Best enterprise password manager? (~200 seats, mostly Mac + Windows)
Our company has about 200 users split between Mac and Windows, and is finally serious about a password manager. While I'm all for security, im also under immense pressure to find a solution that is cost-effective and provides demonstrable ROI and business value, and I have smug morons breathing down my neck over this. The budget is tight, and I'm frankly exhausted by the current trend of freemium products that does nothing but lock essential features behind paywalls.
I've personally been burned by services like Defguard and Rustdesk, where after investing time in setup, I find features critical for even basic team setup requiring monthly subnoscriptions, often without month-to-month options. It’s just not sustainable and completely defeats the purpose of self-hosting for me. I want as much control over data as possible and ideally, no recurring subnoscriptions. Also if I mess this up, the aforementioned morons will have a field day, and I dont wanna give them the satisfaction.
Every other option feels like a bait-and-switch, using self-hosted or open source as a marketing scheme only to push enterprise SaaS pricing.
Because of this im heavily leaning towards solutions that offer transparent pricing or, if finding this unicorn is possible, an open source self hosted option. Not likely possible tho if I’m being honest with myself here. Vaultwarden looks decent, allows me to host my own instance, theoretically cutting costs and increasing data control, but thats all there is to it i guess. KeePass and its various clients are also appealing because they operate entirely offline and don't require server infrastructure, inherently free beyond initial setup.
Finally, Passwork claims to offer enterprise-grade security at a sustainable cost with a 30% lower TCO than competitors, which is an interesting claim. However, I need to dig into that to ensure it’s not another hidden subnoscription trap, and I haven’t found many reddit threads about it either. I have no first hand reviews of it, so I’d like those if someone has experience with it
I understand developers need to eat, and I'm not against paying for quality software or support. I regularly donate to projects I value but the "pay a cloud service amount to self-host" model is again just not sustainable for us and imho predatory for the most part.
For those of you who've successfully implemented an enterprise password manager on a budget, particularly with self-hosted solutions, what were your total costs? And do please share if you ran into any vendor lock-in or surprise paywalls, and how you avoided them. Seriously, would appreciate the advice. And sorry for the ramblings, I’ve been under some stress lately
https://redd.it/1njcpcn
@r_systemadmin
Our company has about 200 users split between Mac and Windows, and is finally serious about a password manager. While I'm all for security, im also under immense pressure to find a solution that is cost-effective and provides demonstrable ROI and business value, and I have smug morons breathing down my neck over this. The budget is tight, and I'm frankly exhausted by the current trend of freemium products that does nothing but lock essential features behind paywalls.
I've personally been burned by services like Defguard and Rustdesk, where after investing time in setup, I find features critical for even basic team setup requiring monthly subnoscriptions, often without month-to-month options. It’s just not sustainable and completely defeats the purpose of self-hosting for me. I want as much control over data as possible and ideally, no recurring subnoscriptions. Also if I mess this up, the aforementioned morons will have a field day, and I dont wanna give them the satisfaction.
Every other option feels like a bait-and-switch, using self-hosted or open source as a marketing scheme only to push enterprise SaaS pricing.
Because of this im heavily leaning towards solutions that offer transparent pricing or, if finding this unicorn is possible, an open source self hosted option. Not likely possible tho if I’m being honest with myself here. Vaultwarden looks decent, allows me to host my own instance, theoretically cutting costs and increasing data control, but thats all there is to it i guess. KeePass and its various clients are also appealing because they operate entirely offline and don't require server infrastructure, inherently free beyond initial setup.
Finally, Passwork claims to offer enterprise-grade security at a sustainable cost with a 30% lower TCO than competitors, which is an interesting claim. However, I need to dig into that to ensure it’s not another hidden subnoscription trap, and I haven’t found many reddit threads about it either. I have no first hand reviews of it, so I’d like those if someone has experience with it
I understand developers need to eat, and I'm not against paying for quality software or support. I regularly donate to projects I value but the "pay a cloud service amount to self-host" model is again just not sustainable for us and imho predatory for the most part.
