Finally got a new job

After 7 months of interviews and applying to 5+ places every day I finally got an offer. If you are struggling and still looking for work don't give up, you'll get something eventually.

https://redd.it/1opapvg
@r_systemadmin

Setting up new Active Directory - best practice for passwords?

OK so I have a bit of a conundrum.

Company has never used AD. Everyone logs in with a local account on their machine. Shared machines and servers have multiple local accounts, one for each person.

For example ServerA will have four accounts for John, Jude, Mary and April.
Workstation A will also have four local accounts John, Jude, Mary and April.

John logs into WorkstationA with his username and password. He tries to access a resource on ServerA, as long as that server also has a local account "John" with the same password as his workstation, the authentication "passes through" and he gets access.

So, now we're finally getting M365 and setting up Azure AD. CTO wants to setup each user's machine himself. I create account, assign random password, give CTO the password, he logs into their workstation using the new Azure AD account and "gets things setup" for them.

Then he stores the users credentials in LastPass. For every user.

Uhm, what? Am I taking crazy pills? He says it's best practice to keep track of every user's password in a password manager but this just sounds like a huge security risk to me.

https://redd.it/1opih6o
@r_systemadmin

Thickheaded Thursday - November 06, 2025

Howdy, /r/sysadmin!

It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1opuyfa
@r_systemadmin

What's your company policy on adblockers?

Do you install for whole company? Block them? Allow people to install them?

https://redd.it/1opsnxa
@r_systemadmin

HP seems to be disabling HEVC Hardware Decode support on their laptops, creating problems.

Hi all,

Wanted to cross-post a post I made at /r/Hewlett-Packard, but it seems I cannot. Making this post here mostly as an FYI in case anyone happens to run across this at their company, and to be aware of / stay clear of the issue.

Yesterday I spent the better part of my afternoon diagnosing an issue with the playback of HEVC / H.265 content on a machine. The device would experience infinite loading whenever HEVC Content would be accessed through a web browser (Edge, Firefox, Chrome, etc), but would seemingly have no issue with playback from Windows Media Player, VLC, and other local players. Another symptom is that the local media players play HEVC back in Software decoding mode, as evident by no GPU load appearing, and DXVAChecker shows APIs such as AV1, VP9, VP8, and H.264 being available, but no HEVC.

After going down an entire rabbit hole of troubleshooting, I identified that HP seems to be intentionally disabling hardware decoding of H.265 / HEVC content, and this has introduced software breaking bugs in my organization. People with older hardware were not experiencing problems, whereas those with newer machines needed to either have the HEVC codec from the Microsoft Store removed entirely from MediaFoundation, or have Hardware Acceleration disabled in their web browser/web app, which causes a number of other problems / feature degredations. For example, no background blurring in conference programs, significantly degraded system performance (Intel's hybrid architecture chips are slow as heck with E-Cores), etc.


After some digging, I've found affected models such as the HP ProBook 460 G11 and the ProBook 465 G11. HPs Quick Specs sheet call out under the Graphics section that H.265 Hardware Decoding is disabled on the platform.

Sources: https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=c08915560

https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=c08908497

I've also seen it on the EliteBook 665 G11...

https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=c08927104

This is pretty ridiculous, given these systems are $800+ a machine, are part of a "Pro" line (jabs at branding names are warranted - HEVC is used professionally), and more applications these days outside of Netflix and streaming TV are getting around to adopting HEVC.

So just posting this as an FYI, to either continue to avoid HEVC due to the licensing mess it has been (and I assume HP isn't paying the license fees on these machines), or to pay extra attention to what you're buying from HP and to avoid these models for being "broken by design."

https://redd.it/1opxue7
@r_systemadmin

Looking for the most efficient GRC platform?

I am a CISO for a SME and we already have quite a few frameworks under our belt. We used a company to help us get compliant but now that we are scaling but it feels like they are more catered to startups. we need something a bit more comprehensive now.

Some of the things my team would be looking for:

\- Cross framework control mapping We are adding new frameworks at a fast pace as we are expanding into more regions. So many of the controls overlap but I still find that we are duplicating work unnecessarily.

\- Real time visibility: I want to be able to view all our compliance activities/status etc in one centralized place but still have all the necessary evidence collection etc going on in the backgroubd

\- Real time threat detection: We want to stay compliant year round so when the audit rolls around it's smooth sailing. So something that identifies gaps and vulnerabilities immediately so we can remediate asap.

Any tools out there that are focused on that next "step" of compliance?

https://redd.it/1opy1kj
@r_systemadmin

Enterprise solutions to linux as a mainstream user desktop

This recent post made me think about it..

