/r/sysadmin

A reddit dedicated to the profession of Computer System Administration.



949,438 Subscribers

1

MFA options

Hi,

I need to implement MFA for an app. I have two options. The first one is to integrate it with Entra ID and use Entra to authenticate the login. The other option is to implement the built-in MFA feature in the app provided by the app vendor.

I have difficulty deciding which option is better for the long term. Could you share which option you go with for your apps and why?

Need help!

Thanks in advance!

0 Comments
2024/11/06
19:26 UTC

9

Fell asleep to Windows Server 2022, woke up on 2025.

I just got a nice Zabbix warning - "Operating system description has changed" - and thought, okay, might be an Ubuntu update, had that before. No big deal.

But no, 2022 updated to 2025. On 14 VMs. Unwanted.

I mean, I am going to roll back via backup, but... why even? How? Where did I go wrong?

I am second guessing all my life choices now.

6 Comments
2024/11/06
19:18 UTC

1

Thinking about teaching...

Anyone want to share some advice on that transition? Either K-12 or higher ed. I've been in various sysadmin/management roles for the last 26 years and I'm sick of the madness of keeping up on whatever new tech came out last week that someone needs me to have 2 years of experience with. Currently employed, not enjoying the place or the state I live in. Thinking about relocating and one constant (other than healthcare) seems to be teaching. Can almost always find a job somewhere teaching. Specializing in tech education might be a slight bonus, too.

I'm sure it'll be a pay cut but I know that some states have higher teacher salaries (I'm currently in one of the lowest teacher salary states) and might not be a horrible shock.

Anyone have advice or thoughts?

0 Comments
2024/11/06
19:04 UTC

0

How to restrict mouse usage for an employee on a 3rd monitor

I want to have an employee's 3rd monitor not be accessible by normal mouse usage. It will have daily tasks, weekly goals, KPIs rotating every few minutes and I don't want this monitor to be interactive for them as it will distract their workflow. I don't need to restrict the employee's usage of the monitor due to security reasons, but rather that I don't want them losing their mouse icon when doing their normal work on the 3rd screen; it will be annoying to them.

Is there a way to restrict the mouse from accessing this 3rd monitor? Is there a 'slideshow' program that allows rotating of browser tabs every few minutes?

23 Comments
2024/11/06
18:56 UTC

4

The effect DNS TTLs have on DKIM and SPF email authentication

If you're still on the fence about DNS TTLs and how they can affect DKIM or SPF evaluation and email delivery, here's why you shouldn't be.

See this timeline starting with extremely low TTLs on DKIM CNAME records in DNS, and the effect it has on receiver authentication validation.

In one graph, this shows the timeline for all DMARC reports not from Microsoft, from which we saw a very positive effect from increasing TTLs on DKIM CNAMEs, and their respective targets. The DKIM failures are almost negligible levels now with all receivers.

In the second, with Microsoft OLC and M365, the effect is not nearly as obvious, as they have a bug currently with how Windows DNS (which the Defender antispam and Outlook consumer services use) evaluates DKIM (and also SPF).

So, in general, you should have your DKIM/SPF records at least at 1 hour. If they don't change often, you can go even higher, to 6 hours, or even 24 hours. The non-Microsoft 24-hour TTL results from that timeline speak for themselves in terms of temperror reduction.

If you're curious about total volume in terms of numbers, this is based on 2.1 billion total direct (non-forwarded) emails in the last 90 days.

TL;DR For email authentication, more DNS cache = more better

2 Comments
2024/11/06
18:23 UTC
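As an added example (not code from the post above or from any DMARC reporting tool), here is a small Python walker over constructed DNS records that follows a DKIM selector's CNAME chain and reports the effective cache lifetime a validating receiver ends up with. The record names, TTLs and the truncated key material are all made up for illustration; the point it shows is that the chain's effective TTL is the shortest TTL on any hop, so a low-TTL CNAME at your own domain undoes a long TTL at the provider's target record.

```python
"""Walk a DKIM selector's CNAME chain and report the effective cache lifetime.

Constructed zone data stands in for live DNS so the example runs offline:
name -> (rrtype, rdata, ttl_seconds). Selector sel1 mirrors the common setup of
a short-TTL CNAME at the sender's domain pointing at a provider-hosted key.
"""

RECORDS = {
    "sel1._domainkey.example.com.":   ("CNAME", "sel1.dkim.mailprovider.example.", 60),
    "sel1.dkim.mailprovider.example.": ("CNAME", "sel1.keys.mailprovider.example.", 300),
    "sel1.keys.mailprovider.example.": ("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBg...", 3600),
    "sel2._domainkey.example.com.":   ("CNAME", "sel2.keys.mailprovider.example.", 86400),
    "sel2.keys.mailprovider.example.": ("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBg...", 86400),
    # Constructed misconfiguration: a CNAME pointing at itself.
    "loop._domainkey.example.com.":   ("CNAME", "loop._domainkey.example.com.", 60),
}

RECOMMENDED_MIN_TTL = 3600  # the post's floor: at least one hour


def resolve_dkim_chain(name, records, max_hops=8):
    """Follow CNAMEs from `name` until a TXT record is reached.

    Returns (hops, txt, effective_ttl): hops is a list of (name, rrtype, ttl),
    and effective_ttl is the shortest TTL along the chain, i.e. how long a
    resolver can answer the whole lookup from cache before it must re-query
    (and so be exposed again to a timeout that shows up as a DKIM temperror).
    """
    hops = []
    seen = set()
    current = name
    while True:
        if current in seen or len(hops) >= max_hops:
            raise ValueError(f"CNAME loop or too many hops at {current}")
        seen.add(current)
        rec = records.get(current)
        if rec is None:
            # A missing target is the offline stand-in for NXDOMAIN/timeout.
            raise LookupError(f"no record for {current}")
        rrtype, rdata, ttl = rec
        hops.append((current, rrtype, ttl))
        if rrtype == "CNAME":
            current = rdata
            continue
        if rrtype == "TXT":
            return hops, rdata, min(t for _, _, t in hops)
        raise ValueError(f"unexpected record type {rrtype} at {current}")


def is_dkim_key(txt):
    """Minimal sanity check that the terminal TXT looks like a DKIM key record."""
    parts = (p.strip() for p in txt.split(";"))
    tags = dict(kv.split("=", 1) for kv in parts if "=" in kv)
    return tags.get("v") == "DKIM1" and bool(tags.get("p"))


def check_selector(name, records):
    """Summarise one selector: effective TTL, key sanity, and hops below the floor."""
    hops, txt, eff = resolve_dkim_chain(name, records)
    short = [(n, t) for n, _, t in hops if t < RECOMMENDED_MIN_TTL]
    return {
        "effective_ttl": eff,
        "valid_key": is_dkim_key(txt),
        "short_ttl_hops": short,
        # Upper bound on full uncached lookups per day for a single resolver.
        "lookups_per_day": 86400 // eff,
    }


if __name__ == "__main__":
    for sel in ("sel1._domainkey.example.com.", "sel2._domainkey.example.com."):
        print(sel, check_selector(sel, RECORDS))
```

Running it shows sel1 capped at a 60-second effective TTL by its first hop despite the 3600-second key record, while sel2 is cached for a full day.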

4

Your opinion about my job

Hello there..

Five months ago I managed to escape Helpdesk and work in... a glorified helpdesk position.

I’m the IT responsible for everything regarding Primary in a British school. Sounds cool, right?

But here are the catches though:

This primary school is divided into three buildings; the central one is >100 m from the closest and >400 m from the furthest.

They all have shared desktops, “owned” laptops, shared iPads, “owned iPads”. We could be talking about around 400 devices, most of them are “owned iPads”.

Each building has its own network: firewalls, switches, APs, Ethernet cabling.

Until two weeks ago all shared computers were on AD. Now they are in intune.

——

In one building, the network is administered by Aruba. The others, meraki. All switches are meraki. But they were HP until two months ago.

The majority of the shared PCs are located in classrooms: they all have document viewer cameras, and smart boards. The document viewer cameras are of different brands. The smart boards are different generations with significant changes between them. Teachers from one building use app A for the smart boards because they feel like it, teachers from another building use app B for the same reason.

——

Regarding the migration of the shared PCs (>50 devices) from AD to Intune, I did this in all buildings manually in a week and a half (it was my window), and activated the OS. The policies to be applied through Intune were designed by an upper IT Tech in coordination with another technician that works on Secondary school, keeping me totally out of the conversation. Now all computers are missing smart board integration, Office, document viewer software, and who knows what else. While the Secondary tech, the upper IT Tech, and I work together diagnosing Office, I had to go to >50 PCs and manually install one of the apps (A/B) previously mentioned with a USB flash drive because making it available through the Company Portal required months of approval process and teachers needed the app to teach ASAP. I've been drowning in tickets and all staff are pissed with me.

——

Regarding administration of devices, until two weeks ago we also had AD, but now we don't (sadly..), with everything falling into Intune. But iPads are divided into shared, which are administered by Meraki, and "owned", which are administered in Jamf Pro.

——

User accounts are created in AD, in another country (we need to remote into it), and also on M365, and then a lot of other platforms depending on the Year that the student is attending.

——

Teacher accounts have a building assigned on M365 but it never gets updated and they get constantly relocated, so we need to open a physical access administration app to know where they really are in order to assign the tickets correctly.

———

I had to manually add to the ticketing system a total of 500 devices and assign them to their user.

——-

I had to manually check 90 iPad SN because one went missing and I was being blamed for it. A teacher had it for months and never told anyone about it.

——-

I’m sure I’m missing a lot more of stuff that happened in just five months.

By the way, all of this was partially explained to me in 9 days.

———

Am I crazy or do these people have no idea of what they're doing??

This is a nightmare for me, but I need the opinion of other professionals about this because I'm seriously considering quitting to keep my sanity. Am I just not good enough or is it impossible to thrive in these conditions??

8 Comments
2024/11/06
18:03 UTC

1

Wired Network Auth policy failing due to existing GPO

Cross posting as not sure if this fits in r/Intune since it has more to do with Group Policy, even though it's affecting Intune

TLDR; Without resetting AD-Joined Windows computers, how can I remove existing GPO policies from the computers, so all settings are purely managed by Intune?

Hey all, we just moved our computers from AD-Joined managed by a Third-Party tool to Hybrid-Joined managed by Intune. Our new computer deployments are Fully Azure-AD joined and managed fully by Intune, but we did not want to reset all 2000 devices so our existing computers are still Hybrid.

I am working on unlinking GPOs so we do not have conflicting policies, but we still have a handful of computers (20-40, not my assigned task) that have not migrated yet (changing service accounts for shared computers as some were not signing in with the right accounts that have Intune licenses) and some servers which will stay AD/GPO managed.

We are currently running into an issue with our Wired Network Auth policy in Intune on Hybrid joined computers. They are failing to get the policy, and from what I am seeing it is because there is an existing Wired Network Auth policy from GPO. We are moving from AD credential sign-ins to NPS to SCEP certificate sign-ins through a RADIUSaaS offering, so I need to get these resolved.

During our test migrations, we were able to resolve this by running the following Powershell command (Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy" -Recurse) to delete all GPOs from registry temporarily, allowing the Intune Policies to apply before the computer retrieved Group Policy again; however, now when I run that command the computers still show they have the wired profile from Group Policy (netsh lan show profiles) and they are still failing to apply the Intune policy.

For those interested, the error codes in Intune for the failed policy are 2016281112 and 0x87d1fde8

We have tried unlinking the GPO, but as we anticipated the computers did not remove the policy, even after a reboot. Copilot suggested creating a blank 802.1X GPO policy that will overwrite the existing policy, and that worked on my test computers when I excluded them from the old and applied them to the new, however, that still leaves a Wired Network profile, so still the same issue.

Without resetting all our computers, how can I remove existing GPO policies from the computers, so all settings are purely managed by Intune?

1 Comment
2024/11/06
17:42 UTC

0

The frustration when even family members don't listen to you

So my wife (once again) ignored my request that when she has any IT problems to ask me before she does anything... So now she is signed out of all her Apple products and can't log in. Backstory: She decided to change her last name to mine (so that she has the same name as I and our children), did all the paperwork but was annoyed about her Apple ID. So she decided to contact Apple support and agreed to have her signed out of every device. No alternative e-mail (luckily her phone number is registered). And now her iCloud ID is changed, but no way of resetting the password. And this happens with every family member/friend. I always ask them to just ask before doing anything stupid, and still EVERY SINGLE TIME: "Why didn't you just ask?" Other side: "Didn't want to bother, thought I could take care of it myself" Me: (screaming internally, SO YOU MADE A SIMPLE THING 3 TIMES HARDER AND NOW I NEED TO FIX IT!!!) Okay, we will fix it somehow.

Am I alone with this problem? Sorry for the rant, just tired of this happening again and again.

EDIT: She could just have asked me for help on changing the name. And I would have helped her. Her homepage got locked up because she did x changes and I had to help her get it unlocked. She has locked several phones/computers because of changing passwords. Got almost scammed a couple of times into billing subscriptions. Etc. I love her but would really like it if she at least started to ask: How should I go about doing/changing xx thing?

24 Comments
2024/11/06
17:33 UTC

0

Excel/OneDrive Loses Data Consistently? Microsoft Doesn't Care.

A user at my org has been periodically having their Excel files lose hours or a full day of work. I have gone through with them how to press save before closing documents etc. and I am extremely confident they do that every time, but it keeps happening.

I have tried both OneDrive and SharePoint. Whenever the data is lost there is no version history, and when I check the auto recover folder it only has a .xlb file from the time they finished working.

I looked it up and it seems like people have been having this issue for years, but no comment from Microsoft and no fix.

Anyone have ideas on where to keep an excel file and how to make sure it does not lose progress?

Maybe a GPO controlled folder that saved a backup copy at every log off or shut down? That's the only thing I can think of. Clearly OneDrive is not stable enough for business use.

Edit: Love how everyone immediately jumps to user error. This has been a consistent issue, I have made sure they have OneDrive working and it works most of the time. IT IS A GLITCH.

I think it might be that we have Folder Redirection GPO set up in our environment, and that causes issues with OneDrive Offline Cache when the user is trying to edit documents that are in OneDrive.

35 Comments
2024/11/06
17:21 UTC

2

Secondary RDWeb/Gateway to existing installation

Just wondering if anyone has any insights into this...

I have an existing RDWeb setup that has worked well for years, running about 10 RDS systems behind the RDWeb/Gateway. It's running Duo for MFA, and all is good in the world with it. (Think of this as RDWeb1)

However I would like to add a secondary Web interface, as well as probably another Gateway to give a secondary path of access to specific users. (Think of this as RDWeb2)

The problem I have is that there are a handful of users that cannot run Duo (Don't ask, I get it. Due to "reasons" they can't use Duo. I've fought that fight, and it's beside the point), so I would like to set up RDWeb2 to allow access only for those specific users (which would be locked down at the firewall to specific IP addresses; they have static IPs so it's fine) and disallow access for those users into RDWeb1.

I'd rather not replicate the back-end RDS server config and just use the existing RDS pool, but I'm not sure it will be feasible.

I've been looking for information, but everything I'm finding is about adding Gateway/RDWeb for high availability... nothing that talks about segmenting access permissions between the systems.

Anyone have any pointers or possibly links?

PS. Everything is on-prem, not running Azure/Entra or anything like that.

3 Comments
2024/11/06
17:17 UTC

0

Adding Android personal-work device to Intune.

I am in Hybrid mode.

I have my android device (Samsung S24 Ultra) appearing in Entra as Entra Registered.

In Intune under Devices -> Enrollment restrictions -> Android I have it setup to block Android device administrator; and I have gone back and allowed that to test it.

Now from what I have seen online, people say all I have to do is set the device platform restriction for Android and I should be able to connect using the "Company Portal" Intune app and access the company Outlook etc. But when I install the application and log into it I do not get any extra screens; it just logs me in and takes me to the main screen with "Apps Devices Support" on the top of it. When I click View All I see nothing; when I search I see no apps.

When I tap DEVICES and go into "my android" it says "Your device does not meet (companyname) requirements to enrol and may not be able to gain access to some of (companyname) resources." I have looked high and low to see if there is anything directly tied to this comment and come up empty. When I drill into my phone itself in Entra I see no errors, or anything related.

My guess is I am missing a step or need to somehow import my phone from Entra into Intune which I haven't been able to find anything directly describing that.

Thanks,

0 Comments
2024/11/06
16:56 UTC

0

local CA with ACME capability

I need a local CA for internal certs. I'm considering building a cloud-init created VM to hold a local CA.

When I created a manual version of this a couple of years ago for a customer, I used Smallstep's community package. Since that time, Smallstep has put up a wall around their product offering and it feels like they are hiding their community package. I am reluctant to use Smallstep because I would be creating something that looks like it competes with their product offering.

Are there any other ACME capable CAs that are more open?

3 Comments
2024/11/06
16:51 UTC

31

Favorite esoteric ways to fix tech?

I’ve started to place our printers in a pentagram while reading from ancient tomes, the building shakes and the Maintenance team had heard complaints of blood dripping out of the walls, but man does this work! The goats are getting expensive though.

Anyone else have any tips and/or tricks?

42 Comments
2024/11/06
16:24 UTC

3

Blocking logon to AD disabled PCs that have credentials cached

So as the title says I am looking for a way to block users from signing in to a computer that is disabled in AD even if they previously used it and the system has their credentials cached locally.

Now for the long explanation of our processes: The primary tools I have at my disposal are PDQ and AD. We have 50+ locations spread out across the US. Sometimes we have a computer go missing at a remote site and we have policies in place for offline computers. We initially contact supervisors and such to try and find the machine but sometimes we are told it can't be found. Eventually it gets disabled in AD after some time and it gets reported as lost/destroyed company property against that location.

After it has been disabled in AD we remove it from PDQ because that is licensed per device and we can't keep paying for lost devices indefinitely. We do have a package that, while we are trying to track it down (and when we terminate a remote employee), sets the Windows cached credentials to zero and then restarts the PC. So if the computer powers on and connects to the internet between us starting the search for it and deleting it from PDQ, we can force it to use a connection to AD, and it also sits in an OU that only allows admins to log in.

The problem is a scenario we have seen and we are trying to 'fix'. A computer was reported lost. Eventually it gets deleted from PDQ and disabled in AD (eventually disabled PCs also get purged from AD after a much longer time). The person who had used it before it became 'lost' claims they just 'found' it in a closet and decided to use it. Since the laptop had their credentials cached they could log in to it. Since it was disabled in AD it wasn't allowed to connect to get a Group Policy update or anything. However since most tools these days are web based it worked for them for a very long time. Then suddenly they called our IT helpdesk about something and we discovered they had been using a disabled reported lost PC for a couple months.

I am trying to find a way to 'brick' a computer in this type of situation. My initial thought was some small script that runs on system startup and checks the last time it checked in with AD, and if that is greater than X days, set the logon cache to zero. This would be very similar to our PDQ script we push to remote laptops on employee termination. The problem I have is that I can't find anything to query that is local on the system to do this check. I know there is an AD field, and we use that when initially finding offline systems. But this script will need to run purely locally as it is disabled in AD and can't connect to the domain controller to query that. It could also be not on our physical network at the time if it is a laptop.

Has anybody done something like this before, tried to solve this issue, or know of something that can be checked that is stored on the local PC and doesn't require reaching out to some other system to discover if it has been unable to connect to AD for an extended period of time? My searches also seem to indicate there is no way to set a maximum age on cached credentials either.

5 Comments
2024/11/06
16:21 UTC

5

Replacing Nutanix with Proxmox - Storage Replacement?

We've been running a Nutanix cluster for about 7 years, we've pushed off replacing it with some mid-life memory upgrades but now we're feeling the age with the CPU, memory, and spinning drives so we're finally looking to upgrade.

We're looking to move away from Nutanix since the licensing seems to double at every renewal, and with the hardware we're looking at (All SSD, doubled storage/cores compared to the current cluster), we've been quoted licensing that costs 3 times as much as the hardware, and who knows what it will be in 3 years. We're not using a lot of the fancy features, but do like that it's at least one cohesive package.

The Nutanix environment is a 3 node cluster with an identical 3 nodes in a disaster recovery site in another city, which we replicate the primary cluster to using the built-in data protection feature. We also run free Proxmox on a couple smaller, simple clusters (Using built-in VM replication between nodes with local storage) and I quite like it, but of course one of the many differences between Proxmox and Nutanix is that Nutanix has all the fancy storage backend that handles replicating storage between nodes, dedupe, and replication to the DR site.

For us to consider Proxmox as a replacement for our primary clusters, I've been searching for a replacement for the storage component of Nutanix that will somewhat mirror our current setup, and so far I've found Starwind VSAN and tried out the free version on a few spare old machines, and it seems to do alright, but lacks the replication between clusters.

Is there another storage solution that would work for this? Should I look at VM-level replication with another tool like Veeam? SANs have been a blind spot for me since I've always assumed they're for huge orgs, but do standalone SANs make sense for relatively smaller environments (under 10TB of disk utilized, about 60 VMs)?

5 Comments
2024/11/06
16:17 UTC

2

GAL Showing Wrong Name for Previous Employees Email

I am not sure how exactly to search for this online, so I'm asking for help here. My org recently transitioned from Google Workspace to M365. We have aliases set up for a bunch of previous employees that are on their replacement's accounts. Now when we search using the email address of the previous employee, all it shows is the new employee's name.

So as an example bob@company.com left and was replaced with Molly@company.com. We made an alias on Molly's account that is bob@company.com, so if anyone emails Bob then Molly gets it and can handle the email. Now when someone types bob@company.com in the Outlook classic or Outlook web search box it auto populates Molly's name. Then when you hit enter all the results show Molly's name. So the only way to tell who the actual sender was is to look at the message details or see what the email signature says.

This makes sense, since our tenant wouldn't even know the name of the previous employee. This obviously confuses some of our folks. Is there a way to either set up the GAL with something so it ties those past employees' names to their email addresses, so when folks search it shows the name of the previous employee, or is there a way to set this so that when searching, email aliases show the email address in the results and not the name of the person with that alias?

3 Comments
2024/11/06
16:02 UTC

0

Frustrating repeat account lock outs - Any suggestions?

Hey,

I've got an issue that is causing me to pull my hair out a bit at the moment. This might be a bit of a long one, but want to make sure I've covered the environment, the issue and what we've done thus far.

I am working in an environment where we have a bit of a mixture of device types as we're currently in a transition phase of moving from the "old world" to the "new world".

We've got old devices running Windows 10 and connected traditionally to on-prem Active Directory. We then have a bunch of Windows 10 devices that are connected in hybrid mode with on-prem AD & cloud Entra... and then we have the problem children Windows 11 devices that are Entra joined only.

We are seemingly only having this problem on the Windows 11 Entra-joined devices, the other appear to be OK, so I'll focus on their setup specifically. It may be worth mentioning that they are Intune-managed & configured with Windows Hello and users primarily use a fingerprint reader for biometric login rather than manually entering their password.

We've got an issue where a fair few users are having issues with their AD accounts getting locked out, often pretty much instantly. We're finding that in most cases, but not all the time, there is a corresponding Event Viewer entry from LSA with event ID 40960 along the lines of:

The Security System detected an authentication error for the server SERVER-NAME. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been required. (0xc0000234)"

Where I say SERVER-NAME, the server listed here and the format it's listed in does vary from message to message. I've seen cases such as:

  • server-name$@domain.tld
  • server-name
  • cifs/server-name
  • cifs/server-name@domain.tld
  • cifs/cifs (This one is always the most helpful! /s)
  • HTTP/webmail.domain.tld

In some cases, the server-name is a domain controller... but in the majority of cases, the server-name is an on-prem print server that the user has printers mapped to.

For some cases, we've been able to simply remove the printers from the user's device and remap them to another server. We have 7 clustered print servers, so it's not like we're limited for choice... Sometimes this eliminates the problem entirely, sometimes it temporarily fixes it for a week or so, or in some cases, it doesn't make a blind bit of difference.

The most recent one I've been looking at, the logs were spammed with these print server entries... so I deleted the printers and tried to connect to a different print server. Insta-lockout when putting in a different print server name. Tried a third print server, insta-lockout. If I ignore printers entirely and attempt to open a mapped network share, it hesitates for a moment, locks out the account but weirdly just opens the share anyway. When this happens, we're usually greeted with 8x bad password attempts on the DC.

As part of testing, I've got a Windows Explorer window open and I'll unlock the account on the DC. Refresh it a few times (using LockoutStatus.exe for quick view) and prove it's still not locked for a minute or so... then double click a shared drive. Immediately refresh the account, 8x bad password attempts and a locked account. Instantly.

At this point, it appears to be firmly something to do with how it's authenticating with on-prem services. We do not appear to be having the same issue with AD-joined or hybrid AD/Entra devices... it's purely on the Entra-joined devices as far as I'm aware.

We have gone through the usual troubleshooting steps of checking the source of the account lockout (Definitely the user's W11 device), checking for cached passwords in credential manager (sometimes there are a handful, but we've cleared them out to no avail), checking the apps running on the device.

The thing that seems to be confusing me the most is that it appears that a cached credential is incorrect, or a token somewhere has expired so is getting rejected... but from what we can tell of cached passwords, there aren't any. Or if there are, clearing them out makes no difference whatsoever. I get the feeling I'm missing a cache somewhere.

We cannot seem to work out where the cached password is being pulled from, or why it's seemingly being rejected.

I'd normally suggest a profile rebuild at this point, but due to various internal political reasons that are above my paygrade & I've failed to argue against, we do not have the authority to do this... so the only option is to send a wipe via Intune & set the device up from scratch. Obviously, this works but is the most nuclear approach you could probably imagine for an issue like this so understandably, both the users and the support techs aren't particularly willing to use this as a long-term "solution".

So the question is, what do I do next? Any ideas on where I can start looking?

One theory that a colleague has popped up with, I'm not entirely convinced by but we're looking to explore is... fast boot. We've had a couple of other, unrelated issues that we've attributed to fast boot being enabled and due to further internal politics, we've not been able to turn it off despite tests proving it saves a whopping 12 seconds boot time on these specific devices..

The theory here is that, according to documentation, LSASS will store user credentials in memory and, from what I can tell, they can't be accessed or directly cleared (please correct me if I'm wrong, as I'd love to be able to clear it directly). With fast boot, shutting the machine down doesn't truly "shut down". It puts it into more of a hibernated state, so I get the feeling that memory is not necessarily getting cleared and therefore LSASS is not clearing its cache and eventually the tokens it holds are no longer valid... thus, major lockout spam.

The other theory here is, fast boot is disabled in Group Policy that both the W10 AD & hybrid joined devices are pulling down. The Entra devices are not pulling this policy down. This formed part of my argument to disable it, but you know, politics.

I've asked our first liners to try doing a proper restart of the machine, specifying that it should be a restart & not a shutdown, then power on again, to ensure a proper OS boot has occurred. So far, none of them are sure if this has ever been done and we know that users often don't understand that "Log Off", "Restart" and "Shut Down", then turn back on are doing three different things...

Does any of this theory make sense? Could fast boot be our problem? I don't know enough about LSASS to know if I'm barking up the wrong tree here, and don't know enough about the finer details of fast boot to know how LSASS and its memory cache are treated during fast boot.

I'm considering putting together a small unauthorised test with a particularly problem user to disable fast boot on their device and see what happens. If it turns out to be the issue, I'm hoping I can throw the problem ticket in the political fire as yet another reason we want to disable it.

So, yeah... that's my issue and my untested theories... Does anyone have any input into whether any of this makes sense? Anything I might have missed? Anyone had the same sort of issues in this scenario and how did you potentially solve them?

I'm pulling my hair out. Thankfully, I've got a lot of it... but come back in a week and I might not!

Thanks in advance!

1 Comment
2024/11/06
15:57 UTC

0

Intune - Multiple User - Kiosk mode

0 Comments
2024/11/06
15:47 UTC

0

Can’t retain skills that I don’t use enough.

How do you retain skills well enough to find a better job, that you don't use enough to retain? I have tried to learn Kubernetes and some cloud skills, but I don't use them enough to remember all of the important details, just in a small web lab I pay for. I know that people here swear that on-prem isn't dead, but it most definitely is dying and every corporation I'm interested in working for wants Kubernetes experience and extensive cloud skills. Maybe I'm just too stupid and not cut out for this anymore. Obviously no employer is going to hire someone and give them any time to train up.

31 Comments
2024/11/06
15:47 UTC

1

Server 2022 Network stuck on Identifying after reboot

A very weird issue that I can't seem to solve. We have roughly 40 Server 2022 VMs on a monthly reboot schedule. Anytime this reboot schedule goes off, there will be a few servers, completely at random, that will not properly reconnect to the network and get stuck on "Identifying", and the only fix is to either disable/re-enable the NIC or reboot the server.

I've created a Test server and attempted to replicate the issue but am unable to.

Looking through event viewer I thought that it had to do with NLA services and I tried applying the fixes in this article that seemed promising but they don't seem to work. It should be noted this does not happen with any of our 2019 or 2016 servers.

https://learn.microsoft.com/en-us/answers/questions/400385/network-location-awareness-not-detecting-domain-ne

If anyone has ever encountered this or has ANY suggestions, I'm all ears.

Thanks

9 Comments
2024/11/06
15:44 UTC

1

planning to separate accounts from AD only to AD + AZA accounts for Azure access (cloud only)

Hi everyone,

I'm looking for feedback from organizations that have moved from using traditional Active Directory (AD) identities to Azure-only cloud accounts (Azure AD Accounts - AZA) for cloud workloads. Specifically, if your teams ended up managing both AD and AZA identities, I'd love to hear about your experiences and any challenges you faced.

In particular, I'm curious about: Developer Experience: How did dev teams adapt to the change? Did they face challenges switching to AZA accounts for Azure / cloud workloads, especially if they still needed AD access, and how did this impact their workflows? Any issues with maintaining access to both on-prem and cloud resources?

Thanks!

0 Comments
2024/11/06
15:44 UTC

0

Bitwarden is less secure than Lastpass

Not a sysadmin but do work in the cybersecurity space. This post is sort of a rant and b!tch session but I wanted to illuminate a huge reason why bitwarden is less secure than lastpass. It FUCKING sucks to use! It's such a miserable user experience to use that writing down passwords on post-its is a superior technology to the user. Blah-blah... bUt wHat abOuT pOlicy?... wHaT aBoUt tHe SeCuriTy tRainIng?... yeah I get it, but what is the CISO going to do? Come to employees' desks in their homes (remote) and scold them for their passwords written everywhere?

The company I worked for switched over from lastpass, which was a joy to use, to bitwarden about a year ago after the 'incident' and it's sucked ever since.

bitwarden isn't nearly as seamless as lastpass

bitwarden doesn't update passwords well so the passwords that are in there are outdated or need to manually be updated

managing password collections for service accounts sucks compared to lastpass

sending secure files, notes, etc... all better with lastpass. I can't think of a single aspect that bitwarden does as well as, or better than, lastpass.

If I had to guess 20% of employees are using something else like a text file on their desktop or just hand writing it down. Lots of plaintext password sharing going around.

33 Comments
2024/11/06
15:21 UTC

2

RDS Server recommendation

Hi sysadmins, I will deploy a server for use with Microsoft Dynamics SL for work in a remote desktop environment.
Currently I have 4 VMs with Windows Server 2012 R2 with 18GB RAM each and 6 vCPUs of an E5-2630V3 assigned each; it's a Dell R430 with 2 HDD hard drives (NO SSD), and it started to freeze and stop working.
Reviewing the heaviest users, each is taking about 300MB in their session.

I need 4 virtual servers for 30-40 users each. Can you give me some recommendations for specs?

Thank you!

4 Comments
2024/11/06
15:18 UTC

0

KnowBe4 PAB no headers found error

We have had this issue since April, but when on-premise users click the PAB they get the "No headers found" error.

  • Important information:
    • We are a Hybrid org
    • We are also GCC
    • The extension is deployed via manifest file in both 365 and EXCH 2019
    • the damn thing used to work fine

Have been deep diving this with their support and they indicate that the REST API is in preview mode.

Researching the error I found the following stating that the REST API should not be used:
https://techcommunity.microsoft.com/t5/exchange-team-blog/the-end-of-the-rest-api-for-on-premises-mailboxes-preview/ba-p/3221219
https://techcommunity.microsoft.com/t5/exchange-team-blog/reminder-end-of-rest-api-for-on-premises-mailboxes-preview/ba-p/3828889

Now they are essentially telling us to take it up with Microsoft; when I explain that MS says to not use REST for on-prem, they repeat telling us to take it up with MS.

Am I missing something? Is there some setting that I need to set in our tenant that I just cannot find?

Is anyone else having this issue with the KnowBe4 PAB?

2 Comments
2024/11/06
15:00 UTC

8

"Beginner" looking for book recommendations

Hi everyone!

First time posting on this sub ;)

I've been a developer for almost 15 years and most recently I switched into management. As I look into the current state of things with AI getting increasingly better at creating code, I see a lot of us (managers, programmers) being out of work in a couple of years.

I'm looking to bulletproof myself by adding some sysadmin knowledge to my belt. I bought the "Unix and Linux System Administration Handbook" some years ago and that should be enough to get most of the knowledge I'll need. But that book is a monolith of a book and I would like to start with something smaller that can give me a head start without diving into all the details (for that I can use the Handbook later).

My goal is to have something lighter and faster first and then dive deeper with the handbook.

Do you have any recommendations on a book that gets into the essentials of sysadmin without getting into too much detail? (Bonus points if it is a more practical/hands-on type of book.)

Thanks in advance!

6 Comments
2024/11/06
14:42 UTC

0

Can you get notified when MS Releases new OS versions?

So Windows 11 24H2 was RTM'd last month and Server 2025 has been released in the last few days.

In my work, we're required to provide support from day-zero of when MS drops new versions of their OSs.

But it seems to be impossible to be notified that they have released.

I appreciate that endless news/blogging outlets provide information when new versions are available, but I really want to be notified (preferably by MS themselves) when new versions are available.

I'm not fussed about hotfixes, sec updates, etc., (I may be in the future) but for now I'm just wanting the full releases.

So how do you fine folks get notified when they are available?

0 Comments
2024/11/06
08:47 UTC

8

Which Azure and Microsoft Certifications Are the Most Valuable

Hey everyone!

I'm in my last year of my bachelor’s program, and I’m considering getting some certifications to help kickstart my career. I've been looking into Azure and Microsoft certifications because I think cloud and IT infrastructure are good fields to dive into.

But with so many certs out there, I’m struggling to figure out which ones are the most valuable right now, especially for someone fresh out of college. I'd ideally like something that’s widely recognized by employers and gives a solid foundation. Here’s what I’m wondering:

  1. Which certs are best for someone with a technical background but minimal hands-on experience?
  2. Are there entry-level certs that employers see as especially valuable?
  3. How useful is it to get more than one Azure/Microsoft cert at the start?
  4. If anyone’s been in the same boat, what certifications did you get and were they worth it?

Thanks in advance for any advice or experiences!

6 Comments
2024/11/06
14:33 UTC

0

Alternatives to Comodo Firewall for Windows Server 2019?

Hey r/sysadmin,

I've been using Comodo Firewall for years and am quite happy with it for my personal setups. Now, I'm looking to install a similar firewall solution on a backup server running Windows Server 2022. The catch is, Comodo Firewall isn’t compatible with Windows Server OS, so I need a solid alternative.

Here's what I'm looking for:

  • OS Compatibility: Must work smoothly on Windows Server 2022.
  • IP Whitelisting: I want to restrict access so only specific IP addresses can reach this server.
  • Ease of Use: One of the reasons I liked Comodo was the ease of configuration. Ideally, the new software should have a manageable UI for quick rules setup.

If you have experience with a free firewall that fits these needs, I'd really appreciate your input!

Any recommendations? Thanks in advance for your help!

7 Comments
2024/11/06
14:21 UTC

1

Failure when configuring Cert Enrollment Web Service and CA Web Enrollment roles

Hey guys, I'm getting a bit frustrated with this situation and I feel like I've read every Microsoft article related to it. I've successfully installed and set up the CA on my server, but after installing the Web Service and Web Enrollment, they both give the same error when I attempt to configure them: "the parameter is incorrect 0x80070057 error invalid parameter". I saw one forum where the guy suggested changing a registry key, which I tried, but still no success. Does anyone have any experience with this, or suggestions, or any kind of way to get around this? Or even if it's something I'm doing wrong, I would appreciate any and all help. Thanks!

0 Comments
2024/11/06
14:07 UTC

62

Windows Server 2019/2022 upgrading to 2025 - any way to roll back?

I've seen that KB5044284 is upgrading servers automatically to 2025.

We've had 2 client servers (one running 2019, one running 2022) automatically upgrade to 2025 overnight. We've blocked the offending update in our RMM but we now need to get the servers which have upgraded rolled back.

Anyone had any success with this or am I going to be spending tonight restoring from backup?

46 Comments
2024/11/06
13:59 UTC
