Proxmox
Okay, so, bit of a brain fart. My boss's boss was doing a bit of a ride along thing, just asking questions, getting to know IT (I know, odd but, good. The leadership has always had these rules about spending time with staff). I was showing him Proxmox and how we can set up VMs and bla bla bla... I didn't mean to oversell it or anything but, it's great. Anyway, he asked, why don't we set up every computer first with Proxmox then add a Windows VM. Would be the ultimate way to recover a computer quickly with longer term backups on another server (whatever your backup plan is). I did address the loss of power, as some CPU and resources would be needed just for Proxmox. He asked about building a super computer with Proxmox and having everyone access VMs. I congratulated him for inventing thin clients but also thought it would permit a lot of flexibility for staff and maybe it wouldn't be a bad idea. All I did was pause for a few moments to consider my answer and now he wants me to write up some pros and cons. When it might be appropriate to use thin clients, would there ever be a time when it would make sense to have a single PC with Proxmox running just one VM for the end user or (this came up right at the end of the convo) eliminating Windows users in favor of VMs (which I basically said no to that right away) but, now I'm thinking about redoing my homelab computer with Proxmox first.
1. Proxmox as main OS with NinjaOne installed with image level backup enabled.
2. Windows 11 Pro from me
3. Linux for fileserver
4. Grandstream UCM Multi Tenant Software PBX (Just something I'm playing with these days).
What would you tell my boss, pro or con, about single computer / super computer with thin client?
Yes, this is probably an easy thing to answer but my mind is distracted with planning the PC that will be powerful enough to design the PC that will eventually be my home lab PC (very loose nod to Douglas Adams)
https://redd.it/1omtfes
@r_systemadmin
WMIC and 25H2
Anyone know the real story about WMIC in Windows 11 25H2? Microsoft said that WMIC would be removed as part of the upgrade, but that doesn't seem to be true - we've checked several machines upgraded to 25H2 and they all still have WMIC.
A newly installed Windows 11 25H2 doesn't have WMIC but it can be installed from Optional Features, exactly the same as 24H2. (And just like 24H2, WMIC is present during the install process - it is only removed when the first user logs in.)
As far as I can see, 25H2 doesn't change anything about WMIC at all! What am I missing?
https://redd.it/1omv5ci
@r_systemadmin
Need help with getting HPE SAS drives usable in non-HP enclosures
So yea, I bought some of these - HPE 3PAR SMBP6000S5xeF7.2 (HP version of Seagate ST6000NM0285).
They are unsupported in my non-HP arrays. They refuse to accept PSID revert (sedutil-cli) and they refuse to accept Seagate OEM equivalent firmware (hdparm and Seatools both fail). They show up as SCSI devices (eg /dev/sg3) but not as blk devices. Pretty much at the end of my rope with these things.
Any suggestions about how this might be made to work? Available to run commands and report results for troubleshooting at your convenience. Really would like to be able to use these / not have to junk them.
https://redd.it/1omv3in
@r_systemadmin
How do people set up internal pentesting device?
I'm in a relatively small company (<500). Is it just a scanner like nessus then you use msf to check if the vulnerabilities found are true?
I was told to set up an internal pentesting device using kali. How do external vendors even do this. And what's the most common way people set up for internal pentesting?
https://redd.it/1on0zyc
@r_systemadmin
Rolling out a password manager for ~200 staff — is a third-party tool (like LastPass) necessary, or can we rely on browser password managers?
We were about to roll out LastPass enterprise-wide (~200 staff), but management has put the brakes on due to cost-cutting. The current plan is to limit LastPass licenses to departments that actually need shared vaults (IT, Finance, etc.), while the rest of the staff would just use their browser’s built-in password manager (Chrome, Edge, etc.).
From their perspective, most users only have one or two credentials (mainly for SSO-integrated web apps), so a third-party password manager for everyone seems excessive. I get the logic, but I’m not sure if relying on browser password managers is a good call from a security and manageability standpoint.
All browsers are corporately managed via policy so sync restrictions, extension control, etc. can be configured, but there’s still no centralized visibility or enforcement of password hygiene, MFA use, or vault access.
For anyone who’s gone down this road: is limiting enterprise password manager licenses to “key” departments a reasonable compromise, or does it create more risk and inconsistency in the long run?
https://redd.it/1on2nt6
@r_systemadmin
HP iLO Firmware Update Error: Invalid File Signature
I am trying to update iLO 2.0 via the Web GUI to version 3.16 on a dl380 g10.
I keep getting the error: "The file signature is invalid. Make sure you are using a valid, signed flash file...". I was able to use the same file to update another dl360 g10 so the file is not an issue.
