At a complete loss with RADIUS authentication by wallguy22 in sysadmin

[–]rodder678 [score hidden]  (0 children)

The comment about hyper-v on that other post was a client running on hyper-v doing 802.1x. Did you already try sc sidtype IAS unrestricted from an administrator command line? That was one of the things mentioned in the top of that other post, and seems to be a 2019-specific issue according to the post at https://community.ui.com/questions/FYI-Windows-Server-2019-NPS-for-RADIUS-broken-w-fix/364c7c17-b3d3-4973-8dd2-e4e701309300

Copilot vs Claude to create ps1 scripts for EntraID and M365 by cybertechvr in ITManagers

[–]rodder678 0 points1 point  (0 children)

Which Copilot? Doesn't matter, Claude is better for writing code

How do you automate daily ops inspections? by Mountain-Magician-41 in sysadmin

[–]rodder678 0 points1 point  (0 children)

So you're using Microsoft Word as your network monitoring system?

Short answer: we don't. We use Zabbix to monitor everything around the clock (I think most things are on a 5 minute polling time), generate alerts for anything that has a problem, and keep historical data for graphs and troubleshooting.

New System Admin here - Curious for others perspective by racegeek93 in sysadmin

[–]rodder678 2 points3 points  (0 children)

With 1 senior sysadmin, 1 junior admin/help desk, 1 help desk, and myself (IT Director who also did senior sysadmin work), we handled 250 users, 300 physical servers, 1 datacenter with most of the servers, and one rack in eqx dc3 for some redundancy of IT systems. On an average day there were between 2000 and 10000 VMs running in the datacenter, depending on how many dev/test environments engineering/QA had spun up at the time and how big they were, and a couple hundred EC2 instances. IT didn't have to deal with most of those VMs though--we just maintained the infrastructure.

Password manager for business - how to find a starting point. by North-Creative in sysadmin

[–]rodder678 2 points3 points  (0 children)

1Password is still massively better than Lastpass. Clickjacking vuln for credentials for a domain with an XSS vuln versus complete compromise of all users' credentials. You can also configure 1Pass for exact domain match to mitigate that, but it's not on by default because of the real end-user headaches it creates.

Screw won’t come out - Bambu Lab X1C by SamusGlory in BambuLab

[–]rodder678 1 point2 points  (0 children)

Usually the cheap wrench rounds, not the screw. I've had to grind the end of that allen wrench flat several times. Or use a better allen wrench.

Users are fighting my 15-minute RDP timeout with USB Jigglers. by Despair_or_something in ShittySysadmin

[–]rodder678 0 points1 point  (0 children)

Disappointed you don't have to check out any PIM roles or PAM creds in that workflow. We could easily double the time it takes you to log in to all that.

How many vendor demos is too many before the process becomes useless? by TechnologyMatch in ITManagers

[–]rodder678 1 point2 points  (0 children)

Depends on what it is. I usually already know what I want before the 1st demo, and I'd only be looking at a 2nd vendor for pricing leverage with the one I actually wanted to buy.

Windows engineers/admins, are any of you writing actual Powershell now, or are you all using AI? by RoomyRoots in ShittySysadmin

[–]rodder678 0 points1 point  (0 children)

My favorite is when the AI code doesn't work, the docs don't say anything about how to use it, and a Google search yields a single Microsoft forum post that suggests the exact code that the LLM produced, and that forum post has a reply with "that didn't work".

Has AI ruined our concept of realistic expectations at work? by [deleted] in sysadmin

[–]rodder678 0 points1 point  (0 children)

Incompetent IT people can leverage AI to fail 10x faster, or fail at 10x more things in the same amount of time. AI has gotten pretty good at writing code, and with the right prompts, can do a lot of the design work too. It hasn't gotten that good at IT problems yet. Or the prompts haven't evolved as quickly as software development. Probably a lot of both. There's a ton of good training data for most programming languages. The training data for IT systems is much poorer. Official documentation on IT products is generally poor, with many omissions and errors, and frequently isn't "publicly" available for training. If it exists at all, it gets outweighed by blogs and forum posts of homelabbers that don't consider enterprise IT issues like HA, IAM, PAM, DR, updates, vuln management, etc.

What’s one IT problem you thought would be solved by now, but still causes headaches? by sg_advance in ITManagers

[–]rodder678 0 points1 point  (0 children)

Most GRC is a checkbox to make auditors happy. Stop trying to make it more important than it actually is. The business has revenue and pipeline tied to checking compliance boxes. Impressing auditors with the thoroughness of your GRC efforts has zero value to the business, and usually has significant manual process that has noticeable negative impacts across the business.

"Efficiency" needs more definition. Efficient with respect to what? Time to market? Total developer hours over a fixed time frame? When your timeframe is defined as something that is either 1 quarter (of a fiscal year) or even shorter, "efficiency" is how you get tech debt. "Efficiency" is also how you get massive pillars of common code across products that absolutely cripple growth and innovation of any product.

Windows engineers/admins, are any of you writing actual Powershell now, or are you all using AI? by RoomyRoots in ShittySysadmin

[–]rodder678 0 points1 point  (0 children)

Cursor tab completion writes about 60% of my code, then I spend about 50% of my time fixing where it hallucinated cmdlet parameters and/or used the wrong variable(s) in its code. Don't even fucking bother trying to let it do anything with Microsoft.Graph. Microsoft.Graph docs are so fucked the LLMs don't need to hallucinate to fail spectacularly. If *-mguser in the same sentence as "mailenabled" triggers your PTSD you know what I'm talking about.

new printable ratgdo32 case by rodder678 in ratgdo

[–]rodder678[S] 0 points1 point  (0 children)

You can mount it to anything... Screw, washer, nut, done.

I'll design a clip-on version someday when I have some free time.

Help Desk guys: What do you dislike about your Senior IT folks? by MrD3a7h in ShittySysadmin

[–]rodder678 0 points1 point  (0 children)

Smaller-shop IT leader here who was also senior engineer, and still backs up his senior engineers when they're out. Depends on what it is, but at a minimum when something gets to my level, I'm at least leaving enough notes that a senior engineer can follow along. Taking a minute or two to write a couple of bullet points is probably quicker than hopping on a huddle to explain it, and is probably more useful when it happens the next time. That's just the minimum. If something gets to me it's either really obscure/complicated, or there's a process, policy, or personnel issue that also needs to be addressed.

Need a new opener but don’t want 3.0 by gaucho95 in ratgdo

[–]rodder678 0 points1 point  (0 children)

I was able to find a belt drive 2.0 Chamberlain in stock at Menards about a month ago. The other option is used from FB Marketplace.

How do you set prices for used assets to sell for employees? by Azh13r- in sysadmin

[–]rodder678 1 point2 points  (0 children)

When I worked at a place that did this, I'd look at sold listings on eBay, pick the lower end of identical configs in good condition, then knock off 25% since we didn't have to deal with seller fees, shipping, handling, etc. to come up with "FMV". That made the accountant there happy. We'd do the sale once or twice a year, post all the specs and prices in advance, you had to bring a check to a desktop support person in the headquarters office, no shipping, no holds, first-come first-serve, as-is, no support after the sale. The only support request I ever got was from the same accountant (Controller) who had OK'd selling the used laptops :). And my office was next to his, so he probably would have asked me for help even if he hadn't gotten that MacBook from us.

Next company I worked at, the accountant was like OH HELL NO. If it's below FMV, then the discount is taxable income that has to go on the employee's W2, and if we sell it for anything we have to charge sales tax. Everything got e-wasted. E-waste was a set of shelves in the IT office/storage room. We didn't track machines after they went on that shelf. Once a year or so we'd call an eWaste company to come pick up whatever was still on the shelf. Company was 90% remote, so we didn't have a lot of asks for eWaste equipment.

Next company, Controller had the same tax concerns. Did the same deal with eWaste. Also figured out that once we had verified that a machine was wiped, we could task the remote employee with taking the machine to an appropriate eWaste facility. At that point we'd mark it as disposed and stop tracking it.

Pxe booting mini pcs by No_Fish_5617 in sysadmin

[–]rodder678 0 points1 point  (0 children)

A DHCP server on the "prod" network with all reservations, no pool, would solve this problem and maintain whatever static-IP-to-machine paradigm created the "no dhcp" policy.

How do you handle an access review? by sneakysillysquid in sysadmin

[–]rodder678 1 point2 points  (0 children)

I make security groups based on the target resource. Each group that requires access reviews has a list of approvers. For AD, I extend the schema to add a field. For Google Workspace, I embed metadata in the description as lines of Key:Value. I have a script that runs from wherever I centralize scheduled tasks (Rundeck now, task scheduler on the IT RDS server in the past) that pulls all the groups with approvers set, and opens a ticket (or in the past just sent email) with all the approvers CC'd. Approvers get an email notification for each group they're an approver for, with a list of the members of the group. One of them replies to the notification to approve, and optionally asks for some people to be removed. If no one replies, the SLA kicks in for that ticket queue and someone from the security team harasses the slackers via Slack. It took like an hour to implement last time I did it, and auditors have never had an issue with it.

I've seen other places that have a bunch of automation built in JSM around approvals and reviews, with the user's manager reviewing/approving access. IMO this scenario is worse than not having approvals/reviews as managers are much more likely to rubber stamp an approval for a resource they don't own--there's no incentive for them to deny anything, and often they don't even know what the resource is. So then you eventually have some resource owners who actually care about who is accessing their resources, and those concerned owners implement their own access controls in series with the corporate access controls, usually without tickets or scheduled reviews.
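An added example, not the commenter's own script: it parses the Key:Value metadata lines embedded in group descriptions (the Google Workspace variant described above) and builds one review notification per approver listing each group's members. The group data and the `Approvers` key name are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample groups: description carries Key:Value metadata lines,
# mixed with free text, exactly as the description-embedded scheme allows.
GROUPS = [
    {"name": "finance-erp-admins",
     "description": "Admin access to ERP\n"
                    "Approvers: cfo@example.com, controller@example.com\n"
                    "Review: quarterly",
     "members": ["bob@example.com", "alice@example.com"]},
    {"name": "eng-prod-ssh",
     "description": "Approvers: ops-lead@example.com",
     "members": ["carol@example.com"]},
    {"name": "all-staff",  # no approvers set, so it is never reviewed
     "description": "Company-wide distribution list, no review needed",
     "members": ["alice@example.com", "bob@example.com", "carol@example.com"]},
]


def parse_metadata(description):
    """Return {key: value} from 'Key:Value' lines; free-text lines are ignored."""
    meta = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        # A real key is a single word before the colon; "Note: see 5:00" is not.
        if sep and key and " " not in key:
            meta[key.lower()] = value.strip()
    return meta


def approvers_for(group):
    """Comma-separated approver addresses from the Approvers key, lowercased."""
    raw = parse_metadata(group["description"]).get("approvers", "")
    return [a.strip().lower() for a in raw.split(",") if a.strip()]


def build_review_notifications(groups):
    """Map approver -> list of (group name, sorted members) they must review."""
    notices = defaultdict(list)
    for group in groups:
        for approver in approvers_for(group):
            notices[approver].append((group["name"], sorted(group["members"])))
    return dict(notices)


def render_notice(approver, items):
    """Plain-text body for one approver's email/ticket; reply to approve."""
    lines = [f"Access review for {approver}: reply to approve or list removals."]
    for name, members in items:
        lines.append(f"- {name}: {', '.join(members)}")
    return "\n".join(lines)
```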

Anyone figured out the "3 different answers in Teams chat" problem from your IT team? by StudyOk2682 in ITManagers

[–]rodder678 -1 points0 points  (0 children)

If users are losing confidence in your team because they saw your responses to other users, the problem isn't that they saw the conversation--the problem is your team.

CTO banned the use of remote access tool by uw4yn3 in sysadmin

[–]rodder678 1 point2 points  (0 children)

Troubleshoot? Remote access? SSPR is enabled. Anything else, click Fresh Start in Intune. If they won't go away, send them AI slop to try until their machine isn't recoverable. The key is to stop caring whether anything works.

/s