How do you account you on-call into the Flex Time when there is nothing done during on-call?

I have been on-call for last week. Work my usual 8-5 but also available outside of those hours with phone ringer on and able to jump on in 15 minutes or less. During the week I only spent maybe 3 hours at most doing on-call work.

The workplace has something they call Flex Time and I am salaried with expectation to be available 8-5.

In your experience how do you, if at all, count your on-call time against your actual expected work period and hours?



https://redd.it/1o567da
@r_systemadmin

Any other AEC sysadmins here?

Just joined an AEC (engineering) firm and wow..this isn’t your usual “Office Suite and printers” setup. I’m now wrangling render farms, beastly GPUs, dealing with all the Autodesk issues and workstations that I haven’t dealt with my entire career.

It’s way more work, but also kinda awesome.

Any other AEC admins out there? Do you actually enjoy the chaos too?

https://redd.it/1o56xsv
@r_systemadmin

ZIP SharePoint folder(s) and export to S3 without local download/upload?

Is there an easy way - maybe with noscripting, or Power Automate/AppFlow - to compress a folder in a SP document library and save it into an S3 bucket without having to download it locally and re-upload it?

We're running out of SP space and need to move old/unused project folders to an S3 bucket. I'm currently doing it manually - tick the folder in Web SharePoint, click Download to get the ZIP, drag-drop into S3 then delete the original folder. This works fine, except there's hundreds of folders with over 1TB of data, which with my time/WiFi speed/laptop space is not really feasible. So I need something that can do it automated in the cloud. I looked into Skyvia which we've used before, but apparently they have no SP<->S3 connectors. Any recommendations? We'd be using a rule - any subfolder in a given directory whose contents have not been modified in over a year.

https://redd.it/1o55vrb
@r_systemadmin

Stupid question: how does ad connect to entra id?

I know they sync but I've never had to do it nor on my own lab. Just curious how the syn/setup process works. Most training mentions it but dont show how it works.
I know when you setup a new dc ot has capability to sync with entra id(azure ad).

I know a stupid question but never seen a stand up done before.


https://redd.it/1o5a68r
@r_systemadmin

College folks, what sort of questions should I prepare efor?

Landed an interview for a help desk gig with a college. What do you or they expect? Just trying to prepare as i suck at interviews and i want to nail it out of 20+ candidates.
The soft skills i have down to the tee. Technical questions in flabbergasted and space out often. Not that I dont know what to dk but ky mind seems to fail explaining unless I show folks. Lol.

https://redd.it/1o5a1cy
@r_systemadmin

How to create a confined user in Ubuntu?

I have a question that looks like basic to system administration, but surprisingly I cannot find information about that.

I have a multi user system. I want to make sure that a particular user has access only to a set of resources like a set of applications.

Traditional Unix DAC permissions don’t seem to provide a simple solution to role-based access control. It seems MAC using SeLinux or AppArmor is required.

RHEL/Fedora have SeLinux with targeted policy which comes with labels for users, like, guest_u label for the context of a predefined confined user. I can create a new user and label it with guest_u. This way the user will be confined to capabilities defined by guest_u. It’s hard to cherry pick and compile new modules (guest is more like a kiosk), but at least there is something.

But I have Debian/Ubuntu. To my surprise, I found it difficult to create a user that is confined in Ubuntu. I can remove the user from the sudo group and prevent the user from running certain commands like su. I can create a group, but you don’t want to change group membership of system binaries. There is restricted bash, but it’s kind of a hack and there are escape routes. The issue is compounded by the fact that when the user runs an application, obviously there will be child processes and so, and that there are numerous entry and exit points.

I want to define a user that has access to certain folders and can run certain applications (like a browser, vscode, editors, other basic utilities) and nothing more. How could this be done?

The closest that I found was installing and configuring an obscure module called AppArmor PAM module. I might be wrong but there might be just one example in the internet on this module and almost none in Reddit. AppArmor has limited support for RBAC and that module is not well documented.

