Keeping Meraki for switches but using Ubiquiti for wireless APs?
We are currently a 100% Meraki shop, with about (15) 48-port switches and about (60) inside and outside APs. Everything is working fine, but I need to save some money in the coming year.
To save on annual licensing costs, we have seriously considered switching from Meraki to something else -- anything else. However, we are stomaching the licensing costs for the switches better than we are for the APs, so as a compromise, we thought about:
* **Switches**: remain on Meraki
* **APs**: switch to Uniquiti
All of our ACLs/firewalls are done on the switches, not the APs. The main "one-off" things I can think of that we do with wireless APs:
* We have 2 "standard" SSIDs for all APs: one secured with WPA 3; one for that is wide-open for guests. One goes to one VLAN and the other goes to another VLAN.
* We have 1 SSID that is provided by only 4 APs; it's used for a sound/PA system; it has no internet access
So:
* Is it true that, for a commercial area, Ubiquiti's APs have tended to work better and be more reliable than their switches?
* Can you think of anything I have forgotten?
* How much money would you bet that I will regret doing this?
https://redd.it/1pt83tg
@r_systemadmin
We are currently a 100% Meraki shop, with about (15) 48-port switches and about (60) inside and outside APs. Everything is working fine, but I need to save some money in the coming year.
To save on annual licensing costs, we have seriously considered switching from Meraki to something else -- anything else. However, we are stomaching the licensing costs for the switches better than we are for the APs, so as a compromise, we thought about:
* **Switches**: remain on Meraki
* **APs**: switch to Uniquiti
All of our ACLs/firewalls are done on the switches, not the APs. The main "one-off" things I can think of that we do with wireless APs:
* We have 2 "standard" SSIDs for all APs: one secured with WPA 3; one for that is wide-open for guests. One goes to one VLAN and the other goes to another VLAN.
* We have 1 SSID that is provided by only 4 APs; it's used for a sound/PA system; it has no internet access
So:
* Is it true that, for a commercial area, Ubiquiti's APs have tended to work better and be more reliable than their switches?
* Can you think of anything I have forgotten?
* How much money would you bet that I will regret doing this?
https://redd.it/1pt83tg
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Remote Sysadmins, what's your go to headset for meetings?
My Plantronics Voyager UC 2 went to the farm upstate after it fell off my head while I was trying to corral a dog.
Work gives me a wired one but I cannot stand it, I hate being wired to the PC and after a month the cable already looks like one long twizzler.
I use Teams and sometimes Amazon Connect as well.
https://redd.it/1ptgz71
@r_systemadmin
My Plantronics Voyager UC 2 went to the farm upstate after it fell off my head while I was trying to corral a dog.
Work gives me a wired one but I cannot stand it, I hate being wired to the PC and after a month the cable already looks like one long twizzler.
I use Teams and sometimes Amazon Connect as well.
https://redd.it/1ptgz71
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Best practice for AD CS certificate templates requiring custom Subject Name without introducing security vulnerabilities
Hi Experts,
In AD CS certificate templates, there are certain scenarios where the Subject Name must be supplied in the request (for example, to include specific organizational details such as Organization, OU, or a custom CN).
However, enabling **“Supply in the request”** for the Subject Name is commonly flagged by security assessment tools (e.g., ESC1/ESC4-related findings) because it can allow abuse if permissions are weak or misconfigured.
When a business or application genuinely requires a custom Subject Name in an AD CS certificate template:
* What are the recommended best practices to implement this securely?
* How can this requirement be met without introducing AD CS vulnerabilities?
* Are safer alternatives commonly used,??
Thanks in Advance
https://redd.it/1ptktpf
@r_systemadmin
Hi Experts,
In AD CS certificate templates, there are certain scenarios where the Subject Name must be supplied in the request (for example, to include specific organizational details such as Organization, OU, or a custom CN).
However, enabling **“Supply in the request”** for the Subject Name is commonly flagged by security assessment tools (e.g., ESC1/ESC4-related findings) because it can allow abuse if permissions are weak or misconfigured.
When a business or application genuinely requires a custom Subject Name in an AD CS certificate template:
* What are the recommended best practices to implement this securely?
* How can this requirement be met without introducing AD CS vulnerabilities?
* Are safer alternatives commonly used,??