Is there a known certificate chain issue with this version jump?
https://redd.it/1on2upd
@r_systemadmin
Do sysadmins keep personal notes besides the knowledge base?
Most troubleshooting documents are stored in the company Knowledge Base.
But apart from that, I want to know something:
Do system administrators keep their own private notes for quick reference?
Like handwritten notes, or a small text file in their laptop/notepad?
For example:
* rare commands they always forget
* small tricks they learned by experience
* steps to safely open specific laptop models
* configuration notes for routers / switches / VC setup
* strange issues they solved without knowing the full logic at first
Do you keep this type of personal notes?
If yes, what kind of things do you store in them?
https://redd.it/1on5fdt
@r_systemadmin
Everyone’s using AI at work now. No policy. No logs. What could possibly go wrong?
Just watched the new episode of *The Morning Show* and they accidentally captured what’s already happening to all of us:
1) Company builds a fancy AI using internal data.
2) Immediately leaks said internal data.
3) Leadership: “How could this happen?!”
Meanwhile in the real world:
* Users paste confidential docs into whatever chatbot they find first
* Shadow AI tools everywhere
* Zero audit trail
* But leadership wants “more AI because innovation”
We’re stuck in the middle, trying to:
* Let people use AI so they don’t bypass us completely
* Prevent the company from putting its crown jewels into the cloud
**What are you all doing for AI guardrails (if anything)?**
* Blocking everything?
* Approved tools?
* “Send to security for review” (aka never happening)?
Genuinely curious - what’s working, what isn’t, and what fresh hell have you seen so far?
https://redd.it/1on71fu
@r_systemadmin
HPE Support Refusing To Let Me Log In
Always fun when you walk in and there's a dead drive in the RAID Array. No sweat, it's under warranty, I'll just log a ticket with HP Support.
3 different accounts refusing to log us in, all with the error "The access request cannot be completed due to an administrative issue identified with your account. To resolve this issue submit a support request"
Fun times.
https://redd.it/1on7ik1
@r_systemadmin
November 2025 Microsoft 365 Changes: What’s New and What’s Gone?
Big updates in Microsoft 365 are rolling out this November! From feature retirements to security enhancements, here’s everything admins need to know.
🌟 **In Spotlight:**
* **Auto-Archiving for Exchange Online** - Auto-Archiving will launch in public preview for Target release opted tenants. When a mailbox exceeds 96% of its quota, older emails will automatically move to the archive mailbox to avoid storage issues.
* **Knowledge Agent in SharePoint** - Sites can opt in to the new Knowledge Agent, which uses AI to organize and enrich SharePoint content for better Copilot answers.
* **Admin Consent for Entra Applications** - Microsoft will now require admin consent for all third-party apps accessing Teams and Exchange APIs. Users cannot grant consent to third-party applications that access Exchange and Teams data via delegated permissions.
Here’s a quick overview of what’s coming:
**Retirements:** 6
**New Features:** 9
**Enhancements:** 5
**Functionality Changes:** 2
**Action Required:** 3
**Retirements**
1. The *SP.Utilities.Utility.SendEmail* API in SharePoint will be retired on October 31, 2025. Starting November 1, 2025, emails sent using this API will no longer work.
2. The ‘*Mobile Devices’* page in Outlook Web and the new Outlook, used to view and manage devices syncing with mailboxes, will retire on November 6, 2025.
3. The “*Visualize the List” and “Visualize the Library*” options in SharePoint Online, used to quickly create Power BI reports, will retire to simplify reporting.
4. *Desktop notifications in Viva Engage* will retire by mid-November 2025 as part of Microsoft 365’s unified notification experience.
5. *Microsoft Lists mobile app*s for iOS and Android will retire by mid-November 2025.
6. The “*Refresh All on Page*” option in OneNote Meeting Details pane will be removed on November 15, 2025, and meeting details will no longer auto-refresh from Outlook or Teams.
**New features**
1. Microsoft Teams now supports *Entra-based authentication for agents and bots in group chats*. When a bot requests a user’s Entra token, Teams verifies installation and consent, prompting users privately to grant permissions for secure access.
2. To enhance phishing protection, Microsoft Teams will display warnings when users receive *malicious URLs* in chats or channels.
3. App Role-Based Access Control (RBAC) simplifies assigning email send permissions to apps. Admins can grant the *SMTP.SendAsApp* role for group or scoped mailbox access, eliminating per-mailbox PowerShell configuration.
4. Microsoft Entra ID will introduce *support for passkey profiles* in the FIDO2 authentication methods policy.
5. SharePoint admins can now use the new “*Enterprise Application Insights*” report to monitor sites accessed by third-party apps registered in the tenant, as part of SharePoint Advanced Management.
