Is it impossible to introduce Terraform or Ansible in a traditional infrastructure environment?
Our infrastructure team manages over 3,000 customer PCs and more than 300 VMs and EC2 instances. Around 90% of the systems run on Windows Server, and most instances don’t require high performance (8GB of memory is usually sufficient)
I’m trying to become an SRE in the future, and currently manage around 50 EC2 instances on AWS. I’d like to try codifying them using Terraform.
That said, I’m wondering if such a proposal would generally be rejected in our environment. Or, if I build enough skill, is it something that could realistically be accepted?
I just want to understand the reality because I don’t want to waste effort on something that has no chance.
https://redd.it/1o9vdhw
@r_systemadmin
Our infrastructure team manages over 3,000 customer PCs and more than 300 VMs and EC2 instances. Around 90% of the systems run on Windows Server, and most instances don’t require high performance (8GB of memory is usually sufficient)
I’m trying to become an SRE in the future, and currently manage around 50 EC2 instances on AWS. I’d like to try codifying them using Terraform.
That said, I’m wondering if such a proposal would generally be rejected in our environment. Or, if I build enough skill, is it something that could realistically be accepted?
I just want to understand the reality because I don’t want to waste effort on something that has no chance.
https://redd.it/1o9vdhw
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
TPRM platform
You have to start your TPRM program and get to buy any platform you want. Which do you choose (and if you have time explain why)?
https://redd.it/1o9vcnw
@r_systemadmin
You have to start your TPRM program and get to buy any platform you want. Which do you choose (and if you have time explain why)?
https://redd.it/1o9vcnw
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Automate laptop replacement process.
Hello Everyone,
I have been trying to figure out how to automate or simplify laptop replacement process for our team.
We have multiple hardware replacement requests coming in because of win 11 eol.
The problem is with moving user data to new laptops, which is where lot of our time is getting wasted. We are a shop with lot of them using on prem ad and file shares. M365 for emails. Users are mostly in 50-60 years of age. So they prefer to have all their profile fully setup so that they can get logged in and all data from their old system is present in front of them.
Is there anyway I can automate this process. I have been using Transwiz to export and then import to new laptop. If anybody can give me some idea it will be helpful.
Thanks
https://redd.it/1o9v0rr
@r_systemadmin
Hello Everyone,
I have been trying to figure out how to automate or simplify laptop replacement process for our team.
We have multiple hardware replacement requests coming in because of win 11 eol.
The problem is with moving user data to new laptops, which is where lot of our time is getting wasted. We are a shop with lot of them using on prem ad and file shares. M365 for emails. Users are mostly in 50-60 years of age. So they prefer to have all their profile fully setup so that they can get logged in and all data from their old system is present in front of them.
Is there anyway I can automate this process. I have been using Transwiz to export and then import to new laptop. If anybody can give me some idea it will be helpful.
Thanks
https://redd.it/1o9v0rr
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
purestorage x50 help maybe?
I have got myself an x50 r2(no sleds) and i have populated it with directmemory modules single disk sleds, i did reset_drive, and puresetup newarray, but it fails, is x50 limited to what kind of drives it takes? or whats the deal?
I am running purity 6.xx if that helps
https://redd.it/1o9zmk7
@r_systemadmin
I have got myself an x50 r2(no sleds) and i have populated it with directmemory modules single disk sleds, i did reset_drive, and puresetup newarray, but it fails, is x50 limited to what kind of drives it takes? or whats the deal?
I am running purity 6.xx if that helps
https://redd.it/1o9zmk7
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
CA policies via Terraform
Apologies if this isn’t the correct sub and thanks for pointing me to the right one if that’s the case.
As the noscript, employer is pushing/forcing CA policies be deployed via Terraform instead of our current click-ops.
Typical volume is circ. 5-10 new policies planned in the next few months to 1 year.
Learning the language would no doubt be great for my development and future, but to me, it seems overkill pushing CA behind terraform over the existing method.
Any thoughts, good or bad?
Thanks
https://redd.it/1oa6c5a
@r_systemadmin
Apologies if this isn’t the correct sub and thanks for pointing me to the right one if that’s the case.
As the noscript, employer is pushing/forcing CA policies be deployed via Terraform instead of our current click-ops.
Typical volume is circ. 5-10 new policies planned in the next few months to 1 year.
Learning the language would no doubt be great for my development and future, but to me, it seems overkill pushing CA behind terraform over the existing method.
Any thoughts, good or bad?