Thanks in Advance
https://redd.it/1ptktpf
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
compliance audits taking weeks to prepare is killing me and I don't know how to fix it
Our SOC 2 audit is coming up in 6 weeks and I'm already having stress dreams about it, last year it took me and one part-timer basically a whole month of nights and weekends to pull together all the evidence and documentation, and we still got dinged on stuff we thought we had covered, and it's making me feel really unprofessional and I very much fear I'm gonna lose my job especially in the current market.... so how do you guys make sure you haven't dropped anything?
https://redd.it/1ptnc81
@r_systemadmin
Our SOC 2 audit is coming up in 6 weeks and I'm already having stress dreams about it, last year it took me and one part-timer basically a whole month of nights and weekends to pull together all the evidence and documentation, and we still got dinged on stuff we thought we had covered, and it's making me feel really unprofessional and I very much fear I'm gonna lose my job especially in the current market.... so how do you guys make sure you haven't dropped anything?
https://redd.it/1ptnc81
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
PaperCut MF Scan to SharePoint/OneDrive Broken - something went wrong sending your scan
We have been using PaperCut MF Scan to SharePoint for about 12 months - has worked perfectly. We have had a few new starters who also needed to scan and when we showed them how to do it they kept getting an error:
Something went wrong sending your scan
PaperCut MF has been trying to upload your scanned file to SharePoint Online
|Unfortunately something went wrong when trying to access SharePoint Online. Please try scanning again or contact your system administrator if the problem continues.|
|:-|
After hours of troubleshooting, it seems to be following a recent change to the way users have to provide delegated consent to Enterprise Apps within Microsoft Entra it is now broken.
The official PaperCut guidance says this
https://www.papercut.com/kb/PaperCutPocketHive/ScanToCloudAuthorization/
https://www.papercut.com/help/manuals/ng-mf/applicationserver/users-receive-need-admin-approval-error-with-scan-to-onedrive-for-business/
The issue seems to be that Microsoft now does not allow delegated user consent to Sites.ReadWrite.All which is required by PaperCut.
Our tenant used to be set the same as shown in the PaperCut guidance - "Allow user consent for apps" and this permission was granted without issue.
But since Microsoft made their change that option has changed to "Let Microsoft manage your consent settings (Recommended)"
And the Microsoft help says this:
The setting labeled "Let Microsoft manage your consent settings," the Microsoft managed policy, will update with Microsoft's latest recommended default consent settings. This is also the default for a new tenant. The setting's rules are currently: End users can consent for any user consentable delegated permissions EXCEPT:
https://learn.microsoft.com/en-gb/entra/identity/enterprise-apps/manage-app-consent-policies?pivots=ms-graph#microsoft-recommended-current-settings
So what can we do to fix it or does PaperCut need to change something in their product in response to the Microsoft change?
I have a ticket logged with PaperCut but no resolution yet.
https://redd.it/1ptohzq
@r_systemadmin
We have been using PaperCut MF Scan to SharePoint for about 12 months - has worked perfectly. We have had a few new starters who also needed to scan and when we showed them how to do it they kept getting an error:
Something went wrong sending your scan
PaperCut MF has been trying to upload your scanned file to SharePoint Online
|Unfortunately something went wrong when trying to access SharePoint Online. Please try scanning again or contact your system administrator if the problem continues.|
|:-|
After hours of troubleshooting, it seems to be following a recent change to the way users have to provide delegated consent to Enterprise Apps within Microsoft Entra it is now broken.
The official PaperCut guidance says this
https://www.papercut.com/kb/PaperCutPocketHive/ScanToCloudAuthorization/
https://www.papercut.com/help/manuals/ng-mf/applicationserver/users-receive-need-admin-approval-error-with-scan-to-onedrive-for-business/
The issue seems to be that Microsoft now does not allow delegated user consent to Sites.ReadWrite.All which is required by PaperCut.
Our tenant used to be set the same as shown in the PaperCut guidance - "Allow user consent for apps" and this permission was granted without issue.