For those of you who've successfully implemented an enterprise password manager on a budget, particularly with self-hosted solutions, what were your total costs? And do please share if you ran into any vendor lock-in or surprise paywalls, and how you avoided them. Seriously, would appreciate the advice. And sorry for the ramblings, I’ve been under some stress lately
https://redd.it/1njcpcn
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Sonicwall security breach: cloud backups compromised
I didn't see this posted yet.
Sonicwall cloud backups have been compromised.
https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330
Steps are to reset everything.
https://www.sonicwall.com/support/knowledge-base/essential-credential-reset/250909151701590
Anyone changing subnets and host IPs too?
https://redd.it/1njdtn5
@r_systemadmin
I didn't see this posted yet.
Sonicwall cloud backups have been compromised.
https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330
Steps are to reset everything.
https://www.sonicwall.com/support/knowledge-base/essential-credential-reset/250909151701590
Anyone changing subnets and host IPs too?
https://redd.it/1njdtn5
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Typos in Dell SupportAssist Upgrade Tool
While running the Dell SupportAssist Upgrade Tool last night I noticed the ridiculous amount of typos as the app is running and giving feedback. This app was obviously written by someone whose primary language is not English. That's fine, but come on Dell. ZERO effort in QA here. They just pushed out this tool to the public.
https://redd.it/1njjvza
@r_systemadmin
While running the Dell SupportAssist Upgrade Tool last night I noticed the ridiculous amount of typos as the app is running and giving feedback. This app was obviously written by someone whose primary language is not English. That's fine, but come on Dell. ZERO effort in QA here. They just pushed out this tool to the public.
https://redd.it/1njjvza
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Is there a device that makes 1-man switch mounting non-miserable?
Mounting Cisco switches (and other vendors, for that matter) in a rack is a major pain when going solo. Server lifts are godsends when needed, but are also a pain to get and use.
Is there some device that can be inserted in a 4-post rack that can temporarily hold a switch in place while mounting it?
Of course mounting switches directly above a server is easy. It’s those switches that are mounted around 38-39U that have nothing above them or nothing in close proximity below them. Sound needs to be to hold anything above 25lbs.
And 20x bonus points if it’s easily portable and can fit in a carry-on bag
https://redd.it/1njkyv3
@r_systemadmin
Mounting Cisco switches (and other vendors, for that matter) in a rack is a major pain when going solo. Server lifts are godsends when needed, but are also a pain to get and use.
Is there some device that can be inserted in a 4-post rack that can temporarily hold a switch in place while mounting it?
Of course mounting switches directly above a server is easy. It’s those switches that are mounted around 38-39U that have nothing above them or nothing in close proximity below them. Sound needs to be to hold anything above 25lbs.
And 20x bonus points if it’s easily portable and can fit in a carry-on bag
https://redd.it/1njkyv3
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
AC Company Thermostat Demands
AC company demanded port forwarding for their AC controller. I reluctantly set it up. A year later they add a 2nd controller and port forwarding doesn't work. Still connects on local network, but forces HTTPS to HTTP. I tell them they never set it up with a certificate. They bark back that their device is secure and I don't know how to port forward. Now they want a VPN, which the basic ISP router does not offer. They want a VPN router put in.
I say no and that if I can buy a $100 honeywell thermostat from walmart and that I can log on that thing on homeywell.com and control it, securely, there is no reason their controller can't do the same. Or, if that is beyond their ability, they can place a PC on network with a remote service and that device will be allowed to connect with the controllers locally.
AITA? What say ye? Which way is most secure / common in 2025?
* To clarify, this is a million dollar AC system and a $30k custom controller. I have the same instance with the same company for a few buildings. It is the local Trane fabrication facility and their regional security officer making the demands.
** Follow up
Basic ISP router because it is a separate building. Only has the AC and 2 computers with unique roles that needed separate upload bandwidth, but don't perform business work.
AC company basically says fine, don't do it. We will bill you for 2 guys, a van, and drive time any time we need to check the stats. My employer is fairly married into the system with these guys. Not many can work on old, custom trane systems.
I do have it as separate network at other sites using port forward (sites that have a business firewall).
I guess the crux question is: is it safer to not have port forwarding but to use VPN to network, or to have port forwarding without VPN. Or with a PC with remotePC or whatever on it and none of that jazz (my choice). They are rejecting the PC idea. Guess the business will have to buy another enterprise router and pay annual fees for it. Cheaper than AC guys coming out...