Thanks
https://redd.it/1oa6c5a
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Paranormal IT
Is it just me, or does luck play a huge role in our profession?
An adjacent IT team was struggling with a workstation issue for about a week. It finally got escalated to me.
While we were on a Teams screen share, I watched him recreate the issue — we talked, joked a bit — and then poof, it just… disappeared. No fix, no changes, just magically resolved itself right in front of us.
The timing was impeccable — like the system was waiting for an audience.
It got me thinking: sometimes things break for no clear reason, and sometimes they fix themselves just as mysteriously. It almost feels paranormal.
Anyone else ever experience those “ghost in the machine” moments?
My message is to always step back and pray I guess lol
https://redd.it/1oa8plx
@r_systemadmin
Is it just me, or does luck play a huge role in our profession?
An adjacent IT team was struggling with a workstation issue for about a week. It finally got escalated to me.
While we were on a Teams screen share, I watched him recreate the issue — we talked, joked a bit — and then poof, it just… disappeared. No fix, no changes, just magically resolved itself right in front of us.
The timing was impeccable — like the system was waiting for an audience.
It got me thinking: sometimes things break for no clear reason, and sometimes they fix themselves just as mysteriously. It almost feels paranormal.
Anyone else ever experience those “ghost in the machine” moments?
My message is to always step back and pray I guess lol
https://redd.it/1oa8plx
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Whatever happened to IPv6?
I remember (back in the early 2000’s) when there was much discussion about IPv6 replacing IPv4, because the world was running out of IPv4 addresses. Eventually the IPv4 space was completely used up, and IPv6 seems to have disappeared from the conversation.
What’s keeping IPv4 going? NAT? Pure spite? Inertia?
Has anyone actually deployed iPv6 inside their corporate network and, if so, what advantages did it bring?
https://redd.it/1oaae1o
@r_systemadmin
I remember (back in the early 2000’s) when there was much discussion about IPv6 replacing IPv4, because the world was running out of IPv4 addresses. Eventually the IPv4 space was completely used up, and IPv6 seems to have disappeared from the conversation.
What’s keeping IPv4 going? NAT? Pure spite? Inertia?
Has anyone actually deployed iPv6 inside their corporate network and, if so, what advantages did it bring?
https://redd.it/1oaae1o
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Patching an offline ESXi Host
Quick question. I am need to patch my ESXi host. However, this host has the VM that is the router for the network. As soon as I place the host into maintenance mode, the internet will cut off. I have the patch zip file in the local host datastore. Will the following commands on the local console for the host work for patching?:
1. Enter maintenance mode: vim-cmd hostsvc/maintenance_mode_enter
2. Esxcli software vib update -d /vmfs/volumes/datastore/Updates/VMware-ESXi-7.0U3w-24784741-depot.zip
3. reboot
4. Vim-cmd hostsvc/maintenance_mode_exit
https://redd.it/1oa5xjm
@r_systemadmin
Quick question. I am need to patch my ESXi host. However, this host has the VM that is the router for the network. As soon as I place the host into maintenance mode, the internet will cut off. I have the patch zip file in the local host datastore. Will the following commands on the local console for the host work for patching?:
1. Enter maintenance mode: vim-cmd hostsvc/maintenance_mode_enter
2. Esxcli software vib update -d /vmfs/volumes/datastore/Updates/VMware-ESXi-7.0U3w-24784741-depot.zip
3. reboot
4. Vim-cmd hostsvc/maintenance_mode_exit
https://redd.it/1oa5xjm
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Windows 10 ESU Applied with slmgr.vbs -- still shows "your version of Windows has reached End of Support"
Hey there! We have a few Windows 10 PCs on which we have applied Year 1 ESU licenses using slmgr.vbs (we followed info here). All of them show "License Status: Licensed". But in Windows Update it still shows "Your version of Windows has reached End of Support. Your device is no longer receiving security updates." I just wanted to check if we missed something, or is this what everyone else is experiencing? Thanks!
https://redd.it/1oa8t6z
@r_systemadmin
Hey there! We have a few Windows 10 PCs on which we have applied Year 1 ESU licenses using slmgr.vbs (we followed info here). All of them show "License Status: Licensed". But in Windows Update it still shows "Your version of Windows has reached End of Support. Your device is no longer receiving security updates." I just wanted to check if we missed something, or is this what everyone else is experiencing? Thanks!
https://redd.it/1oa8t6z
@r_systemadmin
Docs
Enable Windows 10 Extended Security Updates (ESU)
Learn how to enable the Extended Security Updates (ESU) keys for Windows 10. The ESU program gives customers the option to receive security updates for Windows 10.
