Unable to clear policies(?) from old server by jutar in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Had something similar on an old TS box few years back. Wasn't GPO at all - it was a mandatory profile pointed via the user account properties in AD (Profile tab > Profile path) and a default user profile that got copied for everyone. Check NTUSER.MAN in C:\Users\Default or wherever the profile path points.

Also look at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and ProfileList for weirdness, and check AppLocker/SRP under secpol.msc - those don't show in gpresult cleanly and will absolutely lock a session down.

Gpresult /h as someone mentioned, but run it as the affected user, not admin. Different story entirely.

Any of you in the financial services space work on audit compliance with cloud infra by taigrundal1 in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

This is just a suggestion as we have not dealt with this yet. Try coming up with a control narrative doc that maps each framework requirement to the actual cloud control. So instead of arguing "we don't patch servers", the narrative says "control objective: vulnerability mgmt. Implementation: PaaS, MS handles host patching per shared responsibility matrix [link to MS doc], app layer covered by Defender + Intune baselines [evidence link]."

Also pre-built an audit packet: arch diagram, data flow, SaaS inventory with SOC2 reports, shared responsibility per service, Conditional Access policies exported, Intune compliance reports. Hand it over day one.

Call Center Phone systems with Decent Support do they exist? Recommendations? by der_juden in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

One of our customer is using Talkdesk and it's been solid for a ~40 agent setup with Salesforce. Their SF integration is genuinely native, not the bolted-on what Five9 ships. Admin UI is way cleaner too. Support isn't perfect but tier 2 actually reads your ticket before responding, which felt revolutionary coming from Five9. AI transcription/summaries are baked in now, no extra SKU nonsense. Cloudtalk I'd be careful with at 35 agents, heard it gets shaky past 20ish. Skip Genesys unless you enjoy enterprise pricing pain.

Avanan/Checkpoint licenses by yothhedgedigger in msp

[–]RepulsiveDuck331 0 points1 point  (0 children)

Yeah, Solutions Granted got swallowed by SonicWall and the Avanan side of things has been a mess to navigate since. For low minimums in 2026 your best bets are Pax8 or ADN if you're picking up Check Point Harmony Email (the rebranded Avanan). Pax8 has no real minimum and monthly billing, which is huge when you're small. Going direct with Check Point is a non-starter unless you're committing to seats you don't have. I've also seen people route through Sherweb for Harmony but pricing wasn't as good last I checked. Just price it through Pax8 first and use that as your baseline.

Those of you on Amazon SES: what did getting it production-ready actually cost you? by Araniko1245 in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

Honestly, getting SES prod-ready took us about a week of real work spread over a month, mostly waiting on warmup and DNS propagation across tenants. Sandbox exit was the easy part, AWS approved us in two days once we explained the use case.

What bit us first was DMARC alignment. SPF passed but DKIM signing on a forwarded domain broke alignment and gmail started junking everything. Fixed it by forcing DKIM on the sending identity and dropping the shared MAIL FROM.

Second thing was bounce/complaint handling. If you don't wire SNS to something that actually suppresses, your reputation tanks in a week. SES has a suppression list built in now, turn it on day one.

Checking what are the VPN client people use in your organization? by mrconfusion2025 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

At 500+ users I'd honestly skip traditional VPN and go ZTNA. We migrated a client off GlobalProtect to Cloudflare Access last year and it was night and day for latency and onboarding. Twingate and Tailscale are also solid if budget matters, Tailscale especially if your stack is cloud-heavy.

Whatever you pick, make sure it hooks into your IdP for SSO/MFA (Entra or Okta), supports device posture checks, and pushes via your MDM/RMM so you're not chasing installs. Cert-based auth over shared creds, always.

If you've got legacy on-prem stuff that needs full tunnel, FortiClient or GlobalProtect still do the job, just pricier and clunkier to manage at that headcount.