Thanks for the support. They treat you like you're the crazy one, and sometimes you start to believe it...
https://redd.it/1njh3v1
@r_systemadmin
AC company demanded port forwarding for their AC controller. I reluctantly set it up. A year later they add a 2nd controller and port forwarding doesn't work. Still connects on local network, but forces HTTPS to HTTP. I tell them they never set it up with a certificate. They bark back that their device is secure and I don't know how to port forward. Now they want a VPN, which the basic ISP router does not offer. They want a VPN router put in.
I say no and that if I can buy a $100 honeywell thermostat from walmart and that I can log on that thing on homeywell.com and control it, securely, there is no reason their controller can't do the same. Or, if that is beyond their ability, they can place a PC on network with a remote service and that device will be allowed to connect with the controllers locally.
AITA? What say ye? Which way is most secure / common in 2025?
* To clarify, this is a million dollar AC system and a $30k custom controller. I have the same instance with the same company for a few buildings. It is the local Trane fabrication facility and their regional security officer making the demands.
** Follow up
Basic ISP router because it is a separate building. Only has the AC and 2 computers with unique roles that needed separate upload bandwidth, but don't perform business work.
AC company basically says fine, don't do it. We will bill you for 2 guys, a van, and drive time any time we need to check the stats. My employer is fairly married into the system with these guys. Not many can work on old, custom trane systems.
I do have it as separate network at other sites using port forward (sites that have a business firewall).
I guess the crux question is: is it safer to not have port forwarding but to use VPN to network, or to have port forwarding without VPN. Or with a PC with remotePC or whatever on it and none of that jazz (my choice). They are rejecting the PC idea. Guess the business will have to buy another enterprise router and pay annual fees for it. Cheaper than AC guys coming out...
Thanks for the support. They treat you like you're the crazy one, and sometimes you start to believe it...
https://redd.it/1njh3v1
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
How long were you a developer before moving to sysadmin?
Question in noscript.
I know the answer will be 0 days for many, but for those of you who use to be a software developer, how long were you doing that before you became a systems administrator?
And following question, do you wish more of your peers had a similar background?
https://redd.it/1njtd79
@r_systemadmin
Question in noscript.
I know the answer will be 0 days for many, but for those of you who use to be a software developer, how long were you doing that before you became a systems administrator?
And following question, do you wish more of your peers had a similar background?
https://redd.it/1njtd79
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
I think this subreddit managed to give me a reality check..
Saying this as a High School Senior
Wanting to become a sysadmin in the future almost seems uncertain and almost slightly demotivating for getting into IT as a whole..
I still want to at least try as I’ve had a passion for it (and technology in general) but it almost makes me question if I should even bother as I’d rather not get into trades, plus wages in south florida aren’t exactly the best.
And going to the military doesn’t seem that ideal to me either.
Am I just overthinking things currently or would things “maybe” get better?
https://redd.it/1njwgs2
@r_systemadmin
Saying this as a High School Senior
Wanting to become a sysadmin in the future almost seems uncertain and almost slightly demotivating for getting into IT as a whole..
I still want to at least try as I’ve had a passion for it (and technology in general) but it almost makes me question if I should even bother as I’d rather not get into trades, plus wages in south florida aren’t exactly the best.
And going to the military doesn’t seem that ideal to me either.
Am I just overthinking things currently or would things “maybe” get better?
https://redd.it/1njwgs2
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
The Daunting Task of App Deployment through Company Portal.
My manager has tasked me with deploying all of our apps through Company portal. All 200+ of them across about 1,000 users. Most of the apps have an exe only and ends up writing a registry key to who the hell knows so validation is tough. It takes me 9-10 tries to test deploy an app on a test machine before it starts to look like it’s working.
And then just pray it doesn’t need an update for a while or I’m doing it all over again. For every app.
Then there are these apps that need .NET 8 to supersede and a couple hotfixes before you can even try to run the executable. I’ve gotten that to work a total of 0 times.
