to perform their tests (air-gapped/no remote access). Only in one location is there even remote access and that can only be done via an MFA enabled computer and must know the NAT'd address of the only handful of machines that can connect.
Trying to see if we can say we are already implementing MFA in some form, or provide justification as to why we will not implement MFA. There are also some contract requirements that would make MFA extremely difficult or outright impossible for those kinds of systems.

https://redd.it/1nbs74r
@r_systemadmin
SMB between Win11 -> Win2k/XP/7 in 2025

Hello

So, before everyone goes "BUT YOU SHOULDN'T RUN WINDOWS 2000 TODAY", well, I don't have a choice. These are CNC routers that cost somewhere between 500.000 and 1 million Euro and have a life expectancy measured in decades. The controller boxes for these run random Windows versions between 2000, XP and 7; one or two run some proprietary system. Some manufacturers may sell updated versions of the controller that run a newer version of Windows, like Windows 7 (I just today heard that we might be buying a new lathe that will come with Windows 10...), but such an upgrade might cost €40k. So buying new ones isn't really an option at this point.

These machines are mostly interfaced with via SMB shares directly on the machines. The GUI on these is always filled by the controller software and doing anything from the machine end of things is just not really a great time.

Now, I have already separated all these machines out on separate VLANs for each machine. None of these have access to the Internet, but can be reached from the production VLAN where our technicians design the programs for the machines and then push them via SMB.

Now, the latest versions of Windows 11, and apparently 10 as well, seem to have changed something so that especially the old ones running Windows 2k no longer allow you to log on to the network shares on them. You just get a "password invalid" error. I tried all the other stuff about changing various things in the SmbClient via PowerShell, but this does not fix it.

I considered removing passwords and users on the 2k machines - I don't know if this will work around the underlying issue. So I didn't try it yet, because I felt that it would just be another security weak spot that might stop the most baseline breach... but maybe I'm just dumb and should have removed the passwords and called the microsegregation good enough for security. (I also clone the disks in them all at regular intervals.)

I also considered a new approach: setting up a middleman server of some sort in another segregated VLAN that would run some older software that would allow me to create a network share on that for each machine, and then run some scripts to auto-copy anything in those folders on to the machines at some set interval, or maybe triggered by changes.

No software etc. can be installed on the controllers.

Do any of you have any insights you might be able to share for this kind of setup? And yes, some of the newer devices do support USB transfer, but this is seen as a major downgrade in user quality of life. It also doesn't really fix that some of the machines do not support it, and that I'd really like for all the machines to follow the same kind of workflow to reduce user stress in an environment where friction with IT systems is particularly unwelcome.

Thanks for reading, and any insight.

https://redd.it/1nbp9du
@r_systemadmin