6. Microsoft Purview *integrates Insider Risk Management (IRM) with DSI,* enabling data security admins to launch pre-scoped investigations directly from IRM cases to assess risky behavior and post-incident impact.
7. Starting November 14, 2025, *Immersive Events in Microsoft Teams* will reach general availability.
8. Microsoft is introducing a *modern Workflows experience in SharePoint*, enhancing automation across lists, libraries, and chats using Power Automate.
9. Microsoft will soon allow users to chat with external contacts using their email address. External users will receive an invitation to join the session as a guest.
**Enhancements**
1. SharePoint *improves version history for lists and libraries* edited in grid view by merging consecutive edits into one version, reducing clutter and saving storage.
2. Defender for Office 365 enhances the *quarantine preview experience* for greater consistency, security, and usability.
3. Purview Data Loss Prevention (DLP) extends to the network layer through *Entra Global Secure Access*, enabling inspection and control of file traffic in transit.
4. Purview enhances compliance by enforcing *Entra Conditional Access for eDiscovery admins* and adding a new ‘FilePreviewed’ audit log activity.
5. Microsoft is updating the quarantine view for improved usability and consistency. Quarantined messages will now *be displayed per recipient*, and the *ReleaseToAll* parameter in the Release-QuarantineMessage cmdlet will act on each mailbox separately.
**Existing Functionality changes**
1. The “Files” tab in Teams channels will be renamed to “*Shared,*” showing not only document library files but also all files and links shared in the channel conversations.
2. Teams is introducing a new calendar integrated with Copilot and Microsoft Places; the legacy calendar and *the toggle to switch views will be removed.*
**Action Required**
1. The *Team Guidance feature in Microsoft Places*, which helped managers manage in-office days and team priorities, is retiring. Begin transitioning to Microsoft 365 Groups for team scheduling.
2. *UKG and Blue Yonder connectors* for syncing workforce data with Teams Shifts will retire on November 14, 2025. Move to the UKG Flow app or custom integrations.
3. The Viva Insights export via *Microsoft Graph Data Connect (MGDC) is retiring*. Switch to the Power BI Connector in Microsoft Fabric or use CSV export for reporting needs.
Act now to stay ahead and ensure these updates don't impact you!
https://redd.it/1on8ssi
@r_systemadmin
Fixing the 0xc00002e2 Active Directory error in Windows Server
Hi folks,
I just wanted to share my solution for the error 0xc00002e2 in Windows Server as it's taken me a few days to find the actual cause and relatively easy fix (in hindsight), so that I can hopefully save some of you some time.
Issue:
After restoring a backup of a Domain Controller in Windows Server when booting it up, you see a Blue Screen of Death (BSoD) with error code 0xc00002e2.
Cause:
The NTDS (Active Directory) database in the backup is older than 6 months. Windows Server has a built-in safety feature that prevents booting an Active Directory server where the NTDS database is older than 6 months, so it throws this error.
Fix:
1. Log into DSRM (Directory Services Restore Mode). This can be done by restarting the server and hammering F8 until you see a bunch of startup options that includes DSRM.
2. Log in as the Administrator.
3. Change the date of the server to a date less than 6 months after the backup/snapshot was made.
4. Reboot the server
5. No more BSoD! Log in as usual as an admin.
6. Click start > type 'cmd' > right click 'run as administrator' and use the commands
net stop w32time
net start w32time
This corrects the time.
This fixes the whole issue, you may want to reboot at this point for good measure.
Potential additional steps required (optional):
- Are you restoring a snapshot to a new server? You will probably have a new IPv4 and IPv6 address. If so, don't forget to correct those in the DNS Manager (Server Manager > Tools > DNS).
- Unable to connect to other servers in your server pool from the Domain Controller? Perform an nslookup from another server in the same AD environment, e.g. an RDS server:
nslookup dc.domain.local (replace with w/e your domain controller is called).
Do you get an error that includes a DNS resolver that's NOT the local IP of your domain controller? Go to your network adapter settings for IPv4 (on both LAN and WAN) and select 'Advanced' > unselect 'Automatic Metric'. Set the LAN to a metric value of 10 and the WAN to a metric of 100 (gives prio to LAN). Your LAN connection now gets priority and the nslookup will succeed.
https://redd.it/1on8cp5
@r_systemadmin
SentinelOne is killing Keepass 2.6 - reporting dropper trojan
S1 is killing it during the update process.
SourceForge thread here but very little activity so far: KeePass / Discussion / Open Discussion: Drop.win32.winselfcopy detecting in Keepass 2.6
https://redd.it/1onbej9
@r_systemadmin
Am I crazy or isn't giving your password to IT against like, every kind of security compliance?
For some insane reason, Help Desk at my company is regularly obtaining people's AD credentials over the phone and over email, even for things as simple as a password reset.