Please tell me I’m an idiot and there’s a better way to do this. It’s my first major project in my career and I don’t want to kill it through a lack of ability. While I should have set some boundaries early, I jumped at the chance to take on something that wasn’t glorified help desk.
https://redd.it/1njwqje
@r_systemadmin
My manager has tasked me with deploying all of our apps through Company portal. All 200+ of them across about 1,000 users. Most of the apps have an exe only and ends up writing a registry key to who the hell knows so validation is tough. It takes me 9-10 tries to test deploy an app on a test machine before it starts to look like it’s working.
And then just pray it doesn’t need an update for a while or I’m doing it all over again. For every app.
Then there are these apps that need .NET 8 to supersede and a couple hotfixes before you can even try to run the executable. I’ve gotten that to work a total of 0 times.
Please tell me I’m an idiot and there’s a better way to do this. It’s my first major project in my career and I don’t want to kill it through a lack of ability. While I should have set some boundaries early, I jumped at the chance to take on something that wasn’t glorified help desk.
https://redd.it/1njwqje
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Thickheaded Thursday - September 18, 2025
Howdy, /r/sysadmin!
It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!
https://redd.it/1nk44zf
@r_systemadmin
Howdy, /r/sysadmin!
It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!
https://redd.it/1nk44zf
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
CA policy blocking Office 365, blocks https://myaccount.microsoft.com/ also?
We implemented CA policies that:
block Office 365 access from unmanaged devices (isCompliant = False, any device platform except Android & iPhone)
force APP / MAM-WE for Office 365 (Android and iPhone only)
Some of our users have company email, but no company devices (production workers). They should be able to register and maintain their MFA from unmanaged devices. But with these policies in place (both targeted to the Office 365 resource), users from unmanaged devices can access https://mysignins.microsoft.com/ and https://aka.ms/mfasetup, but they cant access https://myaccount.microsoft.com/ . The second policy applies APP which results in 'sign in with edge browser' message.
I excluded 'My Profile' 8c59ead7-d703-4a27-9e55-c96a0054c8d2 since it came up in the logs. After that MS Graph popped up and i decided to pause, since i'm unsure this is the way. Excluding MS Graph is likely a security issue.
Am i going at this the wrong way?
https://redd.it/1nk4o5f
@r_systemadmin
We implemented CA policies that:
block Office 365 access from unmanaged devices (isCompliant = False, any device platform except Android & iPhone)
force APP / MAM-WE for Office 365 (Android and iPhone only)
Some of our users have company email, but no company devices (production workers). They should be able to register and maintain their MFA from unmanaged devices. But with these policies in place (both targeted to the Office 365 resource), users from unmanaged devices can access https://mysignins.microsoft.com/ and https://aka.ms/mfasetup, but they cant access https://myaccount.microsoft.com/ . The second policy applies APP which results in 'sign in with edge browser' message.
I excluded 'My Profile' 8c59ead7-d703-4a27-9e55-c96a0054c8d2 since it came up in the logs. After that MS Graph popped up and i decided to pause, since i'm unsure this is the way. Excluding MS Graph is likely a security issue.
Am i going at this the wrong way?
https://redd.it/1nk4o5f
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Sys admin Pranks
What pranks did you pull on others to make daily life go better or just to be a PITA
About 20 years ago i was in our modest server room, some racking with about 12 p3 full tower cases, the room was in effect a converted office, with air con (recirculating)and an alarm. one day i'm working in there and i let rip, i didn't think much of it, until 3 hours later. when i got a call from one of the other sys admins. he got hit full force in the face with the smell from hell, yep it stank to high heaven and yes i chuckle even now about it
https://redd.it/1nk56rq
@r_systemadmin
What pranks did you pull on others to make daily life go better or just to be a PITA
About 20 years ago i was in our modest server room, some racking with about 12 p3 full tower cases, the room was in effect a converted office, with air con (recirculating)and an alarm. one day i'm working in there and i let rip, i didn't think much of it, until 3 hours later. when i got a call from one of the other sys admins. he got hit full force in the face with the smell from hell, yep it stank to high heaven and yes i chuckle even now about it
https://redd.it/1nk56rq
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Just found out we had 200+ shadow APIs after getting pwned
So last month we got absolutely rekt and during the forensics they found over 200 undocumented APIs in prod that nobody knew existed. Including me and I'm supposedly the one who knows our infrastructure.