But since Microsoft made their change that option has changed to "Let Microsoft manage your consent settings (Recommended)"
And the Microsoft help says this:
The setting labeled "Let Microsoft manage your consent settings," the Microsoft managed policy, will update with Microsoft's latest recommended default consent settings. This is also the default for a new tenant. The setting's rules are currently: End users can consent for any user consentable delegated permissions EXCEPT:
Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All, `Mail.Read`, Mail.ReadWrite, Mail.ReadBasic, Mail.Read.Shared, Mail.ReadBasic.Shared, Mail.ReadWrite.Shared, `MailboxItem.Read`, `Calendars.Read`, Calendars.ReadBasic, Calendars.ReadWrite, Calendars.Read.Shared, Calendars.ReadBasic.Shared, Calendars.ReadWrite.Shared, `Chat.Read`, Chat.ReadWrite, ChannelMessage.Read.All, `OnlineMeetings.Read`, OnlineMeetings.ReadWrite, OnlineMeetingTrannoscript.Read.All, OnlineMeetingsRecording.Read.All. Updates to this consent policy will have at least 30 days of given notice.https://learn.microsoft.com/en-gb/entra/identity/enterprise-apps/manage-app-consent-policies?pivots=ms-graph#microsoft-recommended-current-settings
So what can we do to fix it or does PaperCut need to change something in their product in response to the Microsoft change?
I have a ticket logged with PaperCut but no resolution yet.
https://redd.it/1ptohzq
@r_systemadmin
PaperCut
Users receive "Need admin approval" error with Scan to OneDrive for Business
Explains the procedure for how to grant consent for users to use Scans for PaperCut MF.
2026 motivational help rant
I've been working in IT for almost 22 years, Im a sysadmin / netadmin / security guy + jack of all traide "The IT guy" at a mid-sized business. Im married with two children 17 and 22. I have somthing that most people would want. To much time on my hands. I work probaly 5:30AM - 4:00 daily, unless somthing is blowing up. So after work I have from 4:00 - 10:00 typiclly ill cook dinner if wife isnt home from work yet but aside from that. Its either doom scrolling on tiktok, watching movies or being bored out of my mind. I'm not a big reader because I just cannot focus on it my ADHD sucks all the focus away during the work day. My kids are busy in there own lives both work and are with friends or boyfriends. My wife is in her own world (shes the best but going through menopause and scares me right now. ). I dont have allot of extra money to go out and spend on random hobies but I need to get back to the gym and do somthing in life other than IT, but even if I go to the gym for an hour a day that still leave 4 - 5 hours of nothing. Im not complaining about the free time I know allot of people out there have no free time. My point to this whole rant is what do yall do to keep yourself in shape (currentlly not in shape) or keep your mind sharpt, hobbies or keep yourslelf busy. I feel like im going through a mid-life crisus and want to get it under control lol before its to late.
Thanks in advance.
https://redd.it/1ptt8y9
@r_systemadmin
I've been working in IT for almost 22 years, Im a sysadmin / netadmin / security guy + jack of all traide "The IT guy" at a mid-sized business. Im married with two children 17 and 22. I have somthing that most people would want. To much time on my hands. I work probaly 5:30AM - 4:00 daily, unless somthing is blowing up. So after work I have from 4:00 - 10:00 typiclly ill cook dinner if wife isnt home from work yet but aside from that. Its either doom scrolling on tiktok, watching movies or being bored out of my mind. I'm not a big reader because I just cannot focus on it my ADHD sucks all the focus away during the work day. My kids are busy in there own lives both work and are with friends or boyfriends. My wife is in her own world (shes the best but going through menopause and scares me right now. ). I dont have allot of extra money to go out and spend on random hobies but I need to get back to the gym and do somthing in life other than IT, but even if I go to the gym for an hour a day that still leave 4 - 5 hours of nothing. Im not complaining about the free time I know allot of people out there have no free time. My point to this whole rant is what do yall do to keep yourself in shape (currentlly not in shape) or keep your mind sharpt, hobbies or keep yourslelf busy. I feel like im going through a mid-life crisus and want to get it under control lol before its to late.
Thanks in advance.
https://redd.it/1ptt8y9
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
I'm considering leaving my first IT position but I have conflicting feelings about leaving my mentor.
4-ish years at a small MSP. Hired on while the company was in the single digit employee count.
My mentor is great and I'm not worried about him surviving without me or anything, I just know that I have a lot more to learn.
How do you know it's time to move on and how did you feel about separating from your first mentor, especially if it was your choice?
https://redd.it/1ptuqkj
@r_systemadmin
4-ish years at a small MSP. Hired on while the company was in the single digit employee count.
