r_systemadmin | Unsorted

Telegram channel r_systemadmin - Reddit Sysadmin


Reddit SystemAdmin. Thanks @reddit2telegram and @r_channels.


Reddit Sysadmin

How we fixed battery-draining calendar loop in our legacy SIS without touching the mainframe

We've been fighting a battle with our Student Information System (SIS) for months. It exports a 4MB .ics file every hour, but users were reporting massive battery drain and "Flickering" events on their iPhones. We couldn't replace the SIS (Mainframe/COBOL legacy), so we analyzed the feed to see why it was choking Outlook and iOS.

The Diagnosis: It wasn't just "old code". It was violating RFC 5545 in three specific ways that modern clients hate:

1. The "Time Paradox" Loop: The RRULE had an UNTIL date before the DTSTART date. iOS tries to calculate the recurrence, fails, and retries infinitely. Result: Hot phones, dead batteries.
2. UID Collisions: The system reused UID:1234 for 50 different classes. Google Calendar sees this and constantly overwrites "Math" with "History" then "English", causing the calendar to flicker on every sync.
3. Missing VTIMEZONE: It used TZID=Europe/Berlin but never defined the offsets. Windows guessed UTC, Macs guessed Local. Students were showing up 6 hours late.

The Fix (The "Proxy" Pattern): Since we couldn't patch the source, we put a tiny cleaning proxy in front of it.

* Input: The broken 4MB stream.
* Process: Clamps invalid dates, hashes UIDs to be unique, injects standard VTIMEZONEs.
* Output: 100% compliant stream.

We fixed ~1,100 validation errors instantly. No mainframe downtime required.
If you're fighting "Calendar Agent" battery drain tickets, check your RRULE dates. That was the biggest culprit for us.


https://redd.it/1psm2sx
@r_systemadmin
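The three clean-up steps listed in the post above, sketched as an added example (this is not the poster's proxy code). Assumptions: an impossible `UNTIL` is "clamped" by replacing it with `COUNT=1`, the new UID is a SHA-256 of the old UID, `DTSTART` and `SUMMARY` so it stays stable across hourly exports, and the names `sanitize`, `fix_event` and the `sanitized.invalid` suffix are hypothetical.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Standard CET/CEST definition for the TZID named in the post ("|" = line break).
BERLIN = (
    "BEGIN:VTIMEZONE|TZID:Europe/Berlin|"
    "BEGIN:DAYLIGHT|TZOFFSETFROM:+0100|TZOFFSETTO:+0200|TZNAME:CEST|"
    "DTSTART:19700329T020000|RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=-1SU|END:DAYLIGHT|"
    "BEGIN:STANDARD|TZOFFSETFROM:+0200|TZOFFSETTO:+0100|TZNAME:CET|"
    "DTSTART:19701025T030000|RRULE:FREQ=YEARLY;BYMONTH=10;BYDAY=-1SU|END:STANDARD|"
    "END:VTIMEZONE"
).split("|")
KNOWN_TZ = {"Europe/Berlin": BERLIN}
# DTSTART may be local time while UNTIL is UTC; zones are not resolved here,
# so only an UNTIL more than a day before DTSTART counts as a paradox.
MARGIN = timedelta(days=1)

def unfold(text):
    """RFC 5545 3.1: a line break followed by space or tab continues a line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def prop(lines, name):
    """Value of the first property called `name` (parameters ignored), or ''."""
    for line in lines:
        head, _, value = line.partition(":")
        if head.split(";")[0].upper() == name:
            return value
    return ""

def until_precedes_start(until, start):
    """Compare DATE or DATE-TIME values as naive datetimes."""
    def parse(v):
        v = v.rstrip("Z")
        return datetime.strptime(v, "%Y%m%dT%H%M%S" if "T" in v else "%Y%m%d")
    try:
        return parse(until) < parse(start) - MARGIN
    except ValueError:
        return False  # unparseable values are left for a validator to flag

def fix_event(ev, report):
    """Rewrite the UID and clamp an impossible RRULE inside one VEVENT."""
    start, old_uid = prop(ev, "DTSTART"), prop(ev, "UID")
    seed = "|".join([old_uid, start, prop(ev, "SUMMARY")])
    # Deterministic: the same class gets the same UID on every hourly export.
    new_uid = hashlib.sha256(seed.encode()).hexdigest()[:32] + "@sanitized.invalid"
    fixed = []
    for line in ev:
        name = line.partition(":")[0].split(";")[0].upper()
        if name == "UID":
            line = "UID:" + new_uid
        elif name == "RRULE":
            m = re.search(r"UNTIL=([0-9TZ]+)", line)
            if m and until_precedes_start(m.group(1), start):
                line = line.replace(m.group(0), "COUNT=1")  # DTSTART only
                report["rrule_clamped"] += 1
        fixed.append(line)
    return old_uid, fixed

def sanitize(ics_text):
    """Return (cleaned_ics, report). Long lines are not re-folded."""
    lines = unfold(ics_text)
    report = {"rrule_clamped": 0, "shared_uids": 0,
              "tz_injected": [], "tz_unresolved": []}
    defined = {l.partition(":")[2] for l in lines if l.upper().startswith("TZID:")}
    referenced = set(re.findall(r";TZID=([^;:]+)", "\n".join(lines)))
    tz_block = []
    for tz in sorted(referenced - defined):
        if tz in KNOWN_TZ:
            tz_block += KNOWN_TZ[tz]
            report["tz_injected"].append(tz)
        else:
            report["tz_unresolved"].append(tz)  # needs a definition added by hand
    out, event, seen = [], None, {}
    for line in lines:
        if line.upper() == "BEGIN:VEVENT" and event is None:
            out += tz_block  # definitions go in before the first event
            tz_block = []
            event = [line]
        elif event is not None:
            event.append(line)
            if line.upper() == "END:VEVENT":
                old_uid, fixed = fix_event(event, report)
                seen[old_uid] = seen.get(old_uid, 0) + 1
                out += fixed
                event = None
        else:
            out.append(line)
    report["shared_uids"] = sum(n for n in seen.values() if n > 1)
    return "\r\n".join(out) + "\r\n", report

# Constructed sample feed showing all three defects from the post.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//constructed//sample//EN",
    "BEGIN:VEVENT", "UID:1234", "DTSTART;TZID=Europe/Berlin:20250901T080000",
    "RRULE:FREQ=WEEKLY;UNTIL=20240101T000000Z", "SUMMARY:Math", "END:VEVENT",
    "BEGIN:VEVENT", "UID:1234", "DTSTART;TZID=Europe/Berlin:20250901T100000",
    "RRULE:FREQ=WEEKLY;UNTIL=20251219T000000Z", "SUMMARY:History", "END:VEVENT",
    "END:VCALENDAR", ""])
```

Events that legitimately share a UID (a master event and its `RECURRENCE-ID` overrides) would be split by this hashing scheme, so a feed that uses overrides needs them excluded from the rewrite.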


Is it realistic to land a remote AWS cloud/help desk role with my skills?

I’m trying to break into the cloud field and would really appreciate some honest advice.

I’m aiming for a remote AWS-related role such as cloud support or an AWS help desk position, and I’m wondering if I’m on the right track.

So far, I’ve learned AWS fundamentals including IAM, EC2, S3, VPC, subnets, route tables, IGW, NAT, security groups, and NACLs, along with basic AWS CLI usage. I’m comfortable working with Linux through the terminal, including users, permissions, services, cron jobs, basic troubleshooting, and setting up NGINX. I also use Bash scripting and have Python basics for simple automation.

I’ve been working with Terraform to build infrastructure using providers, resources, variables, modules, and state, and I understand concepts like lifecycle behavior, taint, and count vs for_each.

On the networking side, I’ve studied cloud- and DevOps-focused networking fundamentals such as CIDR, subnetting, routing, DNS, NAT, and firewalls.

I also have hands-on exposure to virtualization concepts and basic containerization with Docker, supported by practical lab-based learning.

At this point, I’m focusing on building projects and improving my infrastructure design skills.

Do you think this background is enough to start applying for remote AWS support or help desk roles, and what would you suggest I focus on next?

Thanks in advance for any advice

https://redd.it/1pshb75
@r_systemadmin


SSSD access control vs AD GPOs for restricting logon to privileged AD groups – best practice ?

We use SSSD with Active Directory and need to restrict logon on sensitive Linux systems so that only members of a specific privileged AD group can authenticate.

We’re debating two SSSD-based approaches:
- Enforcing access locally in SSSD (e.g. ad_access_filter)

- Relying on AD GPOs evaluated by SSSD

From a security standpoint:

Which approach gives stronger and more predictable control?

How do they behave if AD is unavailable?
Which one is easier to audit and defend in a security review?

Looking for real-world experience. Thanks!

https://redd.it/1psdov8
@r_systemadmin


M365 Non-Profit Premium Donation License Re-assignment How to accomplish?

I have a very small non-profit that I support and they have had O365 licenses for many years now. One of the initial perks was that MS provided 10 licenses of business Premium for free. Started receiving emails from Microsoft last summer about the donation grant going away on your renewal, welp I am down to a month and need to reassign those 10 users to a paid version which I am willing to do but I cannot figure out for the life of me how to know which users have the donated licenses assigned to them.

I have 10 free licenses and we have purchased an additional 15 licenses of Business Premium for a total of 25. I can see in the admin center the licenses but when and one view shows the 10 donated and the 15 purchased but when I drill down to the users it shows all 25 licenses, I have no way of knowing who is using a donated license and who is using a purchased license.

Is there anybody that has gone through this or know how I figure out who has a paid license and who is using a donated license? I would greatly appreciate it, thanks.

https://redd.it/1ps9p92
@r_systemadmin


ME-ID what is Cognito NewUserPool Amazon in sign-ins

>Application: Cognito_NewUserPool_Prd_19901

>Application ID: urn:amazon:cognito:sp:us-east-2_RnD0m$str1ng

The entries were interrupted and failure

Any idea what user is trying to do here ? Device is a Windows reg'd, rather than joined.

On that topic, is there a way to prevent registering computers (force them all to join/only company assigned PCs), but allow mobile devices (for BYOD)? *tenant is not using Intune*

https://redd.it/1ps2g9v
@r_systemadmin


Managing SaaS sprawl — how do you keep it under control?

Hey folks,

I’ve been noticing a growing challenge in IT teams: SaaS sprawl. Between core systems, niche apps, and now AI tools, it’s easy for your environment to get cluttered.

Some of the pain points I’ve seen:

* Multiple tools with overlapping functionality
* Unused licenses still being paid for
* Difficulty keeping track of integrations and access
* Teams getting overwhelmed by too many apps

I’m curious, how do you keep your SaaS stack lean, manageable, and cost-effective? Do you have processes, audits, or tools you rely on to avoid chaos?

One approach I’ve been exploring is mapping existing tools, spotting overlaps, and prioritizing which ones actually add value. It’s not about removing tools arbitrarily, but understanding what your team really needs.

Would love to hear strategies, scripts, or even tools that have worked for sysadmins managing growing SaaS environments.

https://redd.it/1prrpog
@r_systemadmin


Anyone still doing physical data center decommissions?

We’re sunsetting an old on-prem setup and looking at what a full decommission would involve with things like racks, servers, drives, cables, and the works. Curious how folks are handling this today. Do you go with national vendors? Local scrappers?



Also... do you guys typically get paid for the gear or just pay for haul-away and data wiping?

https://redd.it/1prp5mj
@r_systemadmin


Transition to PAM

Hello Everyone, 

We’re rolling out a PAM solution with a large number of Windows and Linux servers.



Current state:

1. Users (Infra, DB, Dev teams) log in directly to servers using their regular AD accounts

2. Privileges are granted via local admin, sudo, or AD group membership  

Target state:

1. Users authenticate only to the PAM portal using their existing regular AD accounts

2. Server access will go through PAM using managed privileged accounts

Before enabling user access to PAM, we need to: 

1. Review current server access (who has access today and why)

2. Define and approve RBAC roles

3. Grant access based on RBAC  

We want to enforce RBAC before granting any PAM access

 

Looking for some advice:

 

1. How did we practically begin the transition?

2. How did we review existing access

3. What RBAC roles did you advise to create

4. How to map current access with new RBAC roles?  

Any sequencing advice to avoid disruption?

https://redd.it/1pre86x
@r_systemadmin


My company was acquired

No general announcement has been made. I know because the acquiring company needed an inventory of physical hardware and VMs

We currently run in a datacenter, the acquiring company is strictly cloud. Our workloads are not cloud friendly generally, large sql databases and large daily transfers from clients. We run nothing in the cloud currently.

How screwed am I?

https://redd.it/1prilrh
@r_systemadmin


Group-based permissions in Exchange Online

Hi all,

I wanted to move from user-based to group-based permissions in Exchange Online for shared mailboxes. Since I use security groups for other permission purposes and I wanted to use them for Exchange Online as well. However, I learned that you need to mail-enable them (so I create an extra email address per security group) and then assign them via powershell to the shared mailbox.

It seems a bit messy to create an extra email address just for the sole purpose to assign permissions. How do you handle it in your environments?

https://redd.it/1pqgpi8
@r_systemadmin


What was the happiest point in your IT related career?

When I no longer had to check the ticketing system. I will occasionally still put in tickets but nothing will ever be assigned to me.


inb4 "retirement"

https://redd.it/1pqes74
@r_systemadmin


Advice (given and hopefully received)

So I have been unemployed for about 4 months now. It sucks very much and I am having a hard time mentally right now. But, the mental strain isn’t yours or anyone else’s problem. It’s my own.

So I’d like to give out some advice that probably is common sense to everyone else but I am gonna say it anyways. Trust your gut, if you think you’re on the way out, find a job. Don’t stick around because you think “I can rebound and make this work”. You don’t owe the company anything. And be damn sure that they won’t think they owe you anything. Take care of yourself, and never think that you owe anyone anything.

As for advice needed: anyone got a good job lead? I live in Pennsylvania but at this point I’ll move to bumblefuck Middle America to have a job again.

https://redd.it/1pq5qqt
@r_systemadmin


SCIM locked behind Enterprise plans - are you kidding me?

I've been going through our list of apps trying to get automated provisioning set up. You know, basic stuff - user gets hired, account gets created. User leaves, account gets nuked.

Except apparently that's not basic stuff anymore.

Every vendor I've looked at locks SCIM behind their Enterprise tier.

So the ability to automatically deprovision someone when they leave the company is a premium feature? Are we serious right now?

I don't need your "Enterprise collaboration suite" or whatever garbage you bundled to justify the price jump. I need to not have ex-employee accounts sitting around for months after someone's been fired. That's it. That's the feature.

And it's not even hard! SCIM is just API calls. My IdP is already making them. Your app just has to... receive them.

These vendors love talking about security. "We take your security seriously!" "Zero trust architecture!" Cool story. Then why are you making me manually CSV import/export users like it's 2005? Why do I have to remember which of our 50+ apps each person has access to when they leave?

You KNOW what happens without automated provisioning? Tickets. Spreadsheets. Forgotten apps. That contractor who left 8 months ago still has admin access.

But sure, tell me more about how committed you are to security while you paywall basic lifecycle management.

At this point I'm tempted to just avoid vendors that pull this crap. If they want to treat basic security features as a cash grab, maybe they don't deserve the business.

Anyone else dealing with this? What are you doing for apps that don't support SCIM at all - just accepting the manual hell? Has anyone actually gotten a vendor to back down on this without upgrading?

https://redd.it/1ppzytp
@r_systemadmin


Best method to keep stored laptops up to date

At my org we have 10 or so Windows 11 Dell laptops that are kept on hand for emergencies/crisis situations. In the event of a situation, these laptops need to be available for immediate use, no waiting around for updates to install etc.

I'm wondering what the best method to keep these laptops up to date would be.

I was considering using a storage cabinet and using Wake on Lan to wake them for monthly/bimonthly updates.

Is this the best way, or is there a better alternative?

https://redd.it/1ppvsei
@r_systemadmin


Godaddy Outage 12/18

Appears to be an issue going on with the GoDaddy nameservers. DNS failing to resolve to a number of domains.

https://redd.it/1ppugb5
@r_systemadmin


exchange on prem to exchange online migration tool

Hi, my company is looking to migrate exchange on prem mailboxes, around 1K mailboxes to exchange online. Any tool recommendations would be greatly appreciated. Thanks

https://redd.it/1psjcvr
@r_systemadmin


NIST reports atomic clock failure at Boulder CO

> Dear colleagues,

> In short, the atomic ensemble time scale at our Boulder campus has failed
> due to a prolonged utility power outage. One impact is that the Boulder
> Internet Time Services no longer have an accurate time reference. At time
> of writing the Boulder servers are still available due a standby power
> generator, but I will attempt to disable them to avoid disseminating
> incorrect time.

> The affected servers are:

> time-a-b.nist.gov

> time-b-b.nist.gov

> time-c-b.nist.gov

> time-d-b.nist.gov

> time-e-b.nist.gov

> ntp-b.nist.gov (authenticated NTP)

> No time to repair estimate is available until we regain staff access and
> power. Efforts are currently focused on obtaining an alternate source of
> power so the hydrogen maser clocks survive beyond their battery backups.

> More details follow.

> Due to prolonged high wind gusts there have been a combination of utility
> power line damage and preemptive utility shutdowns (in the interest of
> wildfire prevention) in the Boulder, CO area. NIST's campus lost utility
> power Wednesday (Dec. 17 2025) around 22:23 UTC. At time of writing utility
> power is still off to the campus. Facility operators anticipated needing to
> shutdown the heat-exchange infrastructure providing air cooling to many
> parts of the building, including some internal networking closets. As a
> result, many of these too were preemptively shutdown with the result that
> our group lacks much of the monitoring and control capabilities we
> ordinarily have. Also, the site has been closed to all but emergency
> personnel Thursday and Friday, and at time of writing remains closed.

> At initial power loss, there was no immediate impact to the NIST atomic
> time scale or distribution services because the projects are afforded
> standby power generators. However, we now have strong evidence one of the
> crucial generators has failed. In the downstream path is the primary signal
> distribution chain, including to the Boulder Internet Time Service. Another
> campus building houses additional clocks backed up by a different power
> generator; if these survive it will allow us to re-align the primary time
> scale when site stability returns without making use of external clocks or
> reference signals.

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ACADD3NKOG2QRWZ56OSNNG7UIEKKTZXL/

edit: CBS reports the drift is 4 microseconds

> "As a result of that lapse, NIST UTC drifted by about 4 microseconds"

https://redd.it/1psf780
@r_systemadmin


For compliance/audit people: how do you actually build evidence timelines?

I work with a compliance team that’s constantly scrambling to reconstruct “what happened when” for audits.
Their process is basically:
∙ Get 48hr notice from auditor
∙ Panic-email everyone for logs/docs
∙ Manually build timeline in Excel
∙ Hope nothing’s missing
Is this… normal?
What I’m curious about:
∙ Is this your job? What’s your title?
∙ How often? Monthly? Quarterly? Only when audits happen?
∙ What takes longest? Finding stuff or organizing it?
∙ What would make this suck less?
Context: Trying to figure out if there’s a less painful way to do this, or if manual timeline hell is just the cost of doing business

https://redd.it/1psai1s
@r_systemadmin


Server 2025 issues with Printer Redirection through Citrix Netscaler

Hello,



We currently have a 2025 DC, a Netscaler ADC VPX, a 2025 terminal server, and a 2019 terminal server. We have set up a VPX so that people can log into a portal and RDP to either terminal server, separately. This is just straight RDP, no use of citrix or horizon etc

The Netscaler version is Release : NS14.1 60.52.nc

The 2019 server is working just fine and is able to redirect the client's local printers.

The 2025 server is not showing any redirected printers.

Here are some tests we ran:



Local Desktop ---> VPX ----> Server 2025 = printer redirection fails

Local Desktop ---> VPX ----> Server 2019 = printer redirection WORKS



Local Desktop ---> Jumpbox (has internal access to terminal servers and printers already redirected) ----> VPX ----> Server 2025 = printer redirection WORKS

Local Desktop ---> Jumpbox (has internal access to terminal servers and printers already redirected) ----> VPX ----> Server 2019 = printer redirection WORKS



Local Desktop ---> Jumpbox (has internal access to terminal servers and printers already redirected) ----> RDP(no vpx) ----> Server 2025 = printer redirection WORKS

Local Desktop ---> Jumpbox (has internal access to terminal servers and printers already redirected) ----> RDP(no vpx) ----> Server 2019 = printer redirection WORKS



Is this an issue with how the VPX is able to handle printer redirection with the 2025 server?

and perhaps it only works when "Remote Desktop Easy Print printer driver" has already been used since all the scenarios where it worked was when i logged into my jumpbox where printer redirection already occurred?

Please let me know if anyone has seen a similar issue.

Thank you in advance.

https://redd.it/1ps43pz
@r_systemadmin


Jobs these days asking help desk iso standards as if they're the security folks

In 1 interview I was asked how I implemented iso 27000. I said I worked alongside my cybersecurity guy to create methods that we lacked in order to get recertification, but seems they wanted me, a "help desk" guy to answer it in a way that was out of my scope for my experience. All for a help desk job.

I never actually implement security directly but worked with the security team even though I was a 1 man Internal IT. Honestly most jobs that was beyond scope of my roles nor would I get access or permission to do it.

But seems basic help desk want this along with security +.



https://redd.it/1prwhly
@r_systemadmin


AD account lockouts happening only between 2-4 AM, can’t find the source 😭

Going crazy with this one. Got a user in accounting whose account keeps getting locked out, but only between 2-4 AM. She is definitely not working at that time and swears she doesn’t have any personal devices connected to company stuff.
What I have tried:
1. Ran Lockoutstatus.exe - points to one of our DCs but security logs just show the lockout, not the source
2. Checked scheduled tasks on her workstation, nothing running at those hours
3. Disabled her account on our wifi controller thinking maybe an old phone, lockouts still happened
The weird part is it started about 3 weeks ago and nothing changed on her end. Only thing that happened around that time was we migrated a few shared mailboxes to M365 but she wasn’t part of that project.
Third morning in a row I’m waking up to her helpdesk ticket. What am I missing?

https://redd.it/1prqfef
@r_systemadmin


Dell enterprise support

Can anyone help with a UK number to call for Dell enterprise support?

My Dell support account is fked so can't see our products, the supposed 24/7 number we have (0800 389 0621) is telling us it's now out of hours and our account manager isn't responding to contact attempts!

https://redd.it/1prmo3b
@r_systemadmin


Zapier Excel enterprise app - permissions overly broad?

A user asked me to grant admin consent for him to use Zapier to add records to an Excel file in his OneDrive. Upon further inspection, the permissions that this app is requesting seem absurdly broad and unnecessary.

This app would like to:

* Have full access to all files user can access.
  Allows the app to read, create, update and delete all files the signed-in user can access.
* Maintain access to data you have given it access to.
  Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.
* Edit or delete items in all site collections
  Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user.
* Sign in and read user profile
  Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

There doesn't seem to be any way to limit the app's access to just one excel file or just one folder, or even to limit it to just the one user's personal OneDrive. The fact that the app could access all SharePoint files in all sites which the user has access to is quite concerning. While I know that Zapier is a reputable software company, it still seems irresponsible to allow such excessive permissions. Has anyone crossed this bridge before? Any suggestions? The boss wants me to make this work but also appreciates security.

https://redd.it/1prelzy
@r_systemadmin


Weekly 'I made a useful thing' Thread - December 19, 2025

There is a great deal of user-generated content out there, from scripts and software to tutorials and videos, but we've generally tried to keep that off of the front page due to the volume and as a result of community feedback. There's also a great deal of content out there that violates our advertising/promotion rule, from scripts and software to tutorials and videos.

We have received a number of requests for exemptions to the rule, and rather than allowing the front page to get consumed, we thought we'd try a weekly thread that allows for that kind of content. We don't have a catchy name for it yet, so please let us know if you have any ideas!

In this thread, feel free to show us your pet project, YouTube videos, blog posts, or whatever else you may have and share it with the community. Commercial advertisements, affiliate links, or links that appear to be monetization-grabs will still be removed.

https://redd.it/1pqhesh
@r_systemadmin


Edge 143 blocks SSO for domain hosted apps

Edge 143 has removed Intranet Zone auto logon functionality that has existed since the dawn of Internet Explorer. Chrome 143 as well.

So now if you go to an Intranet zone site instead of passing through and automatically logging you in with your Domain Credentials it will require you to manually enter your credentials.

Although it is supposed to “prompt” for local access, I have only seen the prompt on Chrome and usually only for a second. Otherwise it is automatically blocked.

Microsoft released an emergency ADMX GPO setting that lets domains opt out for 2 more versions until 146.

You can add every single domain using any kind of SSO to another GPO setting but that requires a lot of effort in large multi domain organizations.

They released this just before Christmas so as to create a massive amount of P1’s right when everyone is on vacation.

Just posting this as an FYI if anyone starts getting calls that Citrix, RDS, custom domain apps, anything that uses domain authentication just stops functioning.

Luckily I caught this a few days ago and was able to do 13 emergency changes yesterday for 14 domains that I manage to do the opt out and then we get the fun task of tracking down thousands of SSO webservers that need to be individually added to each domain.

Gotta love Microsoft. They definitely keep me employed.

https://redd.it/1pqeo9p
@r_systemadmin


Here's how you make a ton of money rolling out "AI"



Last quarter I rolled out Microsoft Copilot to 4,000 employees.

$30 per seat per month. $1.4 million annually.

I called it "digital transformation."

The board loved that phrase.

They approved it in eleven minutes.



No one asked what it would actually do.

Including me.

I told everyone it would "10x productivity."

That's not a real number. But it sounds like one.



HR asked how we'd measure the 10x.

I said we'd "leverage analytics dashboards."

They stopped asking.

Three months later I checked the usage reports.

47 people had opened it. 12 had used it more than once.

One of them was me.

I used it to summarize an email I could have read in 30 seconds.

It took 45 seconds.

Plus the time it took to fix the hallucinations.



But, I called it a "pilot success."

Success means the pilot didn't visibly fail.



The CFO asked about ROI.

I showed him a graph.

The graph went up and to the right.



It measured "AI enablement."

I made that metric up.

He nodded approvingly.

We're "AI-enabled" now.

I don't know what that means. But it's in our investor deck.

A senior developer asked why we didn't use Claude or ChatGPT.

I said we needed "enterprise-grade security."

He asked what that meant.

I said "compliance."

He asked which compliance.

I said "all of them."

He looked skeptical.

I scheduled him for a "career development conversation."

He stopped asking questions.



Microsoft sent a case study team. They wanted to feature us as a success story.

I told them we "saved 40,000 hours." I calculated that number by multiplying employees by a number I made up.

They didn't verify it. They never do.



Now we're on Microsoft's website.

"Global enterprise achieves 40,000 hours of productivity gains with Copilot."

The CEO shared it on LinkedIn.

He got 3,000 likes.

He's never used Copilot.

None of the executives have.



We have an exemption.

"Strategic focus requires minimal digital distraction."

I wrote that policy.



The licenses renew next month. I'm requesting an expansion.

5,000 more seats.

We haven't used the first 4,000.

But this time we'll "drive adoption."

Adoption means mandatory training.

Training means a 45-minute webinar no one watches.

But completion will be tracked. Completion is a metric.

Metrics go in dashboards. Dashboards go in board presentations.

Board presentations get me promoted.



I'll be SVP by Q3. I still don't know what Copilot does.

But I know what it's for. It's for showing we're "investing in AI."

Investment means spending. Spending means commitment.

Commitment means we're serious about the future.

The future is whatever I say it is.

As long as the graph goes up and to the right.


--From Peter Gimus' post on X: https://x.com/gothburz/status/1999124665801880032

https://redd.it/1pq7ush
@r_systemadmin


Are you looking at keyboard response rates? Amazon is.

They found a laptop being controlled by N Korea by monitoring keyboard input rates.

https://www.tomshardware.com/tech-industry/cyber-security/north-korean-infiltrator-caught-working-in-amazon-it-department-thanks-to-lag-110ms-keystroke-input-raises-red-flags-over-true-location

https://redd.it/1pq34wy
@r_systemadmin


Not taken seriously because of my age.

Sup guys I am 20 years old working a Jr. Sys Admin position. Half the time I'm dealing with customer support, the other half is networking and infrastructure projects. I have my main 3 CompTIA certs (A+, Network+, Security+) and a CCNA. Ever since my first office job I feel like no one takes me seriously. I expected this for interviews, so I would wear a wedding ring and clothes that generally made me look older than I am. Once I am actually in the workplace and start conversing with co-workers that ask me my age, I make the mistake of telling them. As soon as they hear how old I am suddenly they stop taking me seriously. Support becomes that much worse with people making unreasonable requests, escalating with my manager for any reason they can find, or straight up just ignoring me. I love being the guy that fixes shit and I don't belittle people who I know aren't tech-savvy but this shit is so unbearable. This is more a vent post but from now on I'm just going to tell people I'm 24-25 because of this. My resume is good for someone my age since I started helping out an MSP when I was 14 (after-school, weekends, or during summers). It might also be a medical workplace thing, other people my age in research assistant positions also go through the same bullshit.

https://redd.it/1ppzm76
@r_systemadmin


Trying to decide between a Samba, TrueNAS Community Edition, and NextCloud AIO for file storage

Hi everyone,


I am planning to set up a self-hosted file server for a small organization (~15 employees) that will still allow for remote access. I'd like to use a free and open-source setup if at all possible. We'd need to be able to connect to it from Windows, Mac, and Linux computers. It would also be nice to be able to edit files simultaneously, though this isn't a must-have feature.

These are the three options I have in mind (though I'm open to others):

1. Samba share on a Linux desktop (Seems like the simplest option overall. I would plan to use Wireguard to grant remote users access to it.)

2. NextCloud AIO (I have an installation at home that has been working well. I like that it offers many of the same capabilities as our current cloud-based setup along with a friendly UI, along with the ability to share files publicly via a link. I was nervous initially about setting up port forwarding, but 2FA, brute force protection, and strong passwords can help mitigate this risk.)