The attackers used some random endpoint that one of the frontend devs spun up 6 months ago for "testing" and never tore down. Never told anyone about it, never added it to our docs, just sitting there wide open scraping customer data.
Our fancy API security scanner? Useless. Only finds stuff thats in our OpenAPI specs. Network monitoring? Nada. SIEM alerts? What SIEM alerts.
Now compliance is breathing down my neck asking for complete API inventory and I'm like... bro I don't even know what's running half the time. Every sprint someone deploys a "quick webhook" or "temp integration" that somehow becomes permanent.
grep -r "app.get|app.post" across our entire codebase returned like 500+ routes I've never seen before. Half of them don't even have auth middleware.
Anyone else dealing with this nightmare? How tf do you track APIs when devs are constantly spinning up new stuff? The whole "just document it" approach died the moment we went agile.
Really wish there was some way to just see whats actually listening on ports in real time instead of trusting our deployment docs that are 3 months out of date.
This whole thing could've been avoided if we just knew what was actually running vs what we thought was running.
https://redd.it/1nk7jpr
@r_systemadmin
So last month we got absolutely rekt and during the forensics they found over 200 undocumented APIs in prod that nobody knew existed. Including me and I'm supposedly the one who knows our infrastructure.
The attackers used some random endpoint that one of the frontend devs spun up 6 months ago for "testing" and never tore down. Never told anyone about it, never added it to our docs, just sitting there wide open scraping customer data.
Our fancy API security scanner? Useless. Only finds stuff thats in our OpenAPI specs. Network monitoring? Nada. SIEM alerts? What SIEM alerts.
Now compliance is breathing down my neck asking for complete API inventory and I'm like... bro I don't even know what's running half the time. Every sprint someone deploys a "quick webhook" or "temp integration" that somehow becomes permanent.
grep -r "app.get|app.post" across our entire codebase returned like 500+ routes I've never seen before. Half of them don't even have auth middleware.
Anyone else dealing with this nightmare? How tf do you track APIs when devs are constantly spinning up new stuff? The whole "just document it" approach died the moment we went agile.
Really wish there was some way to just see whats actually listening on ports in real time instead of trusting our deployment docs that are 3 months out of date.
This whole thing could've been avoided if we just knew what was actually running vs what we thought was running.
https://redd.it/1nk7jpr
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Hot desk booking software recommendations for 100 person hybrid office - any free solutions?
Our hybrid office is a becoming a bit of a mess so looking for an upgrade.
We've got 100 people fighting over maybe 60 desks at the moment, and are currently using a very DIY approach with Outlook calendar but it's just not cutting it for a proper hybrid setup.
From what I’ve seen online, I’m thinking that we need something more visual to make the whole process clearer for everyone.
Ideally I’d like something that still integrates with Outlook calendar and won’t bankrupt us (preferably free). And extra points if it’s easy to use so I don’t have to do this again in 3 months, defeated and sad.
I've been looking at Deskbird, Archie and a few others. Also considered Microsoft Places but wondering if that’s going be good enough?
Anyone using any of these (or better yet, know of something that’s free). Any pointers at all would be appreciated. Thanks!
https://redd.it/1nk5t6u
@r_systemadmin
Our hybrid office is a becoming a bit of a mess so looking for an upgrade.
We've got 100 people fighting over maybe 60 desks at the moment, and are currently using a very DIY approach with Outlook calendar but it's just not cutting it for a proper hybrid setup.
From what I’ve seen online, I’m thinking that we need something more visual to make the whole process clearer for everyone.
Ideally I’d like something that still integrates with Outlook calendar and won’t bankrupt us (preferably free). And extra points if it’s easy to use so I don’t have to do this again in 3 months, defeated and sad.
I've been looking at Deskbird, Archie and a few others. Also considered Microsoft Places but wondering if that’s going be good enough?
Anyone using any of these (or better yet, know of something that’s free). Any pointers at all would be appreciated. Thanks!
https://redd.it/1nk5t6u
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Where do you draw the line between monitoring and surveillance?