There ought to be an easy way to confine a user in Ubuntu.

https://redd.it/1o5dgfk
@r_systemadmin

Moronic Monday - October 13, 2025

Howdy, /r/sysadmin!

It's that time of the week, Moronic Monday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1o5fkua
@r_systemadmin

Another M365 Outage?

I'm not seeing any outages on my end and so far I haven't heard from any users (it IS 7am, so that's not a shock), but is anyone seeing impacts from this alert?



Users:

Users are unable to access Microsoft 365 apps.





Scope of Impact:
Impact is specific to some users who are served through the affected infrastructure, attempting to access Microsoft 365 apps.





Updates
We're continuing to review service monitoring telemetry to isolate the source of the issue and establish a fix.

* Oct 13, 2025, 6:18 AM EDT Next update by:

https://redd.it/1o5gtrv
@r_systemadmin

How to make a Disaster Recovery Plan when (almost) all services are managed by external parties?

Hello,

I have to make a Disaster Recovery Plan (DRP) for a small Logistics company, but my problem is that almost al services that are used are managed by external parties. (examples of services are like the websites that are used in the different departments in HR or finance which are mostly websites for some specific function).

Some services we have a little control in for example the Office Suite, but if we have problems with that it goes first to the IT department if they don't know an external company will fix it.

The goal of the the DRP is "What to do when (acces to) data is lost".

I don't know how I have to do this in the DRP. My current idea was to write something like "If service XYZ is not avaiable or not working correctly then contact mail@xyz.abc or phonenumber.

Also some specific cases the IT department is only allowed to contact the service, but that's for just a few services.

But this way my DRP will look like and contact list book.

https://redd.it/1o5dbrl
@r_systemadmin

So what am I? Duties and responsibility

Recently was talking with my coworkers that Systems Admin is broad but not exactly the best noscript for what I do, so what am I?



I handle/have, Domain Admin, Azure Global Admin, OneDrive/M365 Admin, Hybrid Exchange Admin, DNS, DHCP servers, Vmware ESXI admin, Hyper V, backups, Apple Business manager, Intune MDM management, 3 Data center sites, 2 hot, 1 cold, 200VM's, 1 critical zero trust site, cross-trained on access control, SIEM escalation and logging, ADFS, Azure, AD, GPO, DFS, Fileshares, OAuth, SSO, Intranet sites, manage and configure meeting room hardware, Camera surveillance administrator, tier 3 escalation, cjis certified, and other wonderful government data standards - on call and hourly exempt status (not salary) for about 70k in USA.
Been in this role about 2 years, would not quite think the word senior would be in the noscript but maybe based on the responsibilities.

https://redd.it/1o5icso
@r_systemadmin

Meraki alternatives?

So I'm about 6 months into a new gig and inherited a ton of Meraki gear across about 200 locations. Most of these locations are 5 computers or less, but all have a site-to-site back to HQ for file share access

We're moving to a model where file shares will not be needed, so we'd like to shrink our network footprint. PCs will be Entra ID joined, or we'll have a thin client connecting to Azure Virtual Desktop both of which don't need our internal network on site

I've been cloud-only the past 7 years, so the on-prem networking world has not been top of my mind. I'd like to shrink our Meraki footprint and get away from paying Cisco prices. Many of our locations will be on small business internet access from the likes of AT&T or Charter, so we'll have ISP-provided gateways that can serve DHCP and NAT, but, I also feel like having *zero* visibility or management of the network hardware might be a step too far

I use Ubiquiti at home, but not sure it's ready for the scale we need. Again, no site-to-site VPNs, except perhaps our corporate office might need a VPN to Azure

Is there a lighter weight network platform that is controllable through a single pane of glass, is cheaper that Cisco, but is reliable enough without VPNs that we can trust it across 200-odd retail like locations?

https://redd.it/1o5jxoz
@r_systemadmin

Vodafone UK Major Outage

Major Vodafone outage in the UK, started 15:00 local time. Both leased line and mobile data impacted. Spicy Monday.

