Microsoft 365 Local is Generally Available
Is anyone planning to investigate / deploy? It was promised a while ago as the ultimate answer to data sovereignty issues - as expected, looks like a fairly out-of-the-box Azure Local (formerly Azure Stack HCI) deployment of Exchange Server, SharePoint Server, and Skype for Business Server with a hardened security baseline and some cloud-based orchestrations. Not surprisingly there’s no on-premises Microsoft Teams functionality but this is still a disappointment. Useful or just another marketing innovation?
https://techcommunity.microsoft.com/blog/azurearcblog/microsoft-365-local-is-generally-available/4470170
https://redd.it/1p3q3td
@r_systemadmin
Rant: "I'm not technical" is not a badge of pride
When I started in the industry, users didn't do computers at school and the home computing revolution hadn't begun, so "I'm not technical" was perhaps a valid claim.
Fast-forward 35 years and this phrase is still being said, as if it were a badge of pride.
There are not enough swearwords in the universe to describe what I want to say... but I am sure I am not alone in thinking that in '25 it should actually be followed by "and I need to fix that".
https://redd.it/1p3rlkq
@r_systemadmin
DRAM Prices - lol WTF?
You guys seeing this? I know it's slightly off topic of sysadmin stuff, but we do upgrade some systems with 1 year EOL left, take them from 16GB to 32GB just to get them through their final year in service before RPL.
So I decided to look up the RAM kit I bought for my personal setup. A few days ago, I paid $219.99 at Best Buy. (Solid RAM, low timings BTW.)
2 days ago it was $679.99 and today... well... today it's $906.99... yep, for 2x32GB DDR5 6400.
This isn't 3rd party, it's retail at BestBuy - https://www.bestbuy.com/product/corsair-vengeance-rgb-64gb-2x32gb-ddr5-6400mhz-c32-udimm-desktop-memory-black/J39QHTC43T
Newegg also: https://www.newegg.com/corsair-vengeance-rgb-64gb-ddr5-6400-cas-latency-cl32-desktop-memory-black/p/N82E16820982255
Price Charts: https://pcpartpicker.com/trends/price/memory/
https://redd.it/1p3sbrq
@r_systemadmin
Is there any DLP that’s designed specifically for AI applications?
What I mean is checking at the prompt level by not just blocking but semantically assessing the prompt against policies (e.g. no PII, relevance, etc.) before letting it through
https://redd.it/1p3t826
@r_systemadmin
What's the point of having VLAN tagging functionality for server management port (IPMI)?
To my knowledge, unless a port is a shared port (used by hypervisor), vlan tagging should be done on the switch, not by the node itself (IPMI).
My workplace Supermicro server has the functionality to VLAN tag the traffic going out of the IPMI port.
Why does this functionality exist? What is the use for it?
https://redd.it/1p3t47c
@r_systemadmin
Azure File Shares now support kerberos for entra only in preview
https://learn.microsoft.com/en-us/fslogix/how-to-configure-profile-container-entra-id-hybrid?pivots=hybrid-identities
I'm currently running an AVD setup using the Nerdio storage key injection workaround, and so far so good. Mostly for Intune only computers to run Remote Apps, a few teams use privileged desktops, like for database access.
With AVD you can schedule your session hosts to allocate off and on as needed. Same with things like Azure SQL or other back end systems.
I know everyone has their thoughts on cloud, but this basically means that SMBs don't need to run anything 24/7. Your entire infrastructure can allocate on and off on demand or schedule. If you're a 9-5 company this might mean pausing compute for 50% of the year. On-prem is a hard sell over that capability.
I guess the last big hurdle is SMB shares. Not sure we will see an Entra-only workaround for that any time soon, but Entra DS is not so bad if SMB is your only requirement.
https://redd.it/1p3voik
@r_systemadmin
WHFB + FIDO2 - looking at SCRIL
Users have an issued FIDO2 security key. They use this key to register WHFB and setup a 6 digit pin for WHFB (Cloud Kerberos trust).
Some users on shared workstations will use the FIDO2 key to avoid the (10) machine limit.
They are no longer using their password with Windows or mobile, and no 3rd-party apps require the use of their password.
Sadly almost all machines are still hybrid joined, but going forward they will be Entra-only.
I want to start rolling out SCRIL and fine-grained passwords but had some questions:
1. Can you still use LAPS with SCRIL? For UAC prompts?
2. Are you changing users' passwords before turning on SCRIL? If so, do the users see anything different during login when this happens?
3. Once fine-grained passwords are configured and SCRIL is enabled, do users see anything on their end as these policies take effect?
Thanks in Advance!
https://redd.it/1p3xub4
@r_systemadmin
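An added example, not code from the original post: a pilot-group SCRIL rollout with a fine-grained password policy, written for the ActiveDirectory module. The group name SCRIL-Pilot and the PSO name PSO-PasswordlessUsers are hypothetical. It also shows the check a practitioner wants before flipping the flag: whether the domain rolls the random secret on SCRIL accounts by itself, or only when the flag is toggled.

```powershell
# Added example (not from the original post): pilot-group SCRIL rollout with a
# fine-grained password policy (PSO). Hypothetical names: group "SCRIL-Pilot",
# PSO "PSO-PasswordlessUsers". Run from a host with the ActiveDirectory module.
Import-Module ActiveDirectory

$pilotGroup = 'SCRIL-Pilot'
$psoName    = 'PSO-PasswordlessUsers'

# 1. Does the domain roll the secret on SCRIL accounts automatically?
#    msDS-ExpirePasswordsOnSmartCardOnlyAccounts (Server 2016 DFL and later) makes the DC
#    regenerate the random password when it expires under the PSO below. Without it,
#    the hash only changes when SCRIL is toggled off and back on.
$domainDn = (Get-ADDomain).DistinguishedName
$rolling  = (Get-ADObject $domainDn -Properties 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts').'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
"Rolling NTLM secrets for SCRIL accounts: $rolling"

# 2. PSO for the pilot group: the DC sets a long random secret that nobody types,
#    so the policy can be strict and the rotation short. Lowest precedence wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 20 `
        -MaxPasswordAge (New-TimeSpan -Days 30) -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 -LockoutThreshold 10 -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $pilotGroup
}

# 3. Enable SCRIL per user. Setting the flag makes the DC replace the password with a
#    random value, so any password the user still remembers stops working at that moment.
$users = Get-ADGroupMember $pilotGroup -Recursive | Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired, PasswordLastSet
foreach ($u in $users) {
    if (-not $u.SmartcardLogonRequired) {
        Set-ADUser $u -SmartcardLogonRequired $true -WhatIf   # remove -WhatIf to apply
    }
}

# 4. Verification: PasswordLastSet moves forward when SCRIL is set, and
#    msDS-ResultantPSO should name the PSO above, not the default domain policy.
Get-ADGroupMember $pilotGroup -Recursive | Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired, PasswordLastSet, msDS-ResultantPSO |
    Select-Object SamAccountName, SmartcardLogonRequired, PasswordLastSet, msDS-ResultantPSO |
    Format-Table -AutoSize
```

Two caveats worth keeping in mind while piloting: SCRIL is a flag on the user object, while Windows LAPS manages the password of a local account on each device, so UAC elevation with the LAPS-managed local Administrator is unaffected by the user's SCRIL state; and anything that still authenticates with the user's password (legacy apps, RADIUS/PEAP-MSCHAPv2 Wi-Fi, NTLM to non-domain hosts) breaks at step 3, which is why the -WhatIf and a small pilot group come first.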
Do you content filter guest WiFi?
We have guest WiFi that a few thousand random users use per day.
How do you filter it? We want to allow low on-boarding friction to provide a good user experience, but the high-friction methods provide better filtering. We are legally supposed to filter out certain types of porn and other illegal sites, where I work, but the law is slightly ambiguous on how strong-armed the filtering has to be, so most entities have taken the stance of "best effort."
What we have done:
1. At the IP level, we have blocked the top 30 or so public resolvers (Google, Cloudflare, Quad9, etc.).
2. Heavily filtered sites in the DNS resolver we provide to clients via DHCP.
3. Used some of Palo Alto's IP lists to block some sites at the IP level if there is 1:1 relationship (this does not do much these days, admittedly).
Are there any other best-effort things I have forgotten to do?
https://redd.it/1p3yzfz
@r_systemadmin
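An added example, not code from the original post: a classifier that runs a set of outbound guest-WiFi flows through a DNS-egress policy and shows the three bypasses that plain resolver-IP blocking misses (plain DNS to a resolver outside the top-30 list, DNS-over-TLS on 853, and DNS-over-HTTPS hiding inside 443). The flow records are constructed for the demonstration; the resolver address and the DoH host list are hypothetical placeholders.

```powershell
# Added example (not from the original post): classify outbound guest-WiFi flows against a
# DNS-egress policy. Flow records are constructed; the resolver address and the DoH host
# list are hypothetical placeholders for your own.
$Policy = @{
    AllowedResolvers = @('10.250.0.53')    # the filtered resolver handed out by DHCP
    DohHosts         = @('dns.google', 'cloudflare-dns.com', 'dns.quad9.net', 'doh.opendns.com')
}

function Test-GuestDnsEgress {
    param([Parameter(Mandatory)][object[]]$Flows, [Parameter(Mandatory)][hashtable]$Policy)
    foreach ($f in $Flows) {
        $verdict = if ($f.DstPort -eq 53 -and $f.DstIp -in $Policy.AllowedResolvers) { 'allow' }
            elseif ($f.DstPort -eq 53)  { 'redirect: plain DNS to a foreign resolver, DNAT it to ours' }
            elseif ($f.DstPort -eq 853) { 'block: DNS-over-TLS bypasses the resolver filter' }
            elseif ($f.DstPort -eq 443 -and $f.Sni -in $Policy.DohHosts) { 'block: DNS-over-HTTPS endpoint (matched by SNI)' }
            elseif ($f.DstPort -eq 443 -and -not $f.Sni) { 'review: TLS without readable SNI (ECH or raw IP), not classifiable' }
            else { 'allow' }
        [pscustomobject]@{ Src = $f.SrcIp; Dst = "$($f.DstIp):$($f.DstPort)"; Sni = $f.Sni; Verdict = $verdict }
    }
}

# Constructed flows: one client using our resolver, one with a hard-coded public resolver,
# one DoT client, one DoH client, and ordinary HTTPS.
$flows = @(
    [pscustomobject]@{ SrcIp = '172.16.40.21'; DstIp = '10.250.0.53';    DstPort = 53;  Sni = $null }
    [pscustomobject]@{ SrcIp = '172.16.40.21'; DstIp = '8.8.8.8';        DstPort = 53;  Sni = $null }
    [pscustomobject]@{ SrcIp = '172.16.40.88'; DstIp = '1.1.1.1';        DstPort = 853; Sni = $null }
    [pscustomobject]@{ SrcIp = '172.16.40.88'; DstIp = '104.16.248.249'; DstPort = 443; Sni = 'cloudflare-dns.com' }
    [pscustomobject]@{ SrcIp = '172.16.40.90'; DstIp = '93.184.216.34';  DstPort = 443; Sni = 'example.com' }
)
Test-GuestDnsEgress -Flows $flows -Policy $Policy | Format-Table -AutoSize
```

The firewall equivalents of these verdicts: DNAT all outbound UDP/TCP 53 to your own resolver rather than dropping it (hard-coded clients keep working, through your filter), drop 853 outright, and treat the SNI list as best effort, since it misses private DoH servers and Encrypted Client Hello. Two resolver-side measures help with browser auto-upgrade: Firefox disables its DoH default when your resolver answers NXDOMAIN for the canary name use-application-dns.net, and Chrome and Windows only auto-upgrade to DoH when the configured resolver is itself a known DoH provider, which your DHCP-advertised resolver is not.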
Why aren’t more companies feeding their internal docs/code into an internal RAG system?
One of the first things I thought of when ChatGPT went mainstream was what if it actually knew our internal docs?
I recently built a system that feeds our team’s wikis, docs, and code into a vector DB for RAG queries, and the feedback has been great. Next we’re planning to use it as the foundation for an agent that helps with ops.
What’s the reason your team hasn’t done this yet?
https://redd.it/1p42jsz
@r_systemadmin
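An added example, not code from the original post, showing the check most RAG pilots skip: retrieval that filters on the caller's group membership before ranking, so the answer never draws on a document the user could not open in the wiki or repo itself. The document store, the groups and the keyword scorer are constructed stand-ins for a vector database and an embedding model.

```powershell
# Added example (not from the original post): permission-aware retrieval.
# $Documents, the group names and Get-Score are constructed stand-ins for a
# vector store with ACL metadata and an embedding similarity function.
$Documents = @(
    [pscustomobject]@{ Id = 'wiki/onboarding';     AllowedGroups = @('All-Staff');             Text = 'how to request a laptop and set up MFA' }
    [pscustomobject]@{ Id = 'wiki/break-glass';    AllowedGroups = @('IT-Admins');             Text = 'break glass account password location and rotation' }
    [pscustomobject]@{ Id = 'repo/payroll-export'; AllowedGroups = @('Finance', 'IT-Admins'); Text = 'payroll export script with the bank API key' }
)

function Get-Score([string]$Query, [string]$Text) {
    # Stand-in for cosine similarity over embeddings: fraction of query terms found in the text.
    $terms = @($Query.ToLower() -split '\W+' | Where-Object { $_ })
    $hits  = @($terms | Where-Object { $Text.ToLower() -match [regex]::Escape($_) })
    if ($terms.Count) { $hits.Count / $terms.Count } else { 0 }
}

function Search-Docs {
    param([Parameter(Mandatory)][string]$Query, [Parameter(Mandatory)][string[]]$UserGroups, [int]$Top = 3)
    # ACL filter first (before ranking), so a high-scoring chunk can never surface a
    # document the caller is not allowed to read. The group list must come from the
    # identity provider per request, not from the prompt.
    $visible = $Documents | Where-Object { @($_.AllowedGroups | Where-Object { $_ -in $UserGroups }).Count -gt 0 }
    $visible | ForEach-Object { [pscustomobject]@{ Id = $_.Id; Score = (Get-Score $Query $_.Text) } } |
        Where-Object Score -gt 0 | Sort-Object Score -Descending | Select-Object -First $Top
}

# A staff member asking about the break-glass password gets nothing: the only matching
# document is outside their ACL. An IT admin gets it (plus a weak hit on the payroll script).
Search-Docs -Query 'where is the break glass password' -UserGroups 'All-Staff'
Search-Docs -Query 'where is the break glass password' -UserGroups 'All-Staff', 'IT-Admins'
```

The ACLs have to be copied from the source system at ingestion and re-synced when they change there; a store that indexes everything under the ingestion service's own credentials has already lost this information. The other hazard, instructions embedded in ingested pages reaching an agent that runs ops commands, is not addressed by this filter at all and needs its own controls before the agent step.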
mariadb vs mysql
We run both of these, seemingly at random and we need to pick one and standardize. Which do you run and why?
https://redd.it/1p4bunv
@r_systemadmin
Stepping back
Not even sure why I'm posting this other than I don't have anyone else to rant to.
I've been in IT since 1988. Got my start in the dealer channel back when there was such a thing. Been with a non profit for the last 15 years and I'm just burned out. I've watched things go down the tubes since Covid. Quality of the people being hired has gone down the toilet (talking about "regular" staff, not IT. Shit... I am IT except for the CTO.)
Currently putting out resumes for a lower level desk side support to help desk position. Don't give a shit about pay cuts. Just need to get through the next few years till I can file for SS.
The only reason I don't call it quits tomorrow is because my wife needs health insurance. I can get covered through the VA. She can't and she's not old enough to get medicare yet.
I used to love what I do. Now I'm just disgusted with the level of stupidity, apathy, and lack of respect for our profession that seems to permeate my company.
Thanks for listening to this old jarhead rant.
https://redd.it/1p4d5ev
@r_systemadmin
Ahhh Hell Nah - Copilot Authoring PowerShell Core
Copilot is not only authoring commits, but whole PRs on the PowerShell Engine:
- https://github.com/PowerShell/PowerShell/pull/26443
https://redd.it/1p4drh9
@r_systemadmin
GitHub
Replace manual temp directory creation with New-TempFolder helper by Copilot · Pull Request #26443 · PowerShell/PowerShell
PR Summary
Eliminates code duplication in New-MacOsDistributionPackage by replacing manual temp directory creation with the existing New-TempFolder helper function.
PR Context
The New-MacOsDistribu...
What makes a good sysadmin?
What do I have to do and need to know to be a sysadmin? I'm currently still new to the IT field, but I know I want to be a sysadmin one day, but I don't think I fully know what it takes.
https://redd.it/1p4dptn
@r_systemadmin
What’s your guys top Christmas wishlist items?
Looking for inspiration for this holiday season.
Looking for something cool/useful for both work and play. I feel like the cool tech of the last couple of decades is slow and boring now.
Looking for some cool fun tech! That’s also useful potentially.
https://redd.it/1p4dvb4
@r_systemadmin
IT ops and sysadmins. What would your ideal office include?
A rare chance has come up. I am planning the layout for a brand new space for our IT team of 18 that we will move into next year. What features, amenities, and tools do you wish your office had? I am also toying with a small decompress corner using a modular floor sofa that can switch from quick huddle seating to a short rest between imaging cycles https://adorncroft.com/product/french-daybed-sofa-evan/?utm_source=reddit&utm_medium=social&utm_campaign=product&utm_content=sysadmin
I am after ideas that are useful for the business and for quality of life.
Context. We image and service about 1,700 rugged field tablets for first responders, so devices cycle through the room often. Suggestions that account for staging, charging, and repair flow are very welcome.
https://redd.it/1p4gh1k
@r_systemadmin
Recovery partition keeps reappearing in File Explorer after removing drive letter - tried everything
I have a 1GB recovery partition on my Windows laptop that keeps getting assigned a drive letter (D:) and showing up in File Explorer every time I restart, even after I remove the drive letter.
**What I've tried so far:**
1. **Removed drive letter via Disk Management** - comes back after restart
2. **Changed partition type ID via DiskPart:**
   set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
3. **Set GPT attributes:**
   gpt attributes=0x8000000000000001
4. **Both methods combined** - still reappears after restart
**My setup:**
* Disk 0: 476.92 GB
* Partition 1: 100 MB EFI System
* Partition 2: 16 MB Reserved
* Partition 3: 475 GB Primary (C:)
* Partition 4: 1024 MB Recovery (keeps showing as D:)
Has anyone else dealt with this? What am I missing? I want this recovery partition to stay hidden permanently.
https://redd.it/1p4p8mu
@r_systemadmin
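An added example, not code from the original post: the same two changes done from PowerShell's Storage module, plus the two checks that tell you whether the partition table is actually being rewritten between reboots or a letter is merely being assigned to an otherwise correct partition. Disk 0 / partition 4 follow the layout in the post.

```powershell
# Added example (not from the original post): inspect, set and record the attributes of
# the recovery partition. Disk 0 / partition 4 match the post's layout; adjust as needed.
# Run elevated.
$disk = 0; $part = 4

function Get-RecoveryPartitionState {
    param([int]$DiskNumber, [int]$PartitionNumber)
    Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber |
        Select-Object PartitionNumber, GptType, IsHidden, NoDefaultDriveLetter, DriveLetter, AccessPaths
}

'Before:'; Get-RecoveryPartitionState $disk $part

# Drop any drive-letter access path the partition currently has.
$p = Get-Partition -DiskNumber $disk -PartitionNumber $part
foreach ($ap in @($p.AccessPaths | Where-Object { $_ -match '^[A-Za-z]:\\$' })) {
    Remove-PartitionAccessPath -DiskNumber $disk -PartitionNumber $part -AccessPath $ap
}

# GptType {de94bba4-...} is the Microsoft recovery partition type (the diskpart "set id").
# The diskpart attribute mask 0x8000000000000001 is bit 63 (no default drive letter) plus
# bit 0 (platform required); IsHidden is a separate bit, 0x4000000000000000.
Set-Partition -DiskNumber $disk -PartitionNumber $part -GptType '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'
Set-Partition -DiskNumber $disk -PartitionNumber $part -NoDefaultDriveLetter $true -IsHidden $true

'After:'; Get-RecoveryPartitionState $disk $part

# Check 1: which partition does WinRE actually live on? If reagentc points at a different
# partition or reports it disabled, this 1 GB partition is not the active recovery environment.
reagentc.exe /info

# Check 2: save the state, then compare after the next reboot with Import-Clixml. If GptType
# or the two flags have reverted, something is rewriting the partition table (OEM recovery or
# backup agents are the usual suspects); if they are intact but a letter is back, look at
# what is mounting the volume (mountvol, vendor tools) rather than at diskpart.
Get-RecoveryPartitionState $disk $part | Export-Clixml "$env:ProgramData\recovery-partition-state.xml"
```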
Services Running on Administrator Accounts
Hi,
I found multiple Windows services in production that are running using the DOMAIN\Administrator account. I know this is not recommended, but I want to understand the correct and secure way to fix this issue. What is the proper method to replace these high-privileged accounts with a safer alternative, especially in environments with SQL servers and other critical applications?
Also, how should this be tested properly before applying in production, and what are the common problems or breakages that can happen when changing service accounts from Domain Admin to restricted accounts? If anyone has best practices or real examples from enterprise environments, please share.
Thank you.
https://redd.it/1p4hjj9
@r_systemadmin
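An added example, not code from the original post: an inventory of services bound to Domain Admin accounts across a list of hosts, followed by the move of one service to a group managed service account (gMSA), which is the standard replacement because the DC generates and rotates its password and only the listed hosts can retrieve it. The names used (hosts SRV-APP01 and SRV-SQL01, service AppSvc, gMSA gmsa-app01, group GMSA-App01-Hosts, domain CORP / corp.example) are hypothetical. The reason the inventory matters beyond "not recommended": a service account's password sits in the LSA secrets of every host it runs on, so any local admin (or anyone who reads that host's registry hive offline) holds Domain Admin.

```powershell
# Added example (not from the original post): find services running as Domain Admins,
# then rebind one service to a gMSA. Hypothetical names throughout: hosts SRV-APP01 /
# SRV-SQL01, service AppSvc, gMSA gmsa-app01, host group GMSA-App01-Hosts, domain CORP.
Import-Module ActiveDirectory

# 1. Inventory. A service runs as a domain account when StartName is DOMAIN\user or user@domain.
#    The built-in Administrator is a member of Domain Admins, so DOMAIN\Administrator is flagged.
$netbios      = (Get-ADDomain).NetBIOSName
$domainAdmins = (Get-ADGroupMember 'Domain Admins' -Recursive).SamAccountName
$hosts        = 'SRV-APP01', 'SRV-SQL01'

$findings = foreach ($h in $hosts) {
    Get-CimInstance Win32_Service -ComputerName $h | ForEach-Object {
        $sam = $null
        if ($_.StartName -like "$netbios\*") { $sam = ($_.StartName -split '\\')[-1] }
        elseif ($_.StartName -like '*@*')    { $sam = ($_.StartName -split '@')[0] }
        if ($sam) {
            [pscustomobject]@{
                Host = $h; Service = $_.Name; StartName = $_.StartName
                State = $_.State; PathName = $_.PathName
                DomainAdmin = $sam -in $domainAdmins
            }
        }
    }
}
$findings | Where-Object DomainAdmin | Format-Table Host, Service, StartName, State -AutoSize

# 2. Replacement identity. Add-KdsRootKey is a one-time forest step; with -EffectiveImmediately
#    the key still takes 10 hours to be usable on every DC. Only members of the host group
#    can retrieve the gMSA password, so the secret never exists on a host that does not need it.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
New-ADGroup -Name 'GMSA-App01-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'GMSA-App01-Hosts' -Members 'SRV-APP01$'
New-ADServiceAccount -Name 'gmsa-app01' -DNSHostName 'gmsa-app01.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'GMSA-App01-Hosts' -Enabled $true

# 3. On the host, after a reboot so its Kerberos ticket carries the new group membership:
#    install the account, prove the host can fetch the password, rebind the service.
#    An empty password tells the SCM to fetch it from AD. sc.exe does not grant
#    "Log on as a service" (services.msc does), so grant it by GPO first or the start fails with 1069.
Invoke-Command -ComputerName 'SRV-APP01' -ScriptBlock {
    Install-ADServiceAccount -Identity 'gmsa-app01'
    if (-not (Test-ADServiceAccount -Identity 'gmsa-app01')) { throw 'host cannot retrieve the gMSA password' }
    sc.exe --% config AppSvc obj= CORP\gmsa-app01$ password= ""
    Restart-Service -Name AppSvc
    Get-CimInstance Win32_Service -Filter "Name='AppSvc'" | Select-Object Name, StartName, State
}
```

What usually breaks, and therefore what to test in a staging copy first: Kerberos SPNs registered on the old account (setspn -L DOMAIN\Administrator) have to move to the gMSA; NTFS, share, registry and DCOM permissions the old account had implicitly as an administrator have to be granted explicitly; and scheduled tasks or linked servers that reuse the same credential fail separately. SQL Server is the special case named in the post: change its service account through SQL Server Configuration Manager (or SMO), never sc.exe or services.msc, because Configuration Manager also fixes the ACLs and SPNs the engine needs, and it accepts a gMSA directly. Finally, rebinding does not remove the old password from the hosts' LSA secrets, so rotate the Administrator password once the last service has moved.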
The Coverup
Trillion dollar company.
Mid level managers covering up the true cause of major outage that I discovered and fixed.
While these guys are yelling to restore major infra I’m doing packet captures showing the culprit.
I make a change, problem resolved.
The root cause of 3 major outages has now been caused by 1 guy who is careless and protected by mid level managers. No one even remembers that I fixed these outages and how no one else in any team would be capable of finding it. VPs have no idea. I’m simply telling the truth not saying I’m a God of troubleshooting. But these guys I work with are click ops cowboys who can barely type cmd.exe
Mid level managers are not telling the true root cause to anyone. As I said, they have forgotten, as always, that I found the root cause and fixed the mother clucker. They have the memory of a guinea pig.
Now VPs want meetings on how we’re going to have to spend to horizontally scale to fix the fake narrative. So I have to spend the weekend building PowerPoint fake narrative solution.
My conscience and dignity are worth more. But I certainly cannot quit.
Don't y'all just hate the cluster of VPs who are NEVER around until a problem occurs.
I respect these VP guys who we keep in the dark nonetheless but what a dumb reality that they are nowhere near the trench warfare and day to day but will inject themselves into the crisis with sudden urgency.
If I expose the cover-up I am toast. I fantasize about sending a confidential email but that is a nuclear bomb I’m avoiding.
Happy to be employed but god these stupid fucks all around just suck major ass.
Funny seeing young people posting here everyday asking about the road to high paying IT jobs.
Don’t fucking do it. Do everything you can to go to law school. Do not do IT. Stop and turn around. Unless you are an extraordinary high achiever stay the fuck away.
Graybeard in Hell.
https://redd.it/1p4ko0z
@r_systemadmin
How green am I?
I think what I'm looking to learn from this is where my current experience would normally land me on the totem pole in a larger company. I'm not quite 30 and currently work at a hardware startup of about 25 people. I have a degree in physics, started out at this company a few years ago as a mechanical engineer and machinist because of my hobbies, and now for about 6 months I've been the sole IT guy because we needed it and I have experience from my homelab. I have no certs in literally anything. That being said, here's what I've done and currently do:
* Set up and administer Microsoft 365 tenant across Teams, Exchange, Entra, Intune, SharePoint, etc. I recently migrated a bunch of legacy systems using ForensiT Profwiz, and set up a process to enroll new devices using Autopilot. Currently rolling out MAM for personal devices and doing the slow grind of getting all devices compliant so I can implement conditional access policies
* Purchased and installed some Supermicro servers for Proxmox and Truenas with replication between our two locations and a cloud storage provider, and put the rest of the rack together (UPS, switches, environmental sensor, etc)
* Set up backups for all the things. i.e. Cubebackup for Sharepoint, Urbackup for certain windows and linux devices. Trying to reduce cloud reliance (lol) and single points of failure
* Gutted our awful Eero routers and set up Unifi networking and protect equipment. Made vlans to segregate staff, servers, local services, and PLCs. Set up our security cams, will probably set up Unifi access equipment soon
* Spin up and administer all of our local services like Grafana, Vaultwarden, aforementioned backups, Nextcloud, Bookstack - in Debian VMs in Proxmox, with scheduled backups to Proxmox Backup Server. Much ansible going on here
* In the process of evaluating traditional vs overlay VPNs like Tailscale/Netbird, evaluating SIEM/XDR like Wazuh, rolling out Admin by Request, working on a presentation to push Knowbe4 phishing prevention training (has been an issue...), and writing company policy for stuff like AI use, remote access, break glass accounts, privilege management, etc
I feel like I've kind of been speed running stuff because we started from zero lol. My only real management experience comes from training and managing a jr CNC mill programmer. Because I've not been "in the industry", if I were to go to a theoretical new employer with this information, I don't even know where I land or what position I'd want to ask for.
EDIT: I should also mention a few more items:
* I have a homelab, a 3-node Proxmox cluster, which runs a lot of my self hosted services like Nextcloud, Immich, Home Assistant, etc. I have high availability set up with ZFS replication, and I've played around with Ceph.
* I've got some Traefik reverse proxies set up for both local DNS and externally exposing certain services with valid certs, and using Crowdsec to ban IPs. I'm keeping any service that doesn't NEED to be external, internal, and certain services like uptime-kuma are on a VPS. I was using Pihole as a dhcp server when we had the Eero router, but have since switched to Unifi.
* I have our backup strategies and dataflows mapped out using draw.io and Bookstack, along with any other information that shouldn't live only in my brain.
https://redd.it/1p4nz9l
@r_systemadmin
What's the next step for you guys?
Just curious. What's next for you guys? Systems engineer, something else, or are you comfortable where you are?
https://redd.it/1p4u3j0
@r_systemadmin
Users receiving Microsoft MFA SMS code when they did not initiate a login
Hi everyone!
I have two users over the past 4 days who have received Microsoft MFA SMS codes, but they did not attempt any Microsoft login during the time the codes came in. The codes also came from the same number that authentic text codes come from. I had the two users change their password the first time it occurred, just to be safe in case a bad actor had their login credentials, and I signed the users out of all sessions through the 365 admin portal in case the bad actor had the users' session tokens, but last night one of the users received another SMS code. I looked all through Entra in sign-in logs, audit logs, Multifactor Authentication Activity... but can't find anything during the time the codes came in!
I tested another account to see if a sign-in log appears in Entra if a user gets to the MFA prompt when signing into Microsoft but does not know the code or types in a bad code, but nothing appeared in the logs.
Is there another place I should be looking? Could this just be SMS spoofing sending the code to the users?
Thanks!
EDIT: Guys.. I think I found the issue. Entra Admin Center > Authentication Methods > Policies > SMS > "Use for sign-in" is check marked.... users were probably part of a Microsoft phone number login spray attack. When logging into Microsoft with a phone number "instead of email" it sends an SMS code to the user's phone to sign in.
I am going to confirm with my team on Monday and at least get that check marked off if not get SMS MFA turned off and have Authenticator app be the primary like mentioned in comments below.
Thanks for all your help everyone!
https://redd.it/1p4ryu4
@r_systemadmin
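The setting the poster found is exposed in Microsoft Graph as the `isUsableForSignIn` flag on each include target of the SMS authentication method configuration. The script below is an added example (not the poster's, and not a Microsoft-provided script) that audits that flag across the tenant and, with `-Remediate`, clears it so SMS stays available only as a second factor. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in admin can consent to `Policy.ReadWrite.AuthenticationMethod`; the function names and the `-Remediate` switch are this example's own.

```powershell
# Added example: audit and optionally turn off "Use for sign-in" on the SMS
# authentication method via Microsoft Graph. Not from the original post.
# Assumes Microsoft.Graph.Authentication; function names and the -Remediate
# switch are this example's own.
param([switch]$Remediate)

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms'

function Get-SmsSignInTargets {
    # Returns one row per include target, showing whether SMS may be used as
    # a primary sign-in method (the "Use for sign-in" checkbox) for that target.
    $cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
    Write-Host "SMS method state: $($cfg.state)"
    foreach ($t in $cfg.includeTargets) {
        [pscustomobject]@{
            Target          = $t.id          # 'all_users' or a group object id
            TargetType      = $t.targetType
            UsableForSignIn = [bool]$t.isUsableForSignIn
        }
    }
}

function Disable-SmsSignIn {
    # Keeps SMS enabled for MFA but clears isUsableForSignIn on every target.
    # PATCH replaces the whole includeTargets collection, so rebuild it fully.
    $cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
    $targets = @(foreach ($t in $cfg.includeTargets) {
        @{
            id                     = $t.id
            targetType             = $t.targetType
            isRegistrationRequired = [bool]$t.isRegistrationRequired
            isUsableForSignIn      = $false
        }
    })
    $body = @{
        '@odata.type'  = '#microsoft.graph.smsAuthenticationMethodConfiguration'
        includeTargets = $targets
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

$targets = Get-SmsSignInTargets
$targets | Format-Table -AutoSize

$exposed = @($targets | Where-Object UsableForSignIn)
if ($exposed.Count -gt 0) {
    Write-Warning "SMS is usable for primary sign-in on $($exposed.Count) target(s); a sign-in attempt using a user's phone number will send them an SMS code without any password check."
}
if ($Remediate -and $exposed.Count -gt 0) {
    Disable-SmsSignIn
    Write-Host 'isUsableForSignIn cleared on all SMS targets; SMS remains available as a second factor.'
}
```

Run it once without `-Remediate` to see the current state, then with `-Remediate` after your change board agrees. Because phone-number sign-in attempts that never get past the SMS prompt do not produce a normal interactive sign-in entry, this policy check is the quickest way to explain the "codes with no matching sign-in log" symptom described above; moving users to the Authenticator app and disabling the SMS method entirely, as the poster's edit suggests, is the stronger end state.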