A question about Microsoft 365 licenses and MSP‘s/CSP‘s
I am retiring.
I was getting m365 licenses for clients thru D&H.
A client has annual licenses that I got them that expire on 12/ 31. I turned off auto renew with D&H.
A new firm is taking over on November 1.
The new firm said this:
We won’t do any MSP to MSP transfer of current licenses….
Just curious – does anybody know what that means?
I’m a one-man shop and never had to deal with taking over or releasing a tenant
The license is I got them are already in tenant admin portal.
Is that for sinking up the license expiration dates - my licenses versus licenses they buy?
If they buy through a different CSP and buy another year, without the transfer they talk about, the new license would start immediately?
I do think I saw where you could set a time for the license to start in the future with DH
But CSP’s have their own interface for buying m365 / not all offer that?
https://redd.it/1oa7fm4
@r_systemadmin
I am retiring.
I was getting m365 licenses for clients thru D&H.
A client has annual licenses that I got them that expire on 12/ 31. I turned off auto renew with D&H.
A new firm is taking over on November 1.
The new firm said this:
We won’t do any MSP to MSP transfer of current licenses….
Just curious – does anybody know what that means?
I’m a one-man shop and never had to deal with taking over or releasing a tenant
The license is I got them are already in tenant admin portal.
Is that for sinking up the license expiration dates - my licenses versus licenses they buy?
If they buy through a different CSP and buy another year, without the transfer they talk about, the new license would start immediately?
I do think I saw where you could set a time for the license to start in the future with DH
But CSP’s have their own interface for buying m365 / not all offer that?
https://redd.it/1oa7fm4
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Autohotkey good or bad!?
I love this thing. How can I make it bullet proof so security team won’t make me uninstall it?(silly fear but)
I imagine if i set up alerts on if the ahk file changes or is even open that would be reasonably secure?
Windows Defender Controlled Folder Access ?
Or is having it on disk create a vulnerability?
Ooo can I digitally sign my .ahk!?
I would like help making a strong case for having it and to show that I made an effort to be secure
https://redd.it/1oadd75
@r_systemadmin
I love this thing. How can I make it bullet proof so security team won’t make me uninstall it?(silly fear but)
I imagine if i set up alerts on if the ahk file changes or is even open that would be reasonably secure?
Windows Defender Controlled Folder Access ?
Or is having it on disk create a vulnerability?
Ooo can I digitally sign my .ahk!?
I would like help making a strong case for having it and to show that I made an effort to be secure
https://redd.it/1oadd75
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
PSA: Keyboard/mouse won't work in WinRE after October 2025 Patch Tuesday
Microsoft broke the mouse/keyboard in WinRE. Means you can't really use it.
"After installing the Windows security update released on October 14, 2025 (KB5066835), USB devices, such as keyboards and mice, do not function in the Windows Recovery Environment (WinRE). This issue prevents navigation of any of the recovery options within WinRE. Note that the USB keyboard and mouse continue to work normally within the Windows operating system." -- https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3696msgdesc
Was driving our IT team crazy on a Saturday, but replacing the WinRE image from an older ISO works: https://www.windowslatest.com/2025/10/18/microsoft-confirms-windows-11-october-2025-update-breaks-winre-recovery-input/
https://redd.it/1oa7w8n
@r_systemadmin
Microsoft broke the mouse/keyboard in WinRE. Means you can't really use it.
"After installing the Windows security update released on October 14, 2025 (KB5066835), USB devices, such as keyboards and mice, do not function in the Windows Recovery Environment (WinRE). This issue prevents navigation of any of the recovery options within WinRE. Note that the USB keyboard and mouse continue to work normally within the Windows operating system." -- https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3696msgdesc
Was driving our IT team crazy on a Saturday, but replacing the WinRE image from an older ISO works: https://www.windowslatest.com/2025/10/18/microsoft-confirms-windows-11-october-2025-update-breaks-winre-recovery-input/
https://redd.it/1oa7w8n
@r_systemadmin
Docs
Windows 11, version 24H2 known issues and notifications
View announcements and review known issues and fixes for Windows 11, version 24H2
Anyone else having Bitlocker recovery key issues after installing the latest October 2025 Windows 11 KB5066835 update and then restarting?