My mentor is great and I'm not worried about him surviving without me or anything, I just know that I have a lot more to learn.
How do you know it's time to move on and how did you feel about separating from your first mentor, especially if it was your choice?
https://redd.it/1ptuqkj
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Linux x509 computer certificate
I have experiment for a few days and have no idea where to look for a solution.
My situation:
Our organization is using at the moment 2 internal domains and 2 seperate network domain, one of them we want to discontinue.
One domein is using radius configuration using a computer certificate and the other domain is using simple VLAN configuration on the switch ports.
For linux the VLAN configuration was working fine but now i need to create an computer certificate for the linux machine to use x509 authentication.
The problem i have is that I need to sign the csr to our windows certificate template specially for the network.
The csr must include the DNS name from the alternate subject name. My csr does include the subject alternative name, FQDN. But when i try to sign the csr with my template i get the error:
The DNS name is unavailible and cannot be added to the Subject Alternative name.
The computer is added to our domain and the hostname is resolvable.
All device that are connected for the first time only use MAC authentication, just to add the asset to the domain and install all the policies, after that it need a certificate to use the network.
Can some one help me or give any direction were to look.
Just in case, i can not change any settings in the template and windows computers are working fine.
Maby i forgot an important thing to write down because have searched for hours to find a solution.
https://redd.it/1ptt274
@r_systemadmin
I have experiment for a few days and have no idea where to look for a solution.
My situation:
Our organization is using at the moment 2 internal domains and 2 seperate network domain, one of them we want to discontinue.
One domein is using radius configuration using a computer certificate and the other domain is using simple VLAN configuration on the switch ports.
For linux the VLAN configuration was working fine but now i need to create an computer certificate for the linux machine to use x509 authentication.
The problem i have is that I need to sign the csr to our windows certificate template specially for the network.
The csr must include the DNS name from the alternate subject name. My csr does include the subject alternative name, FQDN. But when i try to sign the csr with my template i get the error:
The DNS name is unavailible and cannot be added to the Subject Alternative name.
The computer is added to our domain and the hostname is resolvable.
All device that are connected for the first time only use MAC authentication, just to add the asset to the domain and install all the policies, after that it need a certificate to use the network.
Can some one help me or give any direction were to look.
Just in case, i can not change any settings in the template and windows computers are working fine.
Maby i forgot an important thing to write down because have searched for hours to find a solution.
https://redd.it/1ptt274
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Primary Domain Controller Hardware failure - How to Restore
Our primary and sole HP Proliant DL165 domain controller had a hardware failure and is not turning back on. It's an old server so HP does not want to support it. We were in the process of replacing the server with new Dell servers as our primary and backup DC's. Unfortunately there were no AD backups performed other than the shares. Is it possible to stand up another DC? What would be the negatives in doing so?
Thanks!
https://redd.it/1ptw6at
@r_systemadmin
Our primary and sole HP Proliant DL165 domain controller had a hardware failure and is not turning back on. It's an old server so HP does not want to support it. We were in the process of replacing the server with new Dell servers as our primary and backup DC's. Unfortunately there were no AD backups performed other than the shares. Is it possible to stand up another DC? What would be the negatives in doing so?
Thanks!
https://redd.it/1ptw6at
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
ConnectWise ScreenConnect - Down
And there goes ScreenConnect - https://downdetector.com/status/connectwise/
Nothing yet on their official status page, but it's happening.
Details:
Admin page available: https://cloud.screenconnect.com/ and shows instance online
Server Instance IPs: Unable to ping
HTTPS: ERR_CONNECTION_TIMED_OUT
**UPDATE 1** - Status page posting: https://status.connectwise.com/pages/incident/619cf82551fec9053d612f09/694ab8abf5a1430583c5382f
**UPDATE 2**
As noted by Not\_Revan this appeared to be an emergency power issue at OVH as shown here \- Their last update is - "Power to VIN0120D row has been restored. Servers are powered back up. Datacenter Team is ensuring that all hosts have been brought back online." and my instance is back online and functional as of 12:10PM EST.
https://redd.it/1ptx0lt
@r_systemadmin
And there goes ScreenConnect - https://downdetector.com/status/connectwise/
Nothing yet on their official status page, but it's happening.