Some companies are getting really heavy handed like keystroke loggers, screen recorders, even browser activity tracking for productivity. i obviously hate it, and it doesnt exactly build trust. But then again, insider threats are real, and visibility matters. What is ur thoughts on keeping staff safe/productive and not creeping them out?
https://redd.it/1nk5uq6
@r_systemadmin
Some companies are getting really heavy handed like keystroke loggers, screen recorders, even browser activity tracking for productivity. i obviously hate it, and it doesnt exactly build trust. But then again, insider threats are real, and visibility matters. What is ur thoughts on keeping staff safe/productive and not creeping them out?
https://redd.it/1nk5uq6
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
CVE-2025-55241
This one is wild and should be enough to not trust Entra ID. Still don’t understand why this isn’t a score 10. Any global admin token was accepted for any tenant, making virtually all systems open to anyone. Wild. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241
https://redd.it/1nkaxd7
@r_systemadmin
This one is wild and should be enough to not trust Entra ID. Still don’t understand why this isn’t a score 10. Any global admin token was accepted for any tenant, making virtually all systems open to anyone. Wild. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241
https://redd.it/1nkaxd7
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Is noscripting just a skill that some people will never get?
On my team, I was the noscripting guy. You needed something noscripted or automated, I'd bang something out in bash, python, PowerShell or vbnoscript. Well, due to a reorg, I am no longer on that team. And they still have a need for noscripting, but the people left on the team and either saying they can't do it, or writing extremely primitive noscripts, which are just basically batch files.
So, my question, can these guys just take some time and learn how to noscript, or are some people just never going to get it?
I don't want to spend a ton of time training these guys on what I did, if this is just never going to be a skill they can master.
https://redd.it/1nkczz1
@r_systemadmin
On my team, I was the noscripting guy. You needed something noscripted or automated, I'd bang something out in bash, python, PowerShell or vbnoscript. Well, due to a reorg, I am no longer on that team. And they still have a need for noscripting, but the people left on the team and either saying they can't do it, or writing extremely primitive noscripts, which are just basically batch files.
So, my question, can these guys just take some time and learn how to noscript, or are some people just never going to get it?
I don't want to spend a ton of time training these guys on what I did, if this is just never going to be a skill they can master.
https://redd.it/1nkczz1
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Hybrid Exchange 2016 to Hybrid Exchange 2019
Hello all!
I'm going to preface this with I'm not the best with Exchange.
We're in the process of updating to Exchange 2019. We're already fully migrated - no public folders or mailboxes on prem. We only use Exchange to manage and create users/mailboxes. Exchange is also used as an internal SMTP relay for copiers and other appliances.
We already have the new server created however, a few of our certs are expired. The Microsoft Exchange Server Auth Cert and the Exchange Delegation Federation certs are invalid.
When I've looked into this, it seems easy to fix - run a noscript to renew the Auth cert and then delete any federations and then run the Hybrid Config Wizard. https://www.alitajran.com/get-exchangecertificate-blank-output/
We appear to be in Full Classic mode.
I have a few questions regarding all of this:
Do we need to worry about these certs if we're already migrated? It seems that these certs might not be used for anything anymore since we aren't migrating mailboxes and we have no on-prem mailboxes that need to share free/busy status.
If I don't, will it screw something up when we add the new 2019 server to the send O365 connectors?
Do we need to even run the HCW if we're already migrated? This step isn't listed in a guide I've been following from PeteNetLive - [https://www.petenetlive.com/kb/article/0001472](https://www.petenetlive.com/kb/article/0001472)
If I do need to fix the certs and then run the HCW, should we remain at Full Classic or move to Minimal Modern?
My brain is telling me we should fix the certs and do an apples to apples migration from 2016 to 2019.
Any help is greatly appreciated.
https://redd.it/1nkcbs6
@r_systemadmin
Hello all!
I'm going to preface this with I'm not the best with Exchange.
We're in the process of updating to Exchange 2019. We're already fully migrated - no public folders or mailboxes on prem. We only use Exchange to manage and create users/mailboxes. Exchange is also used as an internal SMTP relay for copiers and other appliances.