Been getting reports of computers getting Bitllocker recovery key screen after installing the latest October 2025 Windows 11 KB5066835 update. Anyone else having this issue? We opened a Microsoft Support Case but the issue has not been acknowledged by Microsoft Support.
https://redd.it/1oadz4t
@r_systemadmin
Been getting reports of computers getting Bitllocker recovery key screen after installing the latest October 2025 Windows 11 KB5066835 update. Anyone else having this issue? We opened a Microsoft Support Case but the issue has not been acknowledged by Microsoft Support.
https://redd.it/1oadz4t
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Weird powershell command running and I need advice.
Past couple of days a couple of my servers have been spawning these powershell command ran by SYSTEM
Powershell.exe -ExecutionPolicy Restricted -Command function Get-UEFIX509Certificates{ $Certs = @(); try { $UefiDb = Get-SecureBootUEFI -Name db }
And this command can either be spawned with multiple processes or just one and it’s taking up a % of memory where SW is triggering alerts for high memory. Our end point security has not been triggered with this spawned powershell noscript.
I started an internal incident and investigation with my other colleagues but they haven’t seen this command before.
Our MCM team only uses “Powershell.exe -ExecutionPolicy Bypass” with Software Center to deploy updates, so it’s not related to windows updates.
Copilot threw this together since I can’t find anyone else that has ran across this noscript before.
this is what copilot said about the noscripts that are running
powershell.exe -ExecutionPolicy Restricted -Command function Get-UEFIX509Certificates { $Certs = @(); try { $UefiDb = Get-SecureBootUEFI -Name db }
What this means:
1. ExecutionPolicy Restricted
This is the most restrictive policy in PowerShell, which normally prevents noscripts from running. However, the -Command parameter allows inline commands to execute despite the restriction.
2. Custom Function: Get-UEFIX509Certificates
The code defines a function intended to retrieve UEFI X.509 certificates. These certificates are part of the Secure Boot infrastructure in UEFI firmware.
3. Key Operation: Get-SecureBootUEFI -Name db
This command queries the UEFI Secure Boot database (db). The database contains trusted certificates and keys used to validate boot loaders and drivers during Secure Boot.
In short:
PowerShell is trying to read Secure Boot configuration data from the UEFI firmware, specifically the certificate database. This is typically done for:
• Auditing Secure Boot settings.
• Checking trusted certificates.
• Security compliance or troubleshooting boot integrity.
I’m reaching out to see if anyone else in the community has seen this happen and can shed light on what and why these commands are spawning.
https://redd.it/1oafv3h
@r_systemadmin
Past couple of days a couple of my servers have been spawning these powershell command ran by SYSTEM
Powershell.exe -ExecutionPolicy Restricted -Command function Get-UEFIX509Certificates{ $Certs = @(); try { $UefiDb = Get-SecureBootUEFI -Name db }
And this command can either be spawned with multiple processes or just one and it’s taking up a % of memory where SW is triggering alerts for high memory. Our end point security has not been triggered with this spawned powershell noscript.
I started an internal incident and investigation with my other colleagues but they haven’t seen this command before.
Our MCM team only uses “Powershell.exe -ExecutionPolicy Bypass” with Software Center to deploy updates, so it’s not related to windows updates.
Copilot threw this together since I can’t find anyone else that has ran across this noscript before.
this is what copilot said about the noscripts that are running
powershell.exe -ExecutionPolicy Restricted -Command function Get-UEFIX509Certificates { $Certs = @(); try { $UefiDb = Get-SecureBootUEFI -Name db }
What this means:
1. ExecutionPolicy Restricted
This is the most restrictive policy in PowerShell, which normally prevents noscripts from running. However, the -Command parameter allows inline commands to execute despite the restriction.
2. Custom Function: Get-UEFIX509Certificates
The code defines a function intended to retrieve UEFI X.509 certificates. These certificates are part of the Secure Boot infrastructure in UEFI firmware.
3. Key Operation: Get-SecureBootUEFI -Name db
This command queries the UEFI Secure Boot database (db). The database contains trusted certificates and keys used to validate boot loaders and drivers during Secure Boot.
In short:
PowerShell is trying to read Secure Boot configuration data from the UEFI firmware, specifically the certificate database. This is typically done for:
• Auditing Secure Boot settings.
• Checking trusted certificates.
• Security compliance or troubleshooting boot integrity.
I’m reaching out to see if anyone else in the community has seen this happen and can shed light on what and why these commands are spawning.
https://redd.it/1oafv3h
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
RAID Rebuild Time
Hey All!