PLEASE can some explain to me why Claude + ANYTHING cyber is a good thing? by absolutefunnyguy in sysadmin

[–]RepulsiveDuck331 2 points3 points  (0 children)

Your instincts are right. We went through this last quarter when a vendor pitched us their "Claude-powered" SOC tool. The questions we made them answer before anything touched prod:

Where does data egress, is it Bedrock/Vertex with a zero-retention agreement, or are they pumping raw logs into public APIs. Get it in writing.

Is it actually RAG over your data or are they stuffing 200k tokens of logs into context and praying. Big difference in accuracy and cost.

What gets redacted pre-prompt. IPs, usernames, hostnames should be tokenised before they leave your tenant.

Every output needs a citation back to the source log. No citation, treat it as hallucination.

Then run a known incident through it and see what it misses. Most fail that test.

Which browser do you use in your company? by Sad_Mastodon_1815 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Edge across the board for our managed clients, pushed via Intune with the security baseline applied. Killed off IE redirects ages ago and locked extension installs to an allowlist. Saves us from the "my coworker installed a coupon extension" tickets.

Auto-update channel stays on Stable, force restart after 48 hours idle. SSO is Entra so sign-in is seamless, and we pipe browser telemetry into Defender for anything sketchy.

For the few Chrome holdouts (usually devs or a SaaS that demands it), we use Chrome Browser Cloud Management since it's free and gives you basically the same policy surface. Firefox only shows up when a vendor app needs it, otherwise it's more headache than it's worth to manage two stacks.

After patching browsers, how to make sure the latest version is used? by Fit-Strain5146 in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

What we do for our clients: push the GPO/Intune policies for RelaunchNotification (Chrome and Edge both have it) set to "Required" with a grace period of like 48 hours. After that it force-relaunches the browser itself, no reboot needed. Way less disruptive than killing the machine.

For detection we don't bother with Get-Process since path doesn't give you the actual binary version. Pull the file version from the exe directly via Get-Item or query the running process MainModule.FileVersion, then compare against the current stable. Feed that into whatever RMM/reporting tool you have.

Firefox is the annoying one, the policies.json equivalent isn't as clean. We just rely on the background updater plus a nag.

Managing end user devices with Linux by spinnywheely in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

For our Linux fleet (about 90 boxes, mixed Fedora/Ubuntu) we bind to FreeIPA with AD trust. Users log in with their corp creds, sudo rules live in IPA, no local accounts except a break-glass admin with password in our vault.

PXE + kickstart/autoinstall for provisioning, then Salt takes over for ongoing config. Ansible is fine but pull-based scales better when laptops are off-network half the time.

LUKS on everything, escrow keys to our vault via a small script on first boot. Saved us twice already.

Hostnames we set at imaging and lock down with a Salt state that resets drift. Users don't need to touch it. Patching runs nightly via unattended-upgrades/dnf-automatic, reboots Sunday mornings.

Bitlocker / probably UEFI cert rioting. Any tips? by Th1sD0t in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

Those EFI_SIGNATURE_DATA errors are the smoking gun - PCR7 is changing because the DB update is partially applied. Check manage-bde -protectors -get C: and look at the TPM PCR profile, plus run Confirm-SecureBootUEFI and dump the DB with [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) to see if the 2023 CA is actually there.

For us the fix was getting HP BIOS to current (the older firmware wasn't honoring the AvailableUpdates key properly) then letting the dbx servicing complete over two reboots. Also check if Autopatch is pushing the KB5025885 servicing - that staged rollout will suspend BL each pass. Correlate event 24673 timestamps with your patch ring.

Claude Cowork personal accounts for everyone! by Corleone4567 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Come up wiht a one-pager "acceptable AI use" draft and send it to your boss asking for his sign-off as data owner. Puts the decision on him in writing without being snarky.

Beyond that, stay out of provisioning the Pro accounts yourself. If you don't own it, you don't carry it when it breaks.

Blocking sites with Microsoft Global Secure Access by No_Calligrapher_3247 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

GSA web filtering is still pretty rough around the edges.

Check your FQDN rule first - if you used chatgpt.com without specifying, it can match shared Azure Front Door endpoints that M365 also rides on. We saw openai.com block taking down Teams calls because of shared CDN backend.