Details:
Admin page available: https://cloud.screenconnect.com/ and shows instance online
Server Instance IPs: Unable to ping
HTTPS: ERR_CONNECTION_TIMED_OUT
**UPDATE 1** - Status page posting: https://status.connectwise.com/pages/incident/619cf82551fec9053d612f09/694ab8abf5a1430583c5382f
**UPDATE 2**
As noted by Not\_Revan this appeared to be an emergency power issue at OVH as shown here \- Their last update is - "Power to VIN0120D row has been restored. Servers are powered back up. Datacenter Team is ensuring that all hosts have been brought back online." and my instance is back online and functional as of 12:10PM EST.
https://redd.it/1ptx0lt
@r_systemadmin
downdetector.com
Connectwise down? Current problems and outages |
Real-time problems and outages for ConnectWise. Is the server down? Can't conenct to remote desktop? Here you see what is going on.
Tracking ticket resolution metrics what really matters??
We’re trying to set up dashboards to see how fast IT requests are handled. What do you use? what metrics do you actually pay attention to?
https://redd.it/1ptsxqt
@r_systemadmin
We’re trying to set up dashboards to see how fast IT requests are handled. What do you use? what metrics do you actually pay attention to?
https://redd.it/1ptsxqt
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
How to Recreate Builtin Group Administrators (S-1-5-32-544)
On 2 servers i had strange problems with run as administrator
It turned out that the local group Administrators probably was deleted and recreated and now had a normal SID S-1-5-21-*
I tried several thing to recreate it including secedit
Deleted local group Administrators
Reboot
But still the localgroup Administrators just does not get the built in SID.
Anyone knows how to recreate it. I found nothing about this on the internet
https://redd.it/1ptzury
@r_systemadmin
On 2 servers i had strange problems with run as administrator
It turned out that the local group Administrators probably was deleted and recreated and now had a normal SID S-1-5-21-*
I tried several thing to recreate it including secedit
Deleted local group Administrators
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verboseReboot
But still the localgroup Administrators just does not get the built in SID.
Anyone knows how to recreate it. I found nothing about this on the internet
https://redd.it/1ptzury
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Local Admin vs. SYSTEM - Any difference in risk?
I'm looking at two different patch management solutions that seem to have different approach to how it installs (from what I can tell).
Any thoughts? Any meaningful difference in risk?
Product 1: It's a full RMM. Installs as "System" - and there's really no additional information beyond that (that I can tell) from the publicly available docs.
Product 2: It's a dedicated patch management platform. They use a service account - that has:
Read-only access to the Active Directory domain.
Logon as a service right on the local computer. The installer will attempt to automatically grant this right to the specified account.
Membership in the local Administrators group on the server where the Deployer service resides. You can add a dedicated domain account to local Administrators groups manually.
Membership in the local Administrators group on all of your managed endpoints. You can add a dedicated domain account to local Administrators groups manually, with a noscript, or via Group Policy.
And the credentials are encrypted and stored locally for Product 2. Product 1 is devoid of any additional information.
https://redd.it/1pu3d64
@r_systemadmin
I'm looking at two different patch management solutions that seem to have different approach to how it installs (from what I can tell).
Any thoughts? Any meaningful difference in risk?
Product 1: It's a full RMM. Installs as "System" - and there's really no additional information beyond that (that I can tell) from the publicly available docs.
Product 2: It's a dedicated patch management platform. They use a service account - that has:
Read-only access to the Active Directory domain.
Logon as a service right on the local computer. The installer will attempt to automatically grant this right to the specified account.
Membership in the local Administrators group on the server where the Deployer service resides. You can add a dedicated domain account to local Administrators groups manually.
Membership in the local Administrators group on all of your managed endpoints. You can add a dedicated domain account to local Administrators groups manually, with a noscript, or via Group Policy.
And the credentials are encrypted and stored locally for Product 2. Product 1 is devoid of any additional information.
https://redd.it/1pu3d64
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Best practice for MFA on local admin accounts on network gear?
Our cybersecurity auditors want us to implement MFA for all local accounts on all our network gear, including routers. While that's relatively easy to do, it does make me wonder how we're supposed to get in if something goes wrong? If our router at our main office loses its WAN connection, for example, how will I be able to log into it and fix it if it can't send an MFA code or communicate with a third party identity provider?