Edit: leased line not leaded line, need to slow down and enjoy the downtime…

Edit2: 130K+ customers impacted, BBC: https://www.bbc.co.uk/news/articles/c5yldldx659o

https://redd.it/1o5lftf
@r_systemadmin

Cost effective cloud database location?

Hi all,

My manager wants us to move a SQL database into the cloud. The database has membership data that is archival and would only need to be accessible for 3-4 users. They access it a few times per week only to run read queries and no longer receiving updates or additions. I feel like it may still need to be some sort of hot storage tier because they access it semi frequently. I have suggested the business owners to reduce the size of the database as well since it's 1.5TB which will increase costs. We are a small/medium size non profit so looking for suggestions on the cheapest/safest way to store this in the cloud. Any suggestions are appreciated.

https://redd.it/1o5lg1s
@r_systemadmin

A little help to make the Co Pilot madness stop for a bit.

Starting in October 2025, Microsoft will begin installing the Copilot app automatically on Windows devices that have the M365 desktop apps installed.

https://lazyadmin.nl/office-365/microsoft-365-copilot-app-will-auto-install-how-to-opt-out/

https://redd.it/1o5qi1l
@r_systemadmin

Hot take: People shouldn't go into DevOps or Cybersecurity right out of school

So this may sound like gating, and maybe it is, but I feel like there's far too many people going into "advanced" career paths right out of school, without having gone through the paces first. To me, there are definitively levels in computing jobs. Helpdesk, Junior Developer, those are what you would expect new graduates to go into. Cybersecurity, DevOps, those are advanced paths that require more than book knowledge.

The main issue I see is that something like DevOps is all about bridging the realm of developers and IT operations together. How are you going to do that if you haven't experienced how developers and operations work? Especially in an enterprise setting. On paper, building a Jenkins pipeline or GitHub action is just a matter of learning which button to press and what noscript to write. But in reality there's so much more involved, including dealing with various teams, knowing how software developers typically deploy code, what blue/green deployment is, etc.

Same with cybersecurity. You can learn all about zero-day exploits and how to run detection tools in school, but when you see how enterprises deal with IT in the real world, and you hear about some team deploying a PoC 6 months ago, you should instantly realize that these resources are most likely still running, with no software updates for the past 6 months. You know what shadow IT is, what arguments are likely to make management act on security issues, why implementing a simple AWS Backup project could take 6+ months and a team of 5 people when you might be able to do it over a weekend for your own workloads.

I guess I just wanted to see whether you all had a different perspective on this. I fear too many people focus on a specific career path without first learning the basics.

https://redd.it/1o5sh3a
@r_systemadmin

Handling requests to Merge PDF or sign without Acrobat?

What’s everyone doing for users who just need to sign or edit PDFs occasionally? Buying full Acrobat licenses for everyone feels like total overkill.

https://redd.it/1o5rhic
@r_systemadmin

How to approach an IT employee about possible theft?

This is an ongoing investigation.

I did an audit of our business phone portal, and noticed several ex employees still on the account. At first I thought to re-visit our offboarding procedures, and ask the support team why they haven’t off-boarded these lines from our account.

I decided to dig deeper instead. I discovered several of these ex employees had brand new phone upgrades, and the transaction history, in all cases, shows one specific IT staff member fulfilling these orders.

I decided to call a few of these numbers. None answered, but one number did go to a real human voicemail, of an even older user that hasn’t worked here in 10 years. What’s even weirder: that phone number is associated with a different ex employee!

Is my IT employee stealing, or (this is me giving them a huge benefit of doubt) do they have some whacky convoluted way of organizing our accounts, which needs to change anyways because wtf is this mess

https://redd.it/1o5x48o
@r_systemadmin

Leadership wants to nuke staging and test everything in prod. am I being paranoid or is
this a terrible idea?

Newish Senior DevOps at a 80 eng company. Standard setup: local dev → dev env → staging (mirrors prod) → production. Costs are being scrutinized and staging is eating 25–30% of infra spend. New leadership wants to delete staging entirely. Basically he believes “staging never mirrors prod anyway and feature flags + progressive rollouts + good monitoring > staging". He plans to kill staging, deploy everything to prod behind feature flags and use progressive rollouts (1% → 5% → 25% → 100%).