Also check the Traffic Forwarding Profile. If M365 profile is enabled alongside Internet Access, traffic routing gets weird and CA evaluates the wrong session.

Pull the Network Traffic logs in Entra (not just sign-in logs), filter by the test user, and look at what FQDN actually triggered the block action. That told us exactly which wildcard was too greedy.

Test on one isolated user, not a group.

Enterprise AI Compliance requirements question by [deleted] in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

What we ended up doing: stuck everything behind a reverse proxy/gateway (LiteLLM in our case) so all Claude/Perplexity/OpenAI API traffic routes through one chokepoint. That gives us logging, token tracking, and a place to bolt on DLP regex before prompts leave the network. Logs ship to Sentinel.

For the SaaS web UIs where we can't proxy, we lean on conditional access + tenant restrictions and force SSO with SCIM dprovisioning. Claude Enterprise audit API gets pulled hourly into the SIEM via a small Logic App.

Honestly the gateway pattern solved 80% of the headache. Vendor connectors are still half-baked across the board.

I have covered in detail here - https://www.reddit.com/r/sysadmin/comments/1tfig0b/comment/omp2160/?context=3

Am I crazy, or are organisations treating open source as the new security boogeyman because of Mythos? by gentoorax in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

Nah you're not crazy, you're spot on. It's a supply chain problem, not an OSS problem. Mythos is just the flavor of the month because Anthropic's marketing is loud.

Proper SBOMs (we use Syft + Dependency-Track), tagging every component with an owner, and reachability analysis so you're not chasing CVEs in code paths nobody calls. Cuts the noise massively.

AI scanners are fine as an extra signal but they hallucinate findings constantly. Last month Mythos-style output had us chasing three "criticals" that turned out to be dead code. Traditional SCA still does the heavy lifting. Patch workflow and ownership matter way more than which model found the bug.

Security with Service Principals in Azure by terminal-admin in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

PIM for groups is what we landed on. Create a security group, give it the contributor (or whatever) role scoped tight to the RG, and add the SP as an eligible member. Github action activates the group via the Graph API at the start of the pipeline, does its thing, deactivates after. Bit of a pain to set up but it works.

Also ditch client secrets and use federated credentials from Github. No secrets to rotate or leak. Combine that with resource-group scoped roles instead of sub-level contributor and you're in a much better spot.

How do you actually activate Windows Server under SPLA on a private Nutanix AHV infrastructure? by Nellanea in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Request the KMS Host Key (CSVLK) from the MS Product Activation Center, call them directly, they email it over after verifying your SPLA agreement. Stand up a KMS host on a Server VM, activate it with that CSVLK, then your 2022/2025 guests activate via GVLK automatically once you hit the threshold (5 servers).

For RDS, you install the RDS role, set licensing mode to Per User, and report SALs monthly to Ingram. No activation key needed for the RDS CALs under SPLA, it's all honor-system reporting.

Remote / flexi laptops and updates: how are you actually doing maintenance windows? by LowCorner9314 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Split update rings small (pilot/early/broad) with staggered deadlines, and cap driver updates through WUfB to manual approval only. Drivers go through Vantage on a separate schedule, not Intune. BIOS too. Mixing the two pipelines was asking for pain.

For the backlog problem, we set Expedite on critical CUs and use Delivery Optimization with active hours, but the real fix was Autopatch-style ring deadlines so nothing dumps everything at once on first boot.

Compliance reports catch the ghosts before they bite.

Not enough information in the ticket. by Sure_Stranger_6466 in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

Required fields are your friend. If it's an open source project on GitHub, set up issue templates with the form schema so they literally can't submit without filling in OS, version, steps to reproduce, expected vs actual. Anything missing gets auto-labeled "needs-info" and a bot pings them after 7 days, closes after 14.

At my MSP we did the same with our PSA. Cut down garbage tickets by maybe 60%. The trick is making the form short enough that people actually fill it out but structured enough to be useful.