Any known way to get around this? We have a Palo Alto, from what I can see the only supported options for MFA for local accounts are either third party online providers like Okta or Duo, or getting one of those on-prem RSA SecurID appliances, which are call-us-for-a-quote levels of expensive. Maybe that's my only option, but I wanted to check to make sure I'm not missing something.
EDIT: Specifically I'm wondering what happens if someone breaks something, like if one my coworkers edits a firewall rule poorly and blocks WAN access. Or if an update breaks something and needs to be rolled back. I don't want to be locked out of logging in and fixing it because it can't text me code due to the problem I'm trying to fix in the fist place.
https://redd.it/1pu597z
@r_systemadmin
Our cybersecurity auditors want us to implement MFA for all local accounts on all our network gear, including routers. While that's relatively easy to do, it does make me wonder how we're supposed to get in if something goes wrong? If our router at our main office loses its WAN connection, for example, how will I be able to log into it and fix it if it can't send an MFA code or communicate with a third party identity provider?
Any known way to get around this? We have a Palo Alto, from what I can see the only supported options for MFA for local accounts are either third party online providers like Okta or Duo, or getting one of those on-prem RSA SecurID appliances, which are call-us-for-a-quote levels of expensive. Maybe that's my only option, but I wanted to check to make sure I'm not missing something.
EDIT: Specifically I'm wondering what happens if someone breaks something, like if one my coworkers edits a firewall rule poorly and blocks WAN access. Or if an update breaks something and needs to be rolled back. I don't want to be locked out of logging in and fixing it because it can't text me code due to the problem I'm trying to fix in the fist place.
https://redd.it/1pu597z
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
"Just connect the LLM to internal data" - senior leadership said
Hey everyone,
I work at a company where there’s been a lot of pressure lately to connect an LLM to our internal data. You know how it goes, Business wants it yesterday. Nobody wants to be the one slowing things down.
A few people raised concerns along the way. I was one of them. I said that sooner or later someone would end up seeing the contents of files with sensitive stuff, without even realizing it was there – not because anyone was snooping, just overly permissive access that nobody noticed or cared enough to fix.
The response was basically – "we hear you." And that was it.
Fast forward to last week. Someone from a dev team asked the LLM a completely normal question, something like – can you summarize what’s been going on with X over the last couple of weeks?
What they got back wasn’t just a dev-side summary. Around the same time, legal was also dealing with issues related to X – and that surfaced too. Apparently, those files lived under legal, but the access around them was way more open than anyone realized.
It got shared inside the team, then forwarded, and suddenly people from completely unrelated teams were talking about a legal issue most of us didn’t even know existed – and now everyone is talking about it.
What’s driving me insane is that none of this feels surprising. I’m worried this is just the first version of this story. HR. Legal. Audits. Compensation. Pick your poison.
Genuinely curious – is this happening in other companies too? Have you seen similar things once LLMs get wired into internal data, or were we just careless in how this was connected?
https://redd.it/1pu79cx
@r_systemadmin
Hey everyone,
I work at a company where there’s been a lot of pressure lately to connect an LLM to our internal data. You know how it goes, Business wants it yesterday. Nobody wants to be the one slowing things down.
A few people raised concerns along the way. I was one of them. I said that sooner or later someone would end up seeing the contents of files with sensitive stuff, without even realizing it was there – not because anyone was snooping, just overly permissive access that nobody noticed or cared enough to fix.
The response was basically – "we hear you." And that was it.
Fast forward to last week. Someone from a dev team asked the LLM a completely normal question, something like – can you summarize what’s been going on with X over the last couple of weeks?
What they got back wasn’t just a dev-side summary. Around the same time, legal was also dealing with issues related to X – and that surfaced too. Apparently, those files lived under legal, but the access around them was way more open than anyone realized.
It got shared inside the team, then forwarded, and suddenly people from completely unrelated teams were talking about a legal issue most of us didn’t even know existed – and now everyone is talking about it.
What’s driving me insane is that none of this feels surprising. I’m worried this is just the first version of this story. HR. Legal. Audits. Compensation. Pick your poison.
Genuinely curious – is this happening in other companies too? Have you seen similar things once LLMs get wired into internal data, or were we just careless in how this was connected?
https://redd.it/1pu79cx
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Anyone else been getting threatening letters from Broadcom?