We already have the new server created however, a few of our certs are expired. The Microsoft Exchange Server Auth Cert and the Exchange Delegation Federation certs are invalid.
When I've looked into this, it seems easy to fix - run a noscript to renew the Auth cert and then delete any federations and then run the Hybrid Config Wizard. https://www.alitajran.com/get-exchangecertificate-blank-output/
We appear to be in Full Classic mode.
I have a few questions regarding all of this:
Do we need to worry about these certs if we're already migrated? It seems that these certs might not be used for anything anymore since we aren't migrating mailboxes and we have no on-prem mailboxes that need to share free/busy status.
If I don't, will it screw something up when we add the new 2019 server to the send O365 connectors?
Do we need to even run the HCW if we're already migrated? This step isn't listed in a guide I've been following from PeteNetLive - [https://www.petenetlive.com/kb/article/0001472](https://www.petenetlive.com/kb/article/0001472)
If I do need to fix the certs and then run the HCW, should we remain at Full Classic or move to Minimal Modern?
My brain is telling me we should fix the certs and do an apples to apples migration from 2016 to 2019.
Any help is greatly appreciated.
https://redd.it/1nkcbs6
@r_systemadmin
ALI TAJRAN
How to fix Get-ExchangeCertificate shows blank output
Learn how to fix the Get-ExchangeCertificate cmdlet showing blank output by replacing the Microsoft Exchange Server Auth certificate.
New and Improved (hahahah) Microsoft Purview
Has anyone else had to deal with the degradation of the purview portal in MS latest update (been around a while now). I had a few holds that were created in the legacy portal that no longer work and creating new holds has silly limitations and weird issues. I usually just get used to the updates that MS performs on their portals, but this one is just terrible, no matter how much I work with it.
The erroring is also terrible, unless you use Powershell.
Just posting out of absolute frustration.
https://redd.it/1nkh52x
@r_systemadmin
Has anyone else had to deal with the degradation of the purview portal in MS latest update (been around a while now). I had a few holds that were created in the legacy portal that no longer work and creating new holds has silly limitations and weird issues. I usually just get used to the updates that MS performs on their portals, but this one is just terrible, no matter how much I work with it.
The erroring is also terrible, unless you use Powershell.
Just posting out of absolute frustration.
https://redd.it/1nkh52x
@r_systemadmin
Running AutoCAD as non-admin
I have a handful of users who need to use AutoCAD. I discovered that as of the August Windows updates, changes to UAC were made that cause problems with AutoCAD launching. Normal users get error 1730: You must be an administrator to remove the application. Admins can launch the app with no issues.
I contacted Autodesk support, and they referred me to the Microsoft KB article that describes how to add the product code to the registry to bypass UAC prompts. Even though Autodesk support didn't give me it and had no clue what I was talking about, despite being referenced in the KB they sent me, I also found the Autodesk KB that references the issue and helpfully gives the product code format for all of their apps to make finding and adding the strings to the registry. Easy and done, right? Nope...
Even after adding the keys to the registry and restarting, users are still getting the same error message. We use AppLocker, so looking at the AppLocker logs, I can see the app was permitted to start, and the MST located in the windows\\installer directory that it tries to launch were permitted, but the app still doesn't launch. There are no AppLocker events that indicate anything, even things not related to Autodesk apps are being blocked. I also double-checked the product code I see being run in the AppLocker logs, and it matches the code I entered. Soo...I'm stuck.
Has anyone else encountered and worked around this issue? Initially, I thought I could rollback from the 2026 version to 2024, which previously worked, but no, it too has the same issue.
https://redd.it/1nki5bq
@r_systemadmin
I have a handful of users who need to use AutoCAD. I discovered that as of the August Windows updates, changes to UAC were made that cause problems with AutoCAD launching. Normal users get error 1730: You must be an administrator to remove the application. Admins can launch the app with no issues.
I contacted Autodesk support, and they referred me to the Microsoft KB article that describes how to add the product code to the registry to bypass UAC prompts. Even though Autodesk support didn't give me it and had no clue what I was talking about, despite being referenced in the KB they sent me, I also found the Autodesk KB that references the issue and helpfully gives the product code format for all of their apps to make finding and adding the strings to the registry. Easy and done, right? Nope...