Here’s why I’m panicking we’re not a FAANG, we only have three DevOps people, our test coverage is a flaky @ 60%, and we deal with sensitive financial data where a production breakage would be a lawsuit. I don't know how we're supposed to "progressively roll out" something like a database schema migration, especially when our monitoring is a basic combination of Grafana, logs, and vibes, and some of our devs still hotfix the main branch directly without PRs.



When I brought this up, my manager's reply was, “If you can't safely deploy to prod, that’s a culture problem, not an environment problem.” Now the junior devs are hyped, the seniors and PMs are confused, its a shit show This is all happening at a company that already deploys 15–20 times daily, had three production incidents last quarter (including a 45-minute outage), and where rollbacks are basically just revert and pray. I'm the one expected to lead this rollout, so someone please tell me if I’m just being an old man yelling at clouds or if this is as bad as it feels.

https://redd.it/1o5xleg
@r_systemadmin

Do password resets on Admin Center sync with on prem AD?

I’m fairly new to IT and work for a university.

When staff need their password reset by us, the head of IT says we should change the password for them using both on prem AD and the Admin Center so they can immediately log into their laptops using our network.

However for students, we only need to change their passwords on the Admin Center and not on AD, as they log into their own devices (i.e their VLE or email)

My question is will the Admin Center password reset sync to AD? My understanding was that it syncs from on prem AD > Entra, and not the other way around. Is only changing their password for students using the Admin Center bad service desk etiquette?

https://redd.it/1o6238z
@r_systemadmin

Patch Tuesday Megathread (2025-10-14)

Hello r/sysadmin, I'm u/AutoModerator, and welcome to this month's Patch Megathread!

This is the (mostly) safe location to talk about the latest patches, updates, and releases. We put this thread into place to help gather all the information about this month's updates: What is fixed, what broke, what got released and should have been caught in QA, etc. We do this both to keep clutter out of the subreddit, and provide you, the dear reader, a singular resource to read.

For those of you who wish to review prior Megathreads, you can do so here.

While this thread is timed to coincide with Microsoft's Patch Tuesday, feel free to discuss any patches, updates, and releases, regardless of the company or product. NOTE: This thread is usually posted before the release of Microsoft's updates, which are scheduled to come out at 5:00PM UTC.

Remember the rules of safe patching:

Deploy to a test/dev environment before prod.
Deploy to a pilot/test group before the whole org.
Have a plan to roll back if something doesn't work.
Test, test, and test!

https://redd.it/1o65i4e
@r_systemadmin

Please tell me my perspectives were right about the error they were getting when trying to Open Powerpoint files using PowerPoint Desktop apps

Actually I have been sick and tired from having to answer them the same fking error they are dealing with. But I hope I am right about it, If you guys have any solutions for this, please help me..

Situation:
\- They are working a pitch powerpoint file, the size is 600MB.
\- They need to work the file "together", so they can see each other updates.
\- So usually the first 2-4 users wouldnt have any issue to open that file using Powerpoint Desktop

\- The problem now is the following 5++, when they open it, they will get an error like :
"UPLOAD FAILED: Your file wasn't uploaded because your changes can't be merged with changes made by someone else. Save a Copy / Discard Changes:

My explanation:
This is due to the users that were managed to access the large ass file (600mb), is doing their editing work. So for those users that were trying to open, it requires to download from the sharepoint first before they can open, but if the first 4 users keep adding / editing stuff into the file, how the fck can the powerpoint downloads it completely. And eventually their powerpoint will crash and boom, my message box will have full of questions like why he can open , but not me. But they doesnt accept my logic.

Solution so far:
I asked the first 2-4 users to STOP editing, let others to open first, only start the editing work. HOWEVER, in spite everyone managed to open, but because the file size is so large, and 7 users editing at the same time, eventually the powerpoint will still crash out for "SOME" of them.

https://redd.it/1o66b91
@r_systemadmin