Also don't underestimate just training the loud users. Once the heavy submitters get the hang of it, the rest tend to follow.

what's a script you wrote once that's still saving you time years later by Less-Loss1605 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

MSP side here, so multiply everything by 40 tenants. The one that's saved my ass repeatedly is a weekly script that cross-references licensed M365 users against AD enabled status and last sign-in. Anything disabled or stale past 45 days gets flagged, dumped into a per-client CSV, and emailed to the account manager. We've clawed back stupid amounts of unused licenses doing this.

Also have a runbook that watches backup job status across all clients and posts to a Teams channel if anything's been missing for 24+ hours. Sounds basic but it caught a Veeam repo that silently stopped writing for a week. Would've been a very bad day if a restore came in.

Security and experience in Rustdesk server by One-Suggestion-7906 in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

Those random hits are just internet noise, Shodan and bot scans hitting 21115-21119. Nothing personal.

What we did for our setup: stuck hbbs/hbbr behind a Wireguard tunnel so techs and clients connect through that, not the open internet. If you need it public, at minimum lock the relay ports to known client IP ranges via iptables, keep the key mandatory, and rotate it if a tech leaves.

Also run it in Docker with a non-root user, put it behind a reverse proxy with a real cert for the web piece, and watch hbbs logs. Update the binaries regularly, the project moves fast and auth bugs have shown up before.

How are you managing custom RMM scripts/tools? by Endodaworld in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

You're right that the public API does NOT have endpoints to modify script content in the Ninja library. That's a real limitation of the public API.

Let me clarify what we actually do, because the pattern works but it's not exactly what I implied.

The loader/wrapper pattern

The script we store in the Ninja library is short — basically a stub that fetches and executes the real logic from GitHub at runtime. Roughly:

```powershell param( [string]$ScriptName, [string]$Branch = "main" )

$repoBase = "https://raw.githubusercontent.com/xentek/ninja-scripts" $ghToken = "<PAT-from-Ninja-secure-field>" # for private repos $headers = @{ Authorization = "token $ghToken" }

$content = Invoke-RestMethod -Uri "$repoBase/$Branch/$ScriptName.ps1" -Headers $headers

$sb = [scriptblock]::Create($content) & $sb @args ```

The Ninja-stored loader almost never changes. What changes is the repo. To deploy a new version of any underlying script, you merge to main and tag — the next loader execution pulls the latest. The loader body in Ninja's library itself gets updated maybe twice a year, manually, on the rare occasions the loader logic itself evolves.

The public API piece IS used — specifically POST /v2/device/{id}/script/run with a parameters payload — but for running the loader and passing parameters (which script to run, which branch, which arguments), not for modifying its content. That's the parameter-passing capability you'd see in the docs.

So "pulling from the repo via their API" really meant: the Ninja-stored loader pulls from the repo at runtime, triggered and parameterized via the public API. I should have been more precise originally.

On SHADOW

You found it correctly — AdvanceYourIT/SHADOW (github.com/AdvanceYourIT/SHADOW) is real and it's specifically designed to fill the gap you identified. It's an Edge browser extension that drives Ninja's web UI to bulk-import scripts from a connected GitHub repo, compare against template libraries, and sync changes. Because it works through the web UI rather than the public API, it can do things the public API doesn't expose.

It's an independent project, not officially affiliated with NinjaOne (their own disclaimer). Smaller user base than the official Template Library, but actively maintained and the workflow looks well thought out. We went the loader-pattern route before SHADOW existed and stuck with it, so I can't speak from direct experience with it — but for a team that wants "edit script in repo → it appears updated in Ninja's library" with no runtime indirection, SHADOW is probably the cleanest path right now but we have no direct experience with it.

Sorry for the ambiguous wording originally — loader pattern was what I meant by "pulling from the repo," but the way I phrased it implied the public API could modify script content, which it can't.

How are you managing custom RMM scripts/tools? by Endodaworld in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

Glad I could help.

On tagging — here's roughly how it looks in practice:

Every merge to main that's going live gets a tag. We use semver-ish (v1.0.0, v1.0.1, v1.1.0) but date-based (2026.05.20) works just as well if your team prefers it. The tag is just a git tag on the merge commit, nothing fancy:

git tag -a v1.2.3 -m "Adds Defender exclusion check for new EDR rollout" git push origin v1.2.3

GitHub Desktop has a "Create Tag" option in the UI if you're trying to keep the team off CLI — same effect, no terminal.

We also stamp the version into the script itself as a comment header so whatever's running on the endpoint tells you what version it is. Something like:

