New leadership chipping away at security
So we got new leadership late last year at our org, and this year they have started to issue functionally decrees in spite of strenuous objection from myself and my direct boss. They're overriding security policies for convenience, functionally, and at this point I'm getting nervous knowing that it's just a matter of time until something gets compromised.
I've provided lengthy and detailed objections including the technical concerns, the risks, and the potential fixes - some of my best writeups to be honest - and they're basically ignoring them and pushing for me to Nike it. A matter of just a few months and this has completely exhausted me.
Yes, I'm already looking at leaving, but how do you handle this kind of thing? I'm not really very good at "letting go" from a neurodiverse standpoint, so while I want to be like "Water off a duck's back" I can't. Pretty sure it'll bother me for a while even if I leave soon, just because we're the kind of org that can't afford to be compromised, so ethically this bothers me.
https://redd.it/1nrcd0r
@r_systemadmin
Creating a Super Restricted Windows User - Browser Profile + Printer Only Access
Hey everyone! I need to set up a Windows user account with very specific limitations and hoping someone has experience with this.
What I'm trying to achieve:
1.User can ONLY access one specific browser profile (Chrome)
2.User can ONLY use one specific invoice printer installed on that PC
3.User has NO access to anything else on the computer (no other apps, no file explorer, no settings, etc. and can't install anything new either)
Basically looking to create a "kiosk mode" type setup where the user is completely locked down except for these two specific functions. Does anyone have experience with that?
https://redd.it/1nrpscm
@r_systemadmin
Are there any Windows 11 certifications for an IT Support role?
I am looking to do a certification course for Windows 11 but I can’t find any. Well, are there no certifications yet for Windows?
Are there any certifications for the Windows operating system? How do IT Support staff learn Windows if there is no certification for the Windows operating system?
https://redd.it/1nrz44a
@r_systemadmin
Confused about Microsoft Server License renewal
Hi Everyone,
Hope all is going well. I’m assisting our management team with renewing our Microsoft server licenses for the first time, and I want to make sure we understand the licensing rules correctly.
From what I’ve read, and based on discussions with our sales representative (who seemed a bit unsure), here’s my understanding:
* Microsoft server licenses are counted based on physical cores of the hosts.
* For example, if we have 5 hosts, each with 20 physical cores, we need to license based on the number of cores per host.
* There is a minimum license requirement of 16 cores per physical host.
* The number of virtual machines running on those hosts does not directly affect licensing, as long as the physical hosts have the required core licenses.
* So, theoretically, we could run 50 VMs on these hosts with Microsoft Server Standard license, as long as the physical cores are properly licensed.
I want to make sure this is accurate before presenting it to our vendor.
Does anyone have a proper Microsoft link or documentation confirming this?
Let me know your thoughts
https://redd.it/1ns05z9
@r_systemadmin
Not learning much at the internship
Finally, after applying for a few years I've gotten a job in IT. The role is a Student role as an IT support. Took me so long to finally land one role, had to go back to school, make projects, work on my resume so much.
Now, the problem is that I already had imposter syndrome and this job is gonna intensify that. We have like 4-5 people in the team, some taking care of tickets (including hardware & software issues), some doing lifecycle projects for devices and some managing assets etc. I think I'm supposed to do a lil bit of everything in the next 4 months of this internship/co-op role. However, no one is training me for anything.
Everyone seems to be busy with their own work and not taking the responsibility to train me. The supervisor and manager are already not very nice (I sensed during the interview) and they're busy with meetings and high level stuff so I don't wanna bother them. I accepted the role because I wanted to get my foot in the door but there's no formal training of any sort.
One of the co-workers just asked me to start looking at tickets and working on the easy ones, but I have no prior related experience and as a student I'm supposed to learn. There's no job shadowing or anything like that. They're not really giving me any other tasks.
Is this how internships are supposed to be, or is this company just disorganized? They have hired students before so this isn't their first time, but they are acting like they don't know how to train me or they don't care for it. They have given me very simple tasks related to imaging laptops but that's all they gave me in 2 weeks.
Am I thinking too much and should wait, or is there something wrong? Am I supposed to learn everything on my own by doing it, or was I supposed to get training for at least a week?
https://redd.it/1ns1fjv
@r_systemadmin
Looking for MDM solution for 200 Lenovo Android 15 tablets in a school environment
Hi everyone,
I work as IT support in a primary school. We are planning to introduce around 200 Lenovo Android 15 devices for student use in classrooms. I’m looking for a reliable MDM solution that can meet the following requirements:
* Bulk app installation, with support for pushing custom APKs directly (not only through Google Play).
* Lock down the status bar (so students cannot swipe down and change settings).
* Force automatic WiFi connection, disallowing custom WiFi changes.
* Customizable and locked home screen layout.
* Real-time device monitoring (battery, volume, storage, etc.).
* Remote power management (e.g., control battery use, remotely shut down devices).
# What I’ve tried so far:
1. Azure Intune
   * Covers most of the requirements.
   * Big problem: It doesn’t allow direct APK upload/push. For non-Play Store apps, you must use Google Play private app publishing.
   * Issue: If the app is available in other regions but not in the current Play Store region, uploading it as a private app will trigger Google Play’s package name conflict check. If the package name already exists anywhere in the global Play Store, the upload is rejected.
   * I’ve tried renaming/re-signing the APK to bypass this, but some apps have network auth and anti-tamper checks tied to the original package name. That breaks functionality.
   * So I’m stuck: keeping the original package name = can’t upload; changing it = app breaks.
   * Question: Am I missing something? Is there any way to push APKs directly with Intune?
2. Google Endpoint Management
   * Very basic compared to Intune.
   * Same limitation with Play Store private apps and package name conflicts.
3. Other commercial MDMs
   * Many look feature-rich but expensive.
   * Not sure which ones are truly worth considering for education use at this scale.
4. Open-source MDMs
   * Example: Headwind MDM.
   * Haven’t tested yet. Curious if anyone here has hands-on experience.
5. ADB + Intune hybrid
   * Idea: Use wireless/USB ADB to batch install APKs, then rely on Intune for policy enforcement.
   * Feels hacky and technical, but could be a backup plan.
Questions:
* Has anyone deployed a similar setup (large scale, education, Android 15) and found a working MDM solution that supports direct APK distribution?
* Are there any workarounds for Intune to bypass the Google Play package name conflict problem?
* Is Headwind MDM (or any other open-source MDM) mature enough for production in a school with 200+ devices?
* Any commercial MDMs you’d recommend that balance cost vs. functionality?
Thanks in advance for any advice or real-world experiences!
https://redd.it/1ns2ve7
@r_systemadmin
What’s the going hourly rate for a Jr. Technical Support / Help Desk role in California?
Hey folks,
I’m looking for some input from hiring managers and IT pros in California (Chino Hills/Carson area). Looking to fill a help desk role and want to make sure the compensation that was approved by leadership is competitive for the market.
Here’s a quick snapshot of the role:
* **Type:** Full-time, entry-level jr. role
* **Location:** California (initially in-office with possibility of hybrid once they are fully trained up), with frequent travel in a 50-mile radius, all travel expenses paid for, etc.
* **Responsibilities:**
  * Primarily help desk and end-user support (Windows, M365, Intune, etc.)
  * Hardware setup & troubleshooting (computers, printers, mobile devices)
  * User provisioning and de-provisioning, workstation setup, etc.
  * Occasional on-call rotation for after-hours support (one week every 2-3 months)
* **Experience:** 1–3 years, relevant IT certs a plus
* **Physical Requirements:** Valid DL, some lifting (up to 50 lbs.), frequent local travel
Given these details, **what’s the typical hourly rate (or annual equivalent) you’re seeing for similar roles in California** in 2025?
Anyone out there recently filled similar roles in the area, would love to get your insight.
https://redd.it/1ns6aqp
@r_systemadmin
EntraID Org & File Server
With so many orgs doing the "cloud-first" approach, what is everyone's go-to for file servers and mapped drives in an Entra-joined environment with no on-prem AD? Some pain points so far:
* Azure files can get pricey, but offers mapped drives
* Physical NAS on-site "sounds" great, but won't handle Entra security groups for mapped drives
* Egnyte and other similar services are at the high-end of things price-wise
The long-term goal is to transition to Sharepoint and/or Onedrive, but for now there's a lot of legacy stuff that needs to be kept in place with mapped drives.
https://redd.it/1ns7s6x
@r_systemadmin
Admin by Request on Quickbooks Enterprise Updates
I’m testing Admin by Request free tier on a 10-computer network and overall I like it so far. The main issue I’m running into is with QuickBooks Enterprise Platinum: I want it pre-approved so that when it prompts for a QB update, the update can run automatically.
If a standard user launches it using “Run as administrator,” it elevates correctly and installs. However, if they launch it as a standard user, it doesn’t work. It says:
> There's a new QuickBooks software update waiting for you.
> Looks like you don't have the required permissions. Contact your system administrator.
> What's new in this update?
I’ve tried these different combinations in the pre-approval list without success.
|Application|File|Location|Type|Notes|
|:-|:-|:-|:-|:-|
|Any|Any file|C:\\Program Files\\Common Files\\Intuit|Read-only location|Pre-approval|
|Any|Any file|C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 24.0|Read-only location|Pre-approval|
|QuickBooks|qbw.exe|Program Files|Read-only location|Pre-approval|
|QuickBooks Application|QBWEnterpriseWholesale.exe|Program Files|Read-only location|Pre-approval|
|QuickBooks Update Service|qbupdate.exe|Program Files|Read-only location|Pre-approval|
Anybody get this working with Admin by Request, or any alternatives that have worked for you?
https://redd.it/1ns7b3m
@r_systemadmin
Company Issued Laptop
Just curious what is your company issued laptop? Started at a new job and IT is set to get the “standard laptop” - Dell 14 Pro while execs Dell 14 Plus and others get the higher spec ones. Just curious. TIA!
https://redd.it/1ns8mx2
@r_systemadmin
MDM on personal device
Company I’m working at wants me to install MDM on my personal phone. I’m not sure how I feel about that. Can I just buy a work phone and do it on that? I’m not sure if they’ll give me a work phone.
https://redd.it/1ns9xfr
@r_systemadmin
Good hardware/software setup for recording public meetings?
What is a good hardware/software solution to facilitate public meetings that must be hosted virtually (Youtube, or whatever)?
We're looking for a good solution that can support 12ish speakers/audio channels, and provides a UI that doesn't require a lot of training. Usually the city recorder is the one responsible for ensuring the audio/video is usable, and they can't be expected to use a wildly-complicated setup...
So far the best we have come up with is OBS Studio since it seems to be well documented and stable (and free!), and to upgrade our audio to support 10-bit float (which might help with clipping, which we get now).
Can anybody recommend any pieces of software/hardware for this?
https://redd.it/1nsciai
@r_systemadmin
Best resource for NTFS Permissions
Looking to do a refresher on best practices on NTFS Permissions. Any recommendation?
https://redd.it/1nsbhie
@r_systemadmin
Being able to ping a private IP. Definitely something wrong at my ISP?
I'm having trouble accessing the work VPN. So I tried to ping one of our private IP addresses in the 172.16.0.0/12 range and, to my surprise, I got a reply (which I didn't expect since the VPN was still trying to connect). Since I don't have that subnet at home and can't remember recreating our company network at home, I first figured I somehow could access the VPN but not everything worked or so (which would also be weird, but yeah).
Then I did a traceroute and indeed, the route clearly shows my home routers, then my ISP public IPs and then finally the IP in 172.16.0.0/12 actually replying. When I ping vpn.mywork.com, the packets follow a different route.
I'm not a network engineer, but this seems to me like there's something wrong at my ISP? I'd reckon I would never be able to ping anything in 172.16.0.0/12 if I'm definitely not running those subnets at home?
https://redd.it/1nsfthx
@r_systemadmin
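A hop classifier for the situation described in the post, added here as an example (not the poster's own output): it parses traceroute/tracert lines, separates RFC 1918 space from carrier-grade NAT space (100.64.0.0/10, which is normal inside an ISP), and flags the pattern the poster saw, a private destination answering only after public hops. The trace below is constructed and uses documentation ranges as stand-ins for ISP hops.

```python
"""Flag an RFC1918 destination that is reached beyond public ISP hops (constructed sample trace)."""
import ipaddress
import re
from typing import List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space, common on ISP hops
_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")        # hop number, then the rest of the line
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(ip: str) -> str:
    """Return 'rfc1918', 'cgnat', 'local' or 'public' for one hop address."""
    a = ipaddress.ip_address(ip)
    if any(a in n for n in RFC1918):
        return "rfc1918"
    if a in CGNAT:
        return "cgnat"
    if a.is_loopback or a.is_link_local or a.is_multicast or a.is_unspecified:
        return "local"
    # Everything else is treated as routable; the constructed sample uses documentation ranges as ISP hops.
    return "public"


def analyze(traceroute: str) -> Tuple[List[Tuple[int, Optional[str], str]], bool]:
    """Parse traceroute/tracert output into (hop, ip, kind) tuples and report whether an
    RFC1918 address replied after the path had already crossed a public hop."""
    hops: List[Tuple[int, Optional[str], str]] = []
    seen_public = private_after_public = False
    for line in traceroute.splitlines():
        m = _HOP.match(line)
        if not m:
            continue
        ip_m = _IPV4.search(m.group(2))          # first address on the line; '* * *' has none
        kind = classify(ip_m.group(1)) if ip_m else "timeout"
        hops.append((int(m.group(1)), ip_m.group(1) if ip_m else None, kind))
        if kind == "public":
            seen_public = True
        elif kind == "rfc1918" and seen_public:
            private_after_public = True
    return hops, private_after_public


# Constructed trace shaped like the poster's: home routers, ISP hops, then a 172.16/12 host replying
SAMPLE_TRACE = """\
 1  192.168.1.1 (192.168.1.1)  1.2 ms
 2  10.0.0.1 (10.0.0.1)  3.4 ms
 3  100.70.4.1 (100.70.4.1)  8.0 ms
 4  203.0.113.17 (203.0.113.17)  12.1 ms
 5  198.51.100.9 (198.51.100.9)  15.0 ms
 6  * * *
 7  172.16.40.12 (172.16.40.12)  18.3 ms
"""

if __name__ == "__main__":
    hops, leak = analyze(SAMPLE_TRACE)
    for n, ip, kind in hops:
        print(f"{n:2d} {ip or '*':<16} {kind}")
    print("private destination reached via public hops:", leak)
```

If the flag is set, the private address is being routed by someone upstream of you, which is what to raise with the ISP (or your VPN owner) rather than treating it as a VPN success.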
Setting up a Windows Server 2022 VPN has me insane
I am setting up VPN remote access on a Windows Server 2022. It has me going insane. No matter what I do, I keep getting "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer." error when trying to connect from the client machine.
I have made sure that ports are forwarded through the office router. I have verified settings on both the server and the client, and am going bonkers trying to figure it out. Does anybody have any experience with this because I am at the end of my tether over here.
I am using a pre-shared key and EAP+MSCHAPv2.
Please help.
https://redd.it/1nsjrlk
@r_systemadmin
Some devices appear disconnected, however they are connected to Action1
Sorry if this is not the right sub, but I already posted in Action1 and got no answer there, so I thought maybe anyone here would give me the right fix.
I'm using Action1 as my device management software and I have an issue that I just noticed recently: some devices appear to be disconnected; however, they are active and connected to the internet. Is there something I missed? I tried restarting the devices but still have the same issue.
https://redd.it/1nsnec0
@r_systemadmin
10 Copy-Paste Wins (Shadow APIs, npm scares, O365 detections, AI guardrails, more)
I pulled together things we keep re-inventing: runnable snippets, detections, and guardrails.
No vendor slides, no “strategic guidance”, zero fluff. Just copy-pasteable wins.
# 1) Shadow APIs: find them, fence them, document later
```bash
# .host picks up spec.rules[].host, .hosts picks up spec.tls[].hosts; matching only .hosts misses
# ingresses that have rules but no TLS section
kubectl get ingress,svc,endpointslices -A -o json \
  | jq -r '.. | (.host? // empty), (.hosts? // empty | .[])' | sort -u > hosts.txt
```
Probe `/openapi.json` etc., diff vs. spec registry, block unknown hosts/paths at WAF until reviewed.
# 2) npm supply chain: “one maintainer clicked the phish” playbook
* Quarantine new versions (<48h old).
* `npm ci --ignore-noscripts` everywhere, allowlist exceptions.
* Block [`registry.npmjs.org`](http://registry.npmjs.org) egress from CI.
* SBOM diff gate → require approver outside the committer’s team.
# 3) CI vuln noise → signal
Only gate if **Severity ≥ High + fix exists + reachable at runtime**.
Use KEV/EPSS > 0.5 as fast-track fail.
`trivy.yaml` (the default config path):
```yaml
severity:
  - HIGH
  - CRITICAL
ignore-unfixed: true
exit-code: 1
```
# 4) O365/Entra detections that aren’t junk
**KQL – MFA fatigue:**
```kusto
SigninLogs
| where ResultType in ("500121", "50074", "50097")
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 30m)
| where count_ > 6
```
# 5) Windows 4625 spam — find the process, not vibes
```powershell
# 4625 property layout: [10] = LogonType, [18] = ProcessName, [19] = IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625;StartTime=(Get-Date).AddHours(-1)} |
  Where-Object { $_.Properties[10].Value -eq 3 } |   # network logons only
  ForEach-Object {
    $ip = $_.Properties[19].Value
    if ($ip -and $ip -ne '-') {
      Get-NetTCPConnection -State Established -RemoteAddress $ip -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Process -Id $_.OwningProcess }
    }
  }
```
# 6) Android 15 classroom lockdown
Require EMM that supports: Device Owner, kiosk launcher, Wi-Fi lock, APK hosting outside Play, remote screen.
Bootstrap via Zero-Touch/QR → block ADB after.
# 7) AI guardrails that don’t kill productivity
* Browser DLP extension with redact/block regexes.
* Proxy: rate-limit & size-limit to AI domains, allow enterprise tenants.
* Bannered pre-prompt in approved tools.
Policy line you can ship:
>Don’t paste client data, secrets, or code with keys into AI tools. Use only [approved list].
# 8) SPF flattening without a pager
Public record:
```
v=spf1 include:_spf.YOURDOMAIN ~all
```
Nightly job resolves includes → IPs, dedupes, pushes `_spf.YOURDOMAIN`.
Alert if delta > N ranges.
# 9) Browser is the new OS
* Enforce uBO-equivalent at enterprise/DNS level.
* Block unsigned EXEs via AppControl/WDAC.
* IdP-only admin portals, MFA hardware keys.
# 10) Incident comms you can paste during npm/Okta/$vendor fires
**External:**
>We’re aware of reports involving X. Deploy freeze in place. Services remain [status]. Next update at +2h.
**Internal thread:**
* 📦 Freeze builds
* 🔍 Scope services & SBOM
* 🔒 Apply egress blocks/controls
* 🕒 Owners + next update time
# Tiny but mighty
* MFA fatigue → number matching.
* Exchange/Outlook → auto-label exfil attempts.
* WSL2 mirrored mode → needs IPv6.
If this saves you an hour, great.
If you want the full pack (Sigma/KQL/Trivy configs, k8s policies, SPF noscript, API crawler, incident templates), **DM me** and happy to help!
https://redd.it/1nspham
@r_systemadmin
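The "nightly job" from item 8 of the post above, written out as an added example (it is not code from the original post). It walks the `include:`/`redirect=` tree of a domain's SPF record, merges the `ip4:`/`ip6:` mechanisms, pins any `a`/`mx`/`ptr`/`exists` mechanisms to the record they came from, splits the flat record into 255-character TXT strings, and computes the term delta against the previous run so a caller can alert on "delta > N". DNS goes through a lookup callable, so the example runs offline against the constructed zone table below; the domain names and ranges in it are made up, and in production you pass a function that does a real TXT query.

```python
"""Nightly SPF flattening job (added example; zone data below is constructed)."""
import ipaddress
import re

# Constructed zone data for the example; all names and ranges are made up.
FAKE_ZONE = {
    "example.test":         ["v=spf1 include:_spf.example.test ~all"],
    "_spf.example.test":    ["v=spf1 include:spf.mailer.test include:_legacy.example.test ip4:203.0.113.10 -all"],
    "spf.mailer.test":      ["v=spf1 ip4:198.51.100.0/24 include:_net2.mailer.test ~all"],
    "_net2.mailer.test":    ["v=spf1 ip6:2001:db8:1::/48 ip4:198.51.100.0/24 -all"],
    "_legacy.example.test": ["v=spf1 redirect=_spf2.example.test"],
    "_spf2.example.test":   ["v=spf1 mx ip4:192.0.2.0/25 ip4:192.0.2.128/25 ~all"],
    "loop-a.test":          ["v=spf1 include:loop-b.test -all"],
    "loop-b.test":          ["v=spf1 include:loop-a.test -all"],
}

def fake_txt_lookup(name):
    """Stand-in for a TXT query: the TXT strings for name, empty list if it does not exist."""
    return FAKE_ZONE.get(name, [])

MECH = re.compile(r"^([+\-~?])?(ip4|ip6|include|a|mx|ptr|exists|all)(?::(.*))?$", re.I)
MODIFIER = re.compile(r"^[a-z][a-z0-9_.-]*=", re.I)   # exp= and other modifiers

def spf_record(name, lookup):
    """The one v=spf1 record for name; zero or several is a permerror, so return None."""
    recs = [r for r in lookup(name) if r.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None

def flatten(domain, lookup):
    """Return (networks, passthrough_terms, dns_lookups, warnings) for domain's SPF tree."""
    nets, passthrough, warnings = set(), [], []
    lookups, path, done = 0, [], set()

    def walk(name):
        nonlocal lookups
        if name in path:                       # include cycle: permerror at evaluation time
            warnings.append(f"include loop at {name}")
            return
        if name in done:                       # diamond include, already merged
            return
        rec = spf_record(name, lookup)
        if rec is None:
            warnings.append(f"no single SPF record for {name}")
            return
        path.append(name)
        for term in rec.split()[1:]:
            if term.lower().startswith("redirect="):
                lookups += 1
                walk(term.split("=", 1)[1])
                continue
            if MODIFIER.match(term):           # modifiers other than redirect do not change the result
                continue
            m = MECH.match(term)
            if not m:
                warnings.append(f"unparsed term {term!r} in {name}")
                continue
            qual, kind, arg = m.group(1) or "", m.group(2).lower(), m.group(3)
            if kind in ("ip4", "ip6"):
                try:
                    nets.add(ipaddress.ip_network(arg, strict=False))
                except ValueError:
                    warnings.append(f"bad {kind} term {term!r} in {name}")
            elif kind == "include":
                lookups += 1
                walk(arg)
            elif kind == "all":
                continue                       # an included record's 'all' never applies
            else:
                lookups += 1
                # a/mx/ptr/exists need live DNS when evaluated; keep them, but pin a bare
                # a/mx/ptr to the record it came from or it would re-bind to the top domain
                passthrough.append(f"{qual}{kind}:{arg or name}")
        path.pop()
        done.add(name)

    walk(domain)
    return nets, passthrough, lookups, warnings

def build_flat_record(domain, lookup, final="~all"):
    """Flatten domain and render the record plus the term list used for the delta check."""
    nets, passthrough, lookups, warnings = flatten(domain, lookup)
    def render(n):   # bare address for host routes, CIDR otherwise
        return str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    terms = [f"ip4:{render(n)}" for n in v4] + [f"ip6:{render(n)}" for n in v6] + passthrough
    if lookups > 10:
        warnings.append(f"source tree needs {lookups} DNS lookups (RFC 7208 limit is 10)")
    if len(passthrough) > 10:
        warnings.append("flattened record still has more than 10 DNS-querying mechanisms")
    return {"terms": terms, "record": " ".join(["v=spf1", *terms, final]),
            "lookups": lookups, "warnings": warnings}

def split_txt(record, limit=255):
    """Split into <=255-byte TXT strings; receivers concatenate them without separators."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

def nightly(domain, lookup, previous_terms, threshold):
    """One run of the job: new record, its TXT chunks, and whether the delta should page."""
    out = build_flat_record(domain, lookup)
    added = sorted(set(out["terms"]) - set(previous_terms))
    removed = sorted(set(previous_terms) - set(out["terms"]))
    out.update(chunks=split_txt(out["record"]), added=added, removed=removed,
               alert=len(added) + len(removed) > threshold)
    return out

if __name__ == "__main__":
    prev = ["ip4:198.51.100.0/24", "ip4:203.0.113.10", "ip4:192.0.2.0/25", "ip6:2001:db8:1::/48"]
    result = nightly("example.test", fake_txt_lookup, prev, threshold=2)
    print(result["record"], result["added"], result["removed"], result["alert"])
```

The `done` set is what makes the same vendor record included twice (a diamond) harmless, while `path` catches a real cycle; the `mx` in `_spf2.example.test` comes out as `mx:_spf2.example.test` rather than a bare `mx`, which after flattening would have meant the top domain's MX hosts. Push the `chunks` list as the TXT strings of `_spf.YOURDOMAIN` only when `alert` is false, and route an alert to a human otherwise.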
Win Server Storage Spaces
Anyone using Windows Server Storage Spaces: how are you monitoring the storage pool / disk health for alerting?
https://redd.it/1nsoodx
@r_systemadmin
Software used to deploy OS
I need to rebuild about 50 computers over a weekend next month at a remote site.
At our current site we use MDT to install the new OS and updated drivers, but the remote site doesn't have anything set up yet.
Are there any other options besides MDT for a small deployment? I could go around and boot from USB drives, but I would like a better option.
https://redd.it/1nssdd4
@r_systemadmin
Rsync File Transfer Guide – Efficient, Secure Bulk Transfers for Sysadmins
After seeing repeated questions about efficient large file transfers (especially the recent 4TB datacenter sync question), I thought I'd share some practical rsync workflows that have saved me countless hours and bandwidth over the years.
**Why Rsync Dominates for Bulk Transfers**
While tools like Quest Secure Copy and even simple file copies work, rsync's delta-sync algorithm is unmatched. It only transfers the changed portions of files, which can reduce transfer times by 80-90% on subsequent runs. The built-in integrity checking via checksums has prevented data corruption more times than I can count.
**Essential Flags Every Sysadmin Should Know**
• `-a` (archive mode) - Your bread and butter. Preserves permissions, timestamps, symlinks recursively
• `--progress` - Shows real-time transfer progress and ETA (invaluable for large datasets)
• `--bwlimit=50000` - Bandwidth limiting in KB/s to prevent network saturation
• `--dry-run` - **Always test first!** Shows what would be transferred without making changes
• `-z` - Compression for slower links (can double transfer speed on text/log files)
• `--delete` - Removes files from destination that no longer exist at source (use with caution)
**Production Workflows That Actually Work**
**Scenario 1: Initial 4TB Migration**
```
rsync -avz --progress --bwlimit=50000 --dry-run /data/ user@remote:/backup/
# Review the output, then remove --dry-run
rsync -avz --progress --bwlimit=50000 /data/ user@remote:/backup/
```
**Scenario 2: Ongoing Incremental Syncs**
```
rsync -avz --progress --delete --exclude="*.tmp" --exclude=".DS_Store" /data/ user@remote:/backup/
```
**Scenario 3: Daemon Mode for Massive Datasets**
For petabyte-scale transfers, rsync daemon mode bypasses SSH overhead:
```
# On destination server
echo '[backup]
path = /backup
read only = no
hosts allow = 192.168.1.0/24' > /etc/rsyncd.conf
systemctl start rsyncd
# On source server
rsync -avz --progress /data/ backup.server::backup/
```
**Real-World Performance Gains**
Last month, I needed to sync 2TB of VM backups between datacenters. Standard file copy was showing 6+ hours. Rsync with compression and the right buffer sizes completed the initial sync in 2.5 hours, and subsequent daily syncs take under 15 minutes due to delta-sync.
The key insight: rsync isn't just about speed—it's about reliability. The `--dry-run` flag has saved me from disasters, and the built-in resume capability means network interruptions don't restart your entire transfer.
**Advanced Tips**
• Use `--exclude-from` with a file list to skip temp directories, logs, etc.
• For Windows environments, consider Cygwin rsync or WSL
• Monitor with `iotop` and `nethogs` to ensure you're not saturating resources
• Test with small datasets first—rsync flags can be destructive
For those wanting to dive deeper into advanced rsync configurations, security settings, and performance tuning, I found this [comprehensive rsync best practices guide by LinuxHardened](https://www.linuxhardened.com/rsync-file-transfer-guide/) particularly thorough in covering daemon setup and edge cases.
What are your go-to rsync workflows? Any flags or techniques that have saved your bacon in production environments?
https://redd.it/1nssup6
@r_systemadmin
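The Scenario 3 module in the post above takes writes from any host in a /24 with no authentication. As an added example that is not from the original post, here is the same module with a module password, a single allowed source and the daemon's own hardening knobs set; the user name, paths and the client address are assumptions.

```ini
# /etc/rsyncd.conf (added example; names, paths and addresses are assumed)

# drop privileges for transfers and jail each module to its path
uid = rsyncbackup
gid = rsyncbackup
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log
transfer logging = yes

[backup]
    path = /backup
    comment = DC-to-DC sync target
    read only = no
    # do not advertise the module to "rsync host::" listings
    list = no
    # only this client may connect, and only with the password from the secrets file
    hosts allow = 192.168.1.10
    hosts deny = *
    auth users = backupsrc
    secrets file = /etc/rsyncd.secrets
    # strict modes (the default) refuses a secrets file that is group- or world-readable
    strict modes = yes
```

`/etc/rsyncd.secrets` holds one `user:password` line (`backupsrc:<random password>`) with mode 0600; the client supplies it with `--password-file=/root/.rsyncpass` (also 0600) or `RSYNC_PASSWORD`, e.g. `rsync -av --password-file=/root/.rsyncpass /data/ backupsrc@backup.server::backup/`. The daemon password is a challenge-response check only and the data still travels in the clear, so between datacenters keep the daemon on a private link or reach it through ssh (`rsync -e ssh ... backup.server::backup/` talks to the daemon over a remote-shell connection), accepting the ssh overhead the post was avoiding.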
Water usage in datacenters
I keep seeing people talking about new datacenters using a lot of water, especially in relation to AI. I don't work in or around datacenters, so I don't know a ton about them.
My understanding is that water would be used for cooling. My knowledge of water cooling is basically:
1. Cooling loops are closed, there would be SOME evaporation but not anything significant. If it's not sealed, it will leak. A water cooling loop would push water across cooling blocks, then back into radiators to remove the heat, then repeat. The refrigeration used to remove the heat is the bigger story because of power consumption.
2. Straight water probably wouldn't be used for the same reason you don't use it in a car: it causes corrosion. You need to use chemical additives or, more likely, pre-mixed solutions to fill these cooling loops.
I've heard of water chillers being used, which I assume means passing hot air through water to remove the heat from the air. Would this not be used in a similar way to water loops?
I'd love some more information if anybody can explain or point me in the right direction. It sounds a lot like political FUD to me right now.
https://redd.it/1nstfzk
@r_systemadmin