Is it even viable to utilize linux in a business full of end users? Are you (or your company) doing this? I mean, on one hand with so many services shifting to the cloud, many of those old, proprietary windows only applications are now cloud based services, so anything with a browser can access them, however what about things like:

Group policy control for various departments

SCCM's Software Center

AppLocker-esque services to prevent unwanted apps from installing

Bridges/etc/ to IAM systems potentially being used to replace the user logon and force mfa (I believe Duo might support this, but are there others?)

etc..

Do you work for a company who either has shifted to Linux for 'all' users or always been a linux shop? If so how's that been working for you?



https://redd.it/1opyk05
@r_systemadmin

Microsoft Defender/Security portal slowness

Anyone else seeing this? US East

https://redd.it/1oq0to0
@r_systemadmin

Advise with dealing Lumen

Hi everyone,


We had lumen as a failover internet connection. we were only month to month and the contract is already over. We contacted Lumen disconnects team to have their equipment removed from our rack. This was their response..

"Your site is on-net meaning it is part of a fiber ring that has other customer’s circuits.  Your service has no equipment that was specifically provided for that service so you do not need to disconnect or return any equipment.  Equipment onsite would stay in place and turned up"

We are currently working with legal to send them a notice before we disconnect power to their equipment.

Any advice would be greatly appreciated.

https://redd.it/1oq2msv
@r_systemadmin

What is everyone using to job hunt? is it still Indeed?

What is everyone using to job hunt? is it still Indeed?

https://redd.it/1oq3y5y
@r_systemadmin

Microsoft has gotten too big to fail, and their support shows it.

I have a ticket open with them for months, for something that should basically be a "yes/no" from them. My ticket has been assigned to someone from a 3rd world country who barely speaks English, who closed my ticket out as soon as I had some PTO, and who finally agreed to escalate it. Now it's been stuck with no response from them for weeks.

Microsoft knows they can make their support as absolutely atrocious as possible and there is nothing we can do about.

And yes, before you ask, I did DISM my SFC needfully.

https://redd.it/1oq6u0q
@r_systemadmin

With all the recent changes around VMware (price hikes, licensing changes, and the Broadcom acquisition fallout), our boss is asking us to start evaluating migration paths away from VMware.

We’re a smaller team ( just two of us managing around 150 VMs across on-prem infrastructure) and VMware has worked well technically, but it’s becoming less sustainable financially and administratively.

We're not running a massive data center, but we do need: stability and solid hypervisor performance, simple VM management (GUI or at least sane CLI), reasonable support for backups, templates, snapshots, etc., easy onboarding (nothing that takes weeks to spin up or learn)

I’ve started looking into Proxmox, XCP-ng, and Nutanix, but there’s a real gap between what looks good on paper vs. what holds up in production. We’re also not ruling out a partial move to the cloud, but we’re not 100% ready to be all-in on AWS or Azure just yet.

If you've already started (or completed) a VMware migration, what route did you take and what lessons did you learn the hard way?

https://redd.it/1oq0zco
@r_systemadmin

PoE+++?! WHEN WILL THE MADNESS END?

Planning switch refreshes for next years budget and I see PoE+++ switches now?? How many pluses are we putting at the end of this thing before we come up with a new name?

I just thought it was silly and had to make a post about it.

https://redd.it/1oqaif0
@r_systemadmin

Gmail is Enforcing Hard Rejections Starting Nov 2025 for Bulk Senders

Google just announced the next phase of Gmail’s bulk sender enforcement - and it’s a big one.

"Starting November 2025, Gmail is ramping up its enforcement on non-compliant traffic. Messages that fail to meet the email sender requirements will experience disruptions, including temporary and permanent rejections."

This means ff you send 5,000+ emails a day to Gmail, compliance is no longer optional. You have until November 2025 to fully authenticate your domain or risk hard rejections.

Until now, non-compliant messages were usually filtered to spam or quarantined.
Starting November 2025, they’ll be bounced or dropped entirely \- skipping the spam folder altogether.

This is Google’s final move to eliminate unauthenticated bulk mail.
Check your SPF, DKIM, and DMARC now - don’t wait until Gmail starts rejecting your emails.

https://redd.it/1oqb1t9
@r_systemadmin

What's your best "I inherited this" good/bad story?

A while back, I was hired as an administrator for a mid-sized medical practice (\~40 providers with around 200 support staff) with a 5-person IT team over several buildings on a medical campus.

My Manager gave me a lay of the land tour and took me to our Medical Records/Billing Building, walked me into the server closet, and showed me the single server responsible for the entire billing system.

The problem: The server's front was approximately 2 feet from the building's Water Heater pressure relief valve, pointed straight at it.

So that was an immediate conversation of:

Me: "How long has it been like this?.."

Manager: "5 years"

Me: "We need to change this..."

Manager: "Yeah, but they don't want to mess with the building due to the asbestos... "

Me: "Ok........mental note stay the fuck away from this building > So what have we got for backup on this?"