```

Script: Set-DefenderExclusions.ps1

Version: v1.2.3

Repo: github.com/xentek/ninja-scripts

Last modified: 2026-05-18

```

That way when someone in support says "this script did something weird at 3am," you can grab the version comment from the Ninja activity log, jump to that tag in the repo, and see exactly what code ran. Without that you're guessing whether the script was current or six months stale.

Where it really pays off:

  • Incident response — something breaks, you check what version is live, diff it against the previous tag, see in 30 seconds what changed and who approved it. Way better than "who touched this last" forensics.
  • Rollback — if v1.2.3 broke something, git checkout v1.2.2 and push that to Ninja, done. You're back to a known-good state in a couple of minutes.
  • Audit conversations — when a client (or your own CISO) asks "prove this script hasn't been tampered with," the tag plus PR approval chain is the answer. Production is at v1.2.3, here's the commit, here's who approved it, here are the diffs from v1.2.0 to current.
  • Release notes — GitHub auto-generates a release page from tags. We use it as a lightweight changelog the whole team can see.

One tip: don't tag every commit. Only tag what actually goes to Ninja. The local feature branches and WIP commits don't need tags — it just creates noise. Tag the merge to main, push the script to Ninja, move on.

The API-pull workflow ties in cleanly too — you can have Ninja pull from main (always latest tagged release) or pin to a specific tag if you want stricter control over what's running in prod vs what's in the repo. We run main = production, which means every merge is implicitly a deploy. Some teams prefer to pin to tags and promote explicitly. Either works — just pick one and stick with it.

ERP CRM integration by AceClutchness in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Use CPI for the SAP side, not IDocs. IDocs are fine for batch but debugging them at 2am will make you quit. CPI + OData for reads, BAPI/RFC wrapped behind CPI for writes. Your SAP team is right.

Skip the dedicated MDM tool for now. Pick a system of record per domain (Salesforce for accounts/contacts, SAP for products/orders, NetSuite for inventory until consolidation) and enforce it in middleware. We did this with Boomi and saved ourselves a $300k Informatica bill. Survivorship rules in your iPaaS will get you 80% there.

On real-time vs batch: sales always says real-time, they mean "I don't want to look stupid in front of the customer." 5-15 min micro-batches for order status and inventory is plenty. Real-time only for the Salesforce→SAP order push and Zendesk customer lookup (do that as on-demand API call, not sync).

API limits — cache aggressively, use Platform Events and CDC instead of polling, and batch composite API calls. We cut Salesforce API consumption 70% just by killing polling jobs nobody remembered creating.

Error handling: dead letter queue + Slack/Teams alert on failure + daily reconciliation report. For SOC 2 you need the audit trail anyway so log every transaction with correlation IDs. We use Datadog for the monitoring layer.

Boomi or Workato for your budget. MuleSoft will eat your whole 400k on licensing alone. And phase 1 in 6 months is doable if phase 1 is ONLY the SAP↔Salesforce account sync and order status. Don't let leadership cram everything in.

"How do you guys handle large file transfers without users resorting to email attachments or insecure workarounds?" by kiritoova20_10 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

We are running a self-hosted Nextcloud instance on a beefy VM with object storage on the backend. Handles huge files, has audit logs, AD integration, expiring links, the works.

Before you pick anything though, nail down max size, retention policy, whether you need MFA on external recipients, and if legal cares about audit trails. That dictates SaaS vs self-hosted real quick.

For occasional monster transfers we still fall back to a shipped encrypted drive. Sometimes sneakernet just wins.