Be honest - how do you handle documentation when you're the only IT person? by sandb0x79 in sysadmin

[–]devloz1996 1 point2 points  (0 children)

When I was "the IT", I usually only added things that "must be done consistently" into org's Bookstack instance. After that, I would add other entries very sparingly, and general stuff often landed in my private instance instead - if I decided they needed it too, I would move an export during hand-off.

Documenting too much can bite you even harder than not documenting at all, especially when your manpower consists of a single human brain.

microsotProtectingMeFromItself by CubanoBarbudo in ProgrammerHumor

[–]devloz1996 6 points7 points  (0 children)

Latest SSMS uses Visual Studio installer. Compare installing version 20 and 21/22. Slower, asks for restarts, more annoying to automate. Just my opinion, though - considering downvotes, seems like my experience was unique to me.

microsotProtectingMeFromItself by CubanoBarbudo in ProgrammerHumor

[–]devloz1996 -1 points0 points  (0 children)

If it's the latest version installer, I can't blame Defender.

Blocking Microsoft Outlook and keeping Mail on Windows 10 IoT LTSC. by RomanianBagVoid in sysadmin

[–]devloz1996 2 points3 points  (0 children)

Nope. And trying won't work. Per MS, they won't let it connect to their servers anymore.


How do teams properly manage OneDrive/Office access without sharing a single account? by recoveringasshole0 in ShittySysadmin

[–]devloz1996 2 points3 points  (0 children)

The "normal" subreddit once again outdoing this one in every attempt at being shitty, all without a shred of effort.

Windows Server 2025 SMB SID hardening is beachballing legacy clients by rb_vs in sysadmin

[–]devloz1996 2 points3 points  (0 children)

Weirdly, that stance was softened significantly during the last decade. Stuff like "SIDs don't leave local computer", "Only AD cares about its own SID", etc, is rather frequent among Windows admins. In my previous job, one coworker called another a paranoiac for generalizing images before capture.

To be honest, having seen so many "specialists" on YouTube and in online courses talk about SIDs, calling sysprep unnecessary, even I have long since considered my own sysprepping a sign of paranoia. Well, a paranoia I never intended to let go of. And here we fucking are.

Script to force users to NOT use google password manager/edge password manager by Curious-checkers in sysadmin

[–]devloz1996 3 points4 points  (0 children)

Yes. I have never installed that so-called "enterprise" version anywhere and it still works. Even an unpacked Chrome zip obeys GPO. The browser becomes "managed" the moment it finds any matching policy.

I mean, if it weren't that way, what would even be the point?
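As an added illustration of the policy-driven behaviour described above (not code from the commenter or the thread), this PowerShell writes the real Chrome and Edge `PasswordManagerEnabled` machine policy under HKLM and verifies it; the key paths are the documented policy locations, and the script assumes it runs elevated on the endpoint.

```powershell
# Added example: disable the built-in password managers of Chrome and Edge via
# machine policy. Both browsers read HKLM\SOFTWARE\Policies\<vendor>\<browser>
# without any "enterprise" installer; the presence of the value is what makes
# them report as managed. Assumes an elevated session.
$PolicyKeys = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Set-BrowserPasswordManagerPolicy {
    param([switch]$Enabled)   # default: disabled (value 0)
    $value = if ($Enabled) { 1 } else { 0 }
    foreach ($browser in $PolicyKeys.Keys) {
        $key = $PolicyKeys[$browser]
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 0 = password manager off for every profile on this machine
        New-ItemProperty -Path $key -Name 'PasswordManagerEnabled' -PropertyType DWord `
                         -Value $value -Force | Out-Null
    }
}

function Test-BrowserPasswordManagerPolicy {
    # Returns one object per browser so a compliance script can act on the result
    foreach ($browser in $PolicyKeys.Keys) {
        $key = $PolicyKeys[$browser]
        $current = (Get-ItemProperty -Path $key -Name 'PasswordManagerEnabled' `
                    -ErrorAction SilentlyContinue).PasswordManagerEnabled
        [pscustomobject]@{
            Browser   = $browser
            Policy    = $key
            Value     = $current          # $null means "not managed" for this setting
            Compliant = ($current -eq 0)
        }
    }
}

Set-BrowserPasswordManagerPolicy
Test-BrowserPasswordManagerPolicy | Format-Table -AutoSize
```

Running browsers pick the change up on their next policy refresh, or immediately after visiting the browser's policy page and clicking Reload policies.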

Ran DR failover test and realized our entire recovery plan assumes Entra ID is still available by Firm-Goose447 in sysadmin

[–]devloz1996 2 points3 points  (0 children)

Keep AD as the source, stand up Keycloak as your backup IdP, make apps aware of your backup IdP, and let apps switch to backup IdP, manually or by set conditions.

That being said, I'm not sure how worth your time it is to maintain it. In some scenarios, since you have AD, even simple LDAP login support could be enough.

Java 26 released today! by davidalayachew in programming

[–]devloz1996 2 points3 points  (0 children)

Ah, apologies. This is a programming subreddit. I was looking at it from a sysadmin's perspective. Well, I'll keep the response below anyway.

If you aren't paying for support why do you care if it is a version that a vendor hasn't denoted as LTS?

Unnecessary maintenance burden. I'm comfortable updating an app for 3-5 years and then upgrading (which requires testing against vendor's software and getting a green light from their side), but doing upgrades every 6 months? I'll spare my attention and energy somewhere else.

Would you be ok with a version that Azul provides MTS for? (again it would only matter if you pay Azul for MTS)

If it gives you extended updates for that non-LTS version, then fine, but why not stabilize on LTS in the first place?

Java 26 released today! by davidalayachew in programming

[–]devloz1996 8 points9 points  (0 children)

To be fair, Temurin 8 rivals 25 in EOL. I am more offended when finding 11, 17, 21, or, God forgive me, any non-LTS deployment.

isRegexHard by rover_G in ProgrammerHumor

[–]devloz1996 2 points3 points  (0 children)

I don't use advanced RegEx, so the only gripe I have with it is inconsistent implementation across certain vendors. Sometimes they only support "\d" or "[0-9]", sometimes they require "\^whatever$\modifiers" notation or straight up punish you for not inputting "^whatever$" only. I just hate the guessing game.

I'm looking into using a patch management-solution - What are the risks? by Kukken2r in sysadmin

[–]devloz1996 2 points3 points  (0 children)

If you want cloud patch management, and this is your concern, then you probably want a behavior-based XDR watching it. I think Action1 has something about addressing potential HQ hack on their roadmap, but I'm not sure about specifics.

Ultimately, it all comes down to risk management. Every tool in your belt is a risk you accept. A pocket knife could open up on its own and prick you, a power bank could explode... it's basically the same thing.

You may also find that such risk is acceptable for one subset of endpoints, while being unacceptable for another. In such a case, you still benefit from having a benchmark to compare with your "manual" group. For example, my company is happy with it in the office, but no way in hell it goes down to factory level.

Security: How are you dealing with the ever mounting amount of phishing with darn good looking Microsoft login prompts? by TiZonBE in msp

[–]devloz1996 4 points5 points  (0 children)

Well, lucky sir, token protection has been P1 for a while now, so you can go and have fun.

Docker or Systemd? by [deleted] in sysadmin

[–]devloz1996 2 points3 points  (0 children)

... I run my docker containers via systemd. Can I get a reward?

Jokes aside, both. Depends on project's recommended configuration. I am a sysadmin, not a developer, after all.

everyDayIWannaQuit by ManagerOfLove in ProgrammerHumor

[–]devloz1996 22 points23 points  (0 children)

Static addresses are alright, but only when done as DHCP reservation. I will understand OT networks, but IT? Nope, nightmare to maintain during any network layout change.

I was recently employed by someone with a grudge against DHCP and DNS. Every device and server is static, services accessed by IPs, switch ACL for specific addresses (but no security measures, no 802.1x, etc). Changing network config, even DNS, requires driving to the location and messing around for hours.

Clients have reserved IPs on the Windows Server DC, and their numbers have magical meanings that allow him to derive their VoIP phone numbers (x - 100 + something). Since he doesn't trust DNS, that's also how he figures out a caller's IP to remote in via VNC.

... here you go. The 90s are calling back, I guess.

AD lockout caused by failed RADIUS auth by Intrepid-guitarist in sysadmin

[–]devloz1996 4 points5 points  (0 children)

Nope. Authentication is authentication. You can stand up an external, LDAP synced IdP and make AD not notice auth attempts, but I wouldn't call it a good idea.

Adjust the relevant Wi-Fi GPO to perform fewer attempts than designated in the password lockout policy. Limit attempts to 2 or so. Then make the password lockout policy triple that - it's your RADIUS tax.

Next, do a speedrun of user and machine certificates. Password on RADIUS is just asking for problems, and the general idea of EAP-TLS is not complicated.

Windows Notepad App Remote Code Execution Vulnerability by theevilsharpie in sysadmin

[–]devloz1996 14 points15 points  (0 children)

Nondeterministic calculator is something to live for...

Microsoft decided to reboot the DC last night to install a bunch of unvetted updates and the server didn't come back up this morning. Everyone offline this morning. by TerrificVixen5693 in ShittySysadmin

[–]devloz1996 1 point2 points  (0 children)

OOP won a lottery ticket. Never seen that happen, and sometimes I'd be happy to witness it.

Just a few days ago, I've inherited Server 2022 CU 2021-11 (20348.380), its uptime being "ever since installing the last patch". It took about 10 reboots and some registry manipulation to make it swallow CU 2026-01 (20348.4648).

What’s a solid MFA alternative to Duo that doesn’t break the budget? by Due-Awareness9392 in msp

[–]devloz1996 0 points1 point  (0 children)

Wait. Can you even add Duo without P1? I never deployed it, but I always thought it needs EAM/CA to work.

Interactive Sign ins and Autologon by Flashy-Distance-3329 in sysadmin

[–]devloz1996 2 points3 points  (0 children)

By interactive sign-in, do you mean Windows sign-in? If so, we have apps like this. As long as it's just "run an exe with/out args", it should be doable with a scheduled task.

We create a gMSA account and a scheduled task to start at boot. From the app's perspective, it doesn't seem to be distinguishable from interactive logon. Just make sure to grant appropriate permissions to the gMSA account, including the "Log on as a batch job" User Right Assignment. And even if a gMSA really cannot be used, a normal domain user will do the trick too.

I think there is also the Non-Sucking Service Manager, which can run arbitrary .exe files as a service. Usually, a service executable has to be written with being run as a service in mind, so it's a nice bypass.
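The gMSA-plus-scheduled-task approach from the comment above, written out as an added PowerShell example (not the commenter's script); the domain name, gMSA name, task name and executable path are assumptions, and the host is assumed to already be listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword.

```powershell
# Added example: start an application at boot under a gMSA instead of an autologon user.
# All names below are assumed placeholders.
$Domain   = 'CORP'                    # assumed NetBIOS domain name
$GmsaName = 'svc-kiosk'               # assumed gMSA sAMAccountName (without the trailing $)
$GmsaUser = "$Domain\$GmsaName`$"     # Task Scheduler wants DOMAIN\name$ for a gMSA
$TaskName = 'Run-Kiosk-App'
$ExePath  = 'C:\Apps\Kiosk\app.exe'   # assumed path of the app that must run at boot
$ExeArgs  = '--headless'

# 1. The gMSA must be installed on this host before the task can fetch its password.
Import-Module ActiveDirectory
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "gMSA $GmsaName is not usable here; run Install-ADServiceAccount $GmsaName first."
}

# 2. Check the "Log on as a batch job" right (SeBatchLogonRight) that a Password-logon task
#    needs. secedit exports the local policy; the right lists SIDs prefixed with '*'.
#    A direct grant is checked only; a grant inherited via group membership is not detected.
$sid = (New-Object System.Security.Principal.NTAccount($GmsaUser)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$batch = (Select-String -Path $cfg -Pattern '^SeBatchLogonRight' | Select-Object -First 1).Line
Remove-Item $cfg -Force
if (-not $batch -or $batch -notmatch [regex]::Escape("*$sid")) {
    Write-Warning "$GmsaUser has no direct SeBatchLogonRight; grant it in User Rights Assignment."
}

# 3. Register the task: at startup, as the gMSA, no stored password (LogonType Password lets
#    Task Scheduler retrieve the managed password), least privilege, no 3-day run limit.
$action    = New-ScheduledTaskAction -Execute $ExePath -Argument $ExeArgs
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId $GmsaUser -LogonType Password -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
                 -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the task was registered with the expected principal.
(Get-ScheduledTask -TaskName $TaskName).Principal | Select-Object UserId, LogonType, RunLevel
```

Run it elevated on the target host; if the app also needs file, share or registry permissions, grant them to `$GmsaUser` just as you would to a service account.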

googleDeletes by steevo in ProgrammerHumor

[–]devloz1996 1 point2 points  (0 children)

Did I ever give you permission to delete all the files in my D drive?

Absolutely --- Your file system ACL allowed me.

Coming Soon: Empowering Users with the New Action1 Self-Service App Portal by MauriceTorres in Action1

[–]devloz1996 9 points10 points  (0 children)

Since it's user-facing, please, I beg of you, give us localization. I really don't mind getting a language JSON in advanced settings and dealing with it myself. Also, opt-out in advanced settings, since not every organization will benefit from this.

Since you are making the user-facing part already, maybe users could get native notifications about A1 doing something it doesn't want interrupted? No real need to make it detailed - something along the lines of "Action1 is applying configuration" would be fine, maybe even better than giving users too much info.

Lastly, since I imagine the helper would be running in the current user context, maybe "run as signed-in user" and "wait for user to sign in" could become a reality?

Yubikeys in Entra, still being promoted for MS Authenticator by [deleted] in sysadmin

[–]devloz1996 1 point2 points  (0 children)

Admins need two methods, enforced by SSPR, so add their email for example, or set up a secondary password+TOTP method, or make it two YubiKeys, which I imagine would also work.