Hoping someone with more storage experience could help me. I have a server that houses my company's VMS and Access Control System, It is currently at 44TB of Video storage and 16TB was just added today for expansion into a new site next door. I followed the instructions at How to Reconfigure a Virtual Disk With OpenManage Server Administrator (OMSA) | Dell to add the drives to the array but here 5 hours later it is still showing at 0% in OMSA. Anyone have any guess how long it will take a raid 5 array of this size to reconfigure? I heard it could take a week. Is that true? Im pretty good on the software side of Sysadmin but now that Im with a company that Im the single IT guy the hardware side of this is new to me. Thanks in advance and sorry if this is a stupid question lol
https://redd.it/1oaah1z
@r_systemadmin
Hey All!
Hoping someone with more storage experience could help me. I have a server that houses my company's VMS and Access Control System, It is currently at 44TB of Video storage and 16TB was just added today for expansion into a new site next door. I followed the instructions at How to Reconfigure a Virtual Disk With OpenManage Server Administrator (OMSA) | Dell to add the drives to the array but here 5 hours later it is still showing at 0% in OMSA. Anyone have any guess how long it will take a raid 5 array of this size to reconfigure? I heard it could take a week. Is that true? Im pretty good on the software side of Sysadmin but now that Im with a company that Im the single IT guy the hardware side of this is new to me. Thanks in advance and sorry if this is a stupid question lol
https://redd.it/1oaah1z
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Receiving offensive, racist and homophobic support emails
Hi,
I'm not sure if this is the right place to ask, but I'll give it a shot anyway.
For the past few days, I've been receiving offensive, racist, and homophobic emails. These messages are from a customer complaining about a free product they're using.
I won’t go into too many details, but essentially, the person is being extremely offensive, making racist and homophobic remarks towards both me and the product. The person is also demanding that I remove certain features simply because he/she don't like them.
Over the years, I've learned to ignore this type of negativity, but this feels on another level.
I don’t want to waste too much time nor resources on this, but if there's anything I can do to prevent it, I’m happy to fill out any necessary report forms.
The individual is also using their own agency/company domain to send these emails.
https://redd.it/1oam2oj
@r_systemadmin
Hi,
I'm not sure if this is the right place to ask, but I'll give it a shot anyway.
For the past few days, I've been receiving offensive, racist, and homophobic emails. These messages are from a customer complaining about a free product they're using.
I won’t go into too many details, but essentially, the person is being extremely offensive, making racist and homophobic remarks towards both me and the product. The person is also demanding that I remove certain features simply because he/she don't like them.
Over the years, I've learned to ignore this type of negativity, but this feels on another level.
I don’t want to waste too much time nor resources on this, but if there's anything I can do to prevent it, I’m happy to fill out any necessary report forms.
The individual is also using their own agency/company domain to send these emails.
https://redd.it/1oam2oj
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
New job!
TL;DR Taking over as school IT manager with limited experience and wanted guidance on what to become skilled at. On prem AD and Google Workspace environment.
Hi all,
I am going to be taking over as a sysadmin/IT manager of a school. Altogether 2000 students and staff.
I will be replacing someone who has worked there for 30+ years and is retiring. From what I’ve heard a lot of the systems and procedures are outdated and I am fairly nervous to slowly make changes to modernise things due to my lack of experience.
I have had experience in IT since 2022 but in a proper MSP environment since 2023 which includes being an IT engineer for around 10 different schools.
I am still fairly new to IT and obviously there is a sense of imposter syndrome (which is fine- it’s always good to feel like you need to learn more) but I wanted to get some advice from others around here on what I should get better at and solidify.
The school is using a hybrid environment which includes on prem AD and Google Workspace.
Some things I am specifically nervous about is the backup solutions and how to implement the disaster recovery plan.
Also, managing and troubleshooting complex windows server issues.
Any advice and guidance would be truly appreciated!
https://redd.it/1oamhvp
@r_systemadmin
TL;DR Taking over as school IT manager with limited experience and wanted guidance on what to become skilled at. On prem AD and Google Workspace environment.
Hi all,
I am going to be taking over as a sysadmin/IT manager of a school. Altogether 2000 students and staff.
I will be replacing someone who has worked there for 30+ years and is retiring. From what I’ve heard a lot of the systems and procedures are outdated and I am fairly nervous to slowly make changes to modernise things due to my lack of experience.
I have had experience in IT since 2022 but in a proper MSP environment since 2023 which includes being an IT engineer for around 10 different schools.
I am still fairly new to IT and obviously there is a sense of imposter syndrome (which is fine- it’s always good to feel like you need to learn more) but I wanted to get some advice from others around here on what I should get better at and solidify.