I haven't been on HD in a long time, and I can't remember the last time I looked up actual security compliance requirements, but I could have SWORN that the #1 rule was don't give your password to ANYONE, especially if they claim to be from IT! Like, that's the main way scammers phish people!
Am I losing my mind?
https://redd.it/1ond1aw
@r_systemadmin
Teams chats from old tenant
So guys, I am losing it right now.
We have a new employee, with new username, freshly created in our tenant and given licenses needed.
For some reason, and I cannot get behind why this is happening, the user sees ONE group chat from his old company he worked for earlier this year. The only thing that stayed the same is his first name and surname. Obviously there is no connection with the old company other than that. How the F is Microsoft happening to know that it's the same guy?
Adding to that: The user got a fresh device that was never used anywhere too.
https://redd.it/1onbiy7
@r_systemadmin
What would you do if you were forced to go into office more?
Our IT director recently decided that everyone has to be in the office at least 3 days a week instead of 2. I'm sure it doesn't surprise anyone that the reaction across the department hasn’t been great.
Like many IT teams, most of what we do doesn’t actually require being in the office. When hardware work comes up, we just plan our in-office days accordingly. So it clearly feels like a “trend-following” move to align with the general push for return-to-office rather than anything based on actual need.
For me personally, it’s more of a mild inconvenience than a major issue (which I'm grateful for) but I’m curious what others would do in this situation. Would you look elsewhere, push back, or just accept it and move on?
https://redd.it/1onf9nk
@r_systemadmin
What's the most embarrassing IT blunder you've witnessed (or caused) that still makes you cringe?
Bonus points if you fixed it before anyone found out.
I think everyone's got at least one xD.. right?
https://redd.it/1ongjg3
@r_systemadmin
Sanity Check - AWS and Azure down again?
Downdetector shows them toast, and for some reason our on-prem stuff started acting strange. Anyone else seeing odd stuff happening around 9:16 AM EST?
https://redd.it/1ondu2o
@r_systemadmin
Today I screwed up
Well I guess it happens to all of us every now and then, but it's always such a bad feeling when it happens. 4 years at this company and today, I screwed up production.
It was a morning deployment to prod, a couple of quirks but nothing too special. And the actual deployment went fine actually. I did the post-deploy checks, all green. Closed the VPN connection and went on with my day.
Close to the end of the day we start getting tickets, users couldn't log in... me and my manager jumped into action and not even 30 seconds in we see a duplicated network on production, with my name all over it...
Fixing it took just a couple of clicks and I checked my command history and cannot find what I did but it's my name on those logs and now I'm just feeling like crap...
Anyways... hope your day is going better than mine
https://redd.it/1onjbmo
@r_systemadmin
Does every non-technical person state the order of HTTP redirects incorrectly? Or just the people around me?
This is just a small thing, but I'm baffled by it.
When a user asks me for help to create an HTTP redirect, if they are in a non-technical role such as marketing or education, they will almost always state it this way:
> Please help me create a redirect from www.new-site.com/new-path to www.old-site.com/old-path.
So, as a matter of course, I always have to reply with a narrative description of how a redirect actually functions for a user. Something like:
> The user will enter www.new-site.com/new-path into their browser, and will get bounced over to a final destination of www.old-site.com/old-path. Are you sure that's what you want?
... It's just an extra email. And everyone has been gracious about the clarification. But I am just so surprised how widespread this inverted thinking seems to be among my users.
Among you web server sysadmins, have you noticed something similar?
https://redd.it/1onl1y9
@r_systemadmin
I hate printers
I work at a relatively small company and our IT dept is only about 5 people with very specific roles. So when more helpdesk-ish tickets come in, they're pretty much for whoever is free in that moment (Yes it sucks).
But I've been dealing with this stupid ass printer shit for soooo long now because some manager doesn't like the way the printer prints.
For context, it's a Citizen label printer. And I set it up with Printix for whoever wants to use it but really just this specific department. You can print the labels, after some elbow grease they now look fantastic! Was even approved by the requester (a manager). But for whatever reason, you have to click portrait each time. Ok... not a big deal! You can even tell it'll be messed up if you're on landscape. So it should be an easy catch for anyone.
But this manager HATES that. So now he threatened to go to my boss about this whole situation... all because the user has to click portrait each time. Now really, I'm sure there's some way some how to write some command, script, or edit a driver or something so landscape just isn't an option that even appears. But what the shit are you really talking about!?!?!
It's just one click you have to do before printing out your labels! But he now wants to scrap the thousands of dollars we spent from our budget into these printers. All because of one more step to click and print these labels....
Am I overreacting??? Or is this as ridiculous as he may think.
https://redd.it/1ono277
@r_systemadmin