Even after adding the keys to the registry and restarting, users are still getting the same error message. We use AppLocker, so looking at the AppLocker logs, I can see the app was permitted to start, and the MST located in the windows\\installer directory that it tries to launch were permitted, but the app still doesn't launch. There are no AppLocker events that indicate anything, even things not related to Autodesk apps are being blocked. I also double-checked the product code I see being run in the AppLocker logs, and it matches the code I entered. Soo...I'm stuck.
Has anyone else encountered and worked around this issue? Initially, I thought I could rollback from the 2026 version to 2024, which previously worked, but no, it too has the same issue.
https://redd.it/1nki5bq
@r_systemadmin
Autodesk
AutoCAD products request admin credentials or give "Error 1730. You must be an Administrator..." after the installation of the…
Users reported that after the installation of the following Security Updates for Microsoft Windows. Security Update for Microsoft Windows (KB5063875) for Windows 11 Security Update for Microsoft Windows (KB5064010) for Windows 11 Security Update for Microsoft…
User was compromised and sent out 2000 emails with a bad link, 24 hours later the User still can't receive or send users after mitigation steps
As the noscript says, I have a user who has sent out 2000 emails with a malicious link. I was able to mitigate the issue by removing said OneNote page and we reset the password and information for the user in question. It's been 24 hours, and the (real) user still can't receive or send emails. I have sent emails to the user to test this and see on the trace that these emails are delivered, but they are not getting to the end user. I know Microsoft will stop emails sent from an individual user at some point, but what is the protocol to allowing the user to get and receive emails again?
*Note: This is a volunteer gig and I'm definitely not SYS Admin but have novice knowledge around Azure admin center.
https://redd.it/1nkjckp
@r_systemadmin
As the noscript says, I have a user who has sent out 2000 emails with a malicious link. I was able to mitigate the issue by removing said OneNote page and we reset the password and information for the user in question. It's been 24 hours, and the (real) user still can't receive or send emails. I have sent emails to the user to test this and see on the trace that these emails are delivered, but they are not getting to the end user. I know Microsoft will stop emails sent from an individual user at some point, but what is the protocol to allowing the user to get and receive emails again?
*Note: This is a volunteer gig and I'm definitely not SYS Admin but have novice knowledge around Azure admin center.
https://redd.it/1nkjckp
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
How do you balance ‘get it done’ vs. ‘there must be a better way’ as a sysadmin?
Something I keep struggling with is actually getting things done vs constantly thinking there must be a better tool, noscript, or process out there. With the amount of really useful tools, noscripts, online resources, etc. out there I'm always worried that the task I'm about to set out on could be done faster, bestter, be more automated, all that good stuff.
Whenever I'm about to start a task I’ll often catch myself thinking:
“Is this even the best way to do this? There’s probably some open source tool, online resource, or hidden feature that would save me time.”
The problem is that thought pattern sometimes leads to over researching instead of executing. I end up stuck between "just do it with the process or tools I know" and "wait a sec, let me try do this in the best practice, most efficient modern way. Maybe I should spend hours hunting for a more elegant solution".
Do other sysadmins struggle with this? How do you personally strike the balance between “just get it done even if it's not the most perfect, efficient solution” and “investing time to find a smarter way”?
https://redd.it/1nkoplb
@r_systemadmin
Something I keep struggling with is actually getting things done vs constantly thinking there must be a better tool, noscript, or process out there. With the amount of really useful tools, noscripts, online resources, etc. out there I'm always worried that the task I'm about to set out on could be done faster, bestter, be more automated, all that good stuff.
Whenever I'm about to start a task I’ll often catch myself thinking:
“Is this even the best way to do this? There’s probably some open source tool, online resource, or hidden feature that would save me time.”
The problem is that thought pattern sometimes leads to over researching instead of executing. I end up stuck between "just do it with the process or tools I know" and "wait a sec, let me try do this in the best practice, most efficient modern way. Maybe I should spend hours hunting for a more elegant solution".
Do other sysadmins struggle with this? How do you personally strike the balance between “just get it done even if it's not the most perfect, efficient solution” and “investing time to find a smarter way”?
https://redd.it/1nkoplb
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community