Manager: "It runs an xcopy/robocopy* to another server daily."

3 weeks later:

As I document things and try to understand how my IT kingdom currently operates... I review the backup jobs/setup for various devices, and I review said backup for this server.

Me: "Hey, where is "billingfs" physically located?"

Manager: "It's over in Medical Records/Billing."

Me: I quickly walk over to the building, enter the IT closet, and find "billingfs" directly above the billing system server, still well within the blast range of the Water Heater pressure valve... Also, I notice its RAID array is degraded...

My Resume went out that night.

https://redd.it/1oqc0hs
@r_systemadmin

What is your org's policy about access to "separated" user accounts

Suppose a user leaves your company, and their account is either deactivated or archived. An employee asks for access to the entire email account to find information they think it contains.

I believe that giving somebody full access to another user’s entire email account can create problems as now that user can see stuff like performance reviews, HR and other potentially sensitive data. To avoid this, I have been asking them what they are looking for and using our e-discovery tool to find the information if it exists. Most people are OK with this, but some people demand full access to the account.

How does your organization handle this type of request? Do you have any policies in place?

https://redd.it/1oqgfkt
@r_systemadmin

To the good supervisors: thank you.

So, I work help desk, and recently had a run in with an extremely rude customer. Long story short, he was having VPN issues, and I called him with the intent to help. However, as he answered the phone, he immediately began to cuss me out. He insulted me and my coworkers with the entire vocabulary of offensive words. After about ten minutes of this verbal abuse, I ended up falling for the bait…

He threatened to move to another IT company.

I told him “go ahead. Find another IT company”.

I look back at it now and find it hilarious how he seemed speechless at first at how I talked back to him. It was as if he expected me to just sit there and take the insults. He was silent for a good ten seconds before he asked for my name, flabbergasted. I gave him my name.

I told my boss, he pulled the recording, and calls me in for a meeting. He tells me he is going to write me up as it’s company policy. However, he is going to “mysteriously lose” the document. He tells me next time to just hang up, or put the call on hold and notify him or any other superior. Looking back, that’s what I should have done. But, I am grateful that my boss was understanding. He even said that he can’t wait for their contract to end so they can just dump them.

So, for all the good bosses out there that believe in their employees: thank you. 🙏

https://redd.it/1oqhryx
@r_systemadmin

Weekly 'I made a useful thing' Thread - November 07, 2025

There is a great deal of user-generated content out there, from noscripts and software to tutorials and videos, but we've generally tried to keep that off of the front page due to the volume and as a result of community feedback. There's also a great deal of content out there that violates our advertising/promotion rule, from noscripts and software to tutorials and videos.

We have received a number of requests for exemptions to the rule, and rather than allowing the front page to get consumed, we thought we'd try a weekly thread that allows for that kind of content. We don't have a catchy name for it yet, so please let us know if you have any ideas!

In this thread, feel free to show us your pet project, YouTube videos, blog posts, or whatever else you may have and share it with the community. Commercial advertisements, affiliate links, or links that appear to be monetization-grabs will still be removed.

https://redd.it/1oqqgep
@r_systemadmin

Reminder: Include Intune network endpoint on your furewall.

Microsoft Intune will start using Azure Front Door IP ranges (tagged AzureFrontDoor.MicrosoftSecurity) for network service endpoints as part of the Secure Future Initiative (SFI). This change is mandatory by December 2, 2025 to ensure uninterrupted device and app management connectivity. Without this update, Intune services may fail to communicate properly, impacting device compliance and app deployment.

https://redd.it/1oqqepi
@r_systemadmin

Dear lord its hard to land a job these days

Om not sure where im failing on the technical side. Im talking basic help desk stuff. Granted I've done far above help desk so I've narrowed my mindset to just be entry level help desk guy (ie, mapping network drive wont map the dns but can via ip and know the dns of it is broken) but I tend to over think and answer basic then follow up with advanced troubleshooting.

One job I blanked on a basic "how do you add a laptop to domain". Im used to intune and its been years since I did it, muchless have issues with users cannot login due to trust issues, thus needing to log into the laptop and removed it via settings on this pc and adding it back.

At this point ill take some job thays 20/hr. Of i can work around the world id take it and move to Colombia and live the nomad life until I settle down there.

But I cant even land a job for that.

https://redd.it/1oqhmp8
@r_systemadmin

People that take photos of every slide at a conference like you're at a concert.

They're gonna share the slides anyway at the inevitable feedback email, or you can just ask the presenters, or send them an email.
Sitting there and zooming in like a madman and taking photos of every irrelevant slide is the exact same as taking photos of fireworks and it makes you look kind of dumb.

https://redd.it/1oquo6v
@r_systemadmin