The school is using a hybrid environment which includes on prem AD and Google Workspace.
Some things I am specifically nervous about is the backup solutions and how to implement the disaster recovery plan.
Also, managing and troubleshooting complex windows server issues.
Any advice and guidance would be truly appreciated!
https://redd.it/1oamhvp
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
How much do you trust immutable storage to be immutable?
I've just got Veeam writing backups out to a hardened repository and I must admit it feels damned good.
Immutable setup using single use credentials no SSH etc. all done by the guides.
But there's always that little nagging doubt that there's still a way to get at the backups.
My absolute last line of defence is having a copy on tape. You can fit a lots of bandwidth on a shelf.
But if you've got immutable storage and you have management interfaces disabled so there's no iDRAC/iLO/SSH or other access how much faith do you have that there really no way for the bad guys to get at it?
https://redd.it/1oam23u
@r_systemadmin
I've just got Veeam writing backups out to a hardened repository and I must admit it feels damned good.
Immutable setup using single use credentials no SSH etc. all done by the guides.
But there's always that little nagging doubt that there's still a way to get at the backups.
My absolute last line of defence is having a copy on tape. You can fit a lots of bandwidth on a shelf.
But if you've got immutable storage and you have management interfaces disabled so there's no iDRAC/iLO/SSH or other access how much faith do you have that there really no way for the bad guys to get at it?
https://redd.it/1oam23u
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Reusing “deleted” users username/email address
Would anyone like to explain why this can be a bad idea? We are standing up an IAM system that noscripts the creation disablement and to my dismay deletion of accounts after 90 days but I don’t see why we care to “reclaim” a username and I sense there being issues with doing so.
What’s your experience with deleting user accounts and then resurrecting them ??
https://redd.it/1oalz5u
@r_systemadmin
Would anyone like to explain why this can be a bad idea? We are standing up an IAM system that noscripts the creation disablement and to my dismay deletion of accounts after 90 days but I don’t see why we care to “reclaim” a username and I sense there being issues with doing so.
What’s your experience with deleting user accounts and then resurrecting them ??
https://redd.it/1oalz5u
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Where can I buy non-copilot laptops?
See noscript. I have a blind user in my org who cannot use it because the copilot key took the place of the right ctrl key.
https://redd.it/1oaruop
@r_systemadmin
See noscript. I have a blind user in my org who cannot use it because the copilot key took the place of the right ctrl key.
https://redd.it/1oaruop
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Strange behavior in linux: user can still run
If a user is removed from the
Additionally, PAM can be configured so that when the user runs
However, I found this restriction applies only to command-line. There are other ways for the same user to perform privileged actions. For example, instead of running:
they can simply run:
In this case, GDM displays a graphical password prompt for the root password, and the operation completes successfully. This makes membership in the
The same issue occurs with
This seems like a design flaw. There appears to be backdoors that bypass PAM restrictions and group-based privilege control.
question:
How can I configure Linux desktop so that a user is confined, that is, they cannot run any executable requiring elevated privileges (even if they know the root password), and they cannot switch to another user context even through Wayland/GDM?
In other words, I want to ensure that users can execute only the commands for which they have explicit execution permissions.
https://redd.it/1oaqvg4
@r_systemadmin
sudo commands and switch users even though pam prohibits itIf a user is removed from the
sudo group and tries to run sudo some-command they correctly receive a permission denied error.Additionally, PAM can be configured so that when the user runs
su some-user a "su: permission denied" message is shown, even if the correct password is entered for some-user.However, I found this restriction applies only to command-line. There are other ways for the same user to perform privileged actions. For example, instead of running:
sudo systemctl restart cron.service
they can simply run:
systemctl restart cron.service
In this case, GDM displays a graphical password prompt for the root password, and the operation completes successfully. This makes membership in the
sudo group useless, since the same command can be executed without sudo ! The only difference is that the password is entered in a graphical window instead of the command line! The graphical display has root privileges and follows its own policy not PAM.The same issue occurs with
su: a user can switch to another account, even root, through graphical tools, even if they are not in the sudo group and cannot run su from the terminal.This seems like a design flaw. There appears to be backdoors that bypass PAM restrictions and group-based privilege control.
question:
How can I configure Linux desktop so that a user is confined, that is, they cannot run any executable requiring elevated privileges (even if they know the root password), and they cannot switch to another user context even through Wayland/GDM?
In other words, I want to ensure that users can execute only the commands for which they have explicit execution permissions.
https://redd.it/1oaqvg4
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community