Hi all
Just wanted to see if Broadcom has been sending you guys hate mail on VMware licensing? We purchased perpetual copies of VMWare 7 back in the day, then renewed to subnoscription (you were forced to) now they are trying to say that version 7 somehow transferred into their subnoscription model.
News flash is that we never upgraded to version 8 and now off of their shitty product thankfully.
https://redd.it/1pu7upy
@r_systemadmin
Hi all
Just wanted to see if Broadcom has been sending you guys hate mail on VMware licensing? We purchased perpetual copies of VMWare 7 back in the day, then renewed to subnoscription (you were forced to) now they are trying to say that version 7 somehow transferred into their subnoscription model.
News flash is that we never upgraded to version 8 and now off of their shitty product thankfully.
https://redd.it/1pu7upy
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
VMware to Hyper-V, Cease and Desist
Wow.... what a ride it has been. We started the process of migrating about 100 virtual servers across three vSphere clusters to Hyper-V clusters back in August. Finally shut down the last ESXi host a few weeks ago. Our licenses expired on December 20th and today, the 23rd, a cease and desist from Broadcom landed in my inbox. Gladly signed the form stating I've removed the product and sent it back.
To any other sysadmins dealing with this right now, stay strong! Onward to Hyper-V!
Or Proxmox ;)
https://redd.it/1pua2o8
@r_systemadmin
Wow.... what a ride it has been. We started the process of migrating about 100 virtual servers across three vSphere clusters to Hyper-V clusters back in August. Finally shut down the last ESXi host a few weeks ago. Our licenses expired on December 20th and today, the 23rd, a cease and desist from Broadcom landed in my inbox. Gladly signed the form stating I've removed the product and sent it back.
To any other sysadmins dealing with this right now, stay strong! Onward to Hyper-V!
Or Proxmox ;)
https://redd.it/1pua2o8
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Preparing for the VMware VVF/VCF renewal? Watch out for the Core Floor and vSAN TiB math.
Hey folks,
I’ve been deep in the weeds auditing our clusters for the upcoming 2025 VMware renewal. Now that we’re moving from perpetual sockets to the Broadcom subnoscription model (VVF/VCF), there are two specific "gotchas" I’ve run into that can seriously mess up a budget if you aren't careful.
1. The 16-Core Minimum "Floor" Broadcom requires a minimum of 16 cores per physical CPU. If you’re running older hardware with dual 8-core or 12-core chips, you are still billed for 32 cores per host. This "ghost cost" is a major OpEx jump for smaller environments that were previously socket-heavy.
2. The vSAN Ennoscriptment Gap The difference in storage ennoscriptments between the tiers is massive:
VVF: Includes 100GiB per licensed core.
VCF: Includes 2TiB per licensed core. If you have high storage density but low core counts, the "Add-on TiB" SKUs for VVF can actually make the full VCF stack cheaper.
How I’m Auditing This: Don't rely on manual counts. Use PowerShell 7 (PS 5.1 throws too many errors with the modern modules) and the Broadcom audit noscript.
I've built a logic map and a web estimator to help my team visualize the "VVF + Add-on" vs. "VCF" break-even point. I'm happy to share the link or the raw logic if anyone is currently stuck in spreadsheet hell trying to justify these numbers to their CFO.
Curious if anyone else has found a "sweet spot" for core-to-storage ratios that makes VVF still make sense on larger clusters?
https://redd.it/1pua2ay
@r_systemadmin
Hey folks,
I’ve been deep in the weeds auditing our clusters for the upcoming 2025 VMware renewal. Now that we’re moving from perpetual sockets to the Broadcom subnoscription model (VVF/VCF), there are two specific "gotchas" I’ve run into that can seriously mess up a budget if you aren't careful.
1. The 16-Core Minimum "Floor" Broadcom requires a minimum of 16 cores per physical CPU. If you’re running older hardware with dual 8-core or 12-core chips, you are still billed for 32 cores per host. This "ghost cost" is a major OpEx jump for smaller environments that were previously socket-heavy.
2. The vSAN Ennoscriptment Gap The difference in storage ennoscriptments between the tiers is massive:
VVF: Includes 100GiB per licensed core.
VCF: Includes 2TiB per licensed core. If you have high storage density but low core counts, the "Add-on TiB" SKUs for VVF can actually make the full VCF stack cheaper.
How I’m Auditing This: Don't rely on manual counts. Use PowerShell 7 (PS 5.1 throws too many errors with the modern modules) and the Broadcom audit noscript.
Get-FoundationCoreAndTiBUsage -DeploymentType VVF Get-FoundationCoreAndTiBUsage -DeploymentType VCFI've built a logic map and a web estimator to help my team visualize the "VVF + Add-on" vs. "VCF" break-even point. I'm happy to share the link or the raw logic if anyone is currently stuck in spreadsheet hell trying to justify these numbers to their CFO.
Curious if anyone else has found a "sweet spot" for core-to-storage ratios that makes VVF still make sense on larger clusters?
https://redd.it/1pua2ay
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
NTFS Permissions
Hoping someone has insight on this problem because it is not making any sense to me. I am trying to setup up permissions so that users cannot rename a folder. I disable inheritance, set the user group to read only for (this folder, subfolders, or files), and any user is able to rename the folder. If I change to (subfolders and files), then users are not allowed to rename but they also cannot open the folder. How is it then when I try to apply read permissions to (this folder), the user with these permissions applied can rename the folder?
https://redd.it/1pu6c50
@r_systemadmin
Hoping someone has insight on this problem because it is not making any sense to me. I am trying to setup up permissions so that users cannot rename a folder. I disable inheritance, set the user group to read only for (this folder, subfolders, or files), and any user is able to rename the folder. If I change to (subfolders and files), then users are not allowed to rename but they also cannot open the folder. How is it then when I try to apply read permissions to (this folder), the user with these permissions applied can rename the folder?
https://redd.it/1pu6c50
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
Is there any backup software option that hasn’t gone completely off the deep end with pricing?
Local Gov IT here, on the hunt for a new backup software for better visibility and Linux support. I have 5 VMs on a single HA host pair and 4 job-specific “servers”, each with <500GB data, and a Synology SAN with ~25TB total data. Primary backups are on-prem to a separate building on the same property as my MDF, plus weekly (soon to be twice-weekly) runs to removable drives which get stored off-site.
Talked with Acronis and Veeam, and they’ve both apparently lost all touch with reality and basic common sense. Apparently it somehow has become accepted practice to charge by total data capacity even for on-prem? Not sure how the software or support team is doing anything different for 10GB or 10PB, but the quotes I’m getting of $4k/year and up are just ridiculous. Our current software cost around $750 one-time with a 20% yearly maintenance and still works fine 6 years later. I’d glad keep it going except that I now need Linux backup which they don’t offer.
Are there any solid options that haven’t become extortionists in the SaaS price gouging frenzy?
https://redd.it/1pudr0h
@r_systemadmin
Local Gov IT here, on the hunt for a new backup software for better visibility and Linux support. I have 5 VMs on a single HA host pair and 4 job-specific “servers”, each with <500GB data, and a Synology SAN with ~25TB total data. Primary backups are on-prem to a separate building on the same property as my MDF, plus weekly (soon to be twice-weekly) runs to removable drives which get stored off-site.
Talked with Acronis and Veeam, and they’ve both apparently lost all touch with reality and basic common sense. Apparently it somehow has become accepted practice to charge by total data capacity even for on-prem? Not sure how the software or support team is doing anything different for 10GB or 10PB, but the quotes I’m getting of $4k/year and up are just ridiculous. Our current software cost around $750 one-time with a 20% yearly maintenance and still works fine 6 years later. I’d glad keep it going except that I now need Linux backup which they don’t offer.
Are there any solid options that haven’t become extortionists in the SaaS price gouging frenzy?
https://redd.it/1pudr0h
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
So what do you do when people won't listen to you?
What do you do when somebody comes to you with a problem and you try to explain it and they won't listen to your solution. And then they go and try their own idea which doesn't work it just makes me furious like why did you come to me in the first place and ignore my advice. Especially since I've been doing this years longer than you have
https://redd.it/1pue3n4
@r_systemadmin
What do you do when somebody comes to you with a problem and you try to explain it and they won't listen to your solution. And then they go and try their own idea which doesn't work it just makes me furious like why did you come to me in the first place and ignore my advice. Especially since I've been doing this years longer than you have
https://redd.it/1pue3n4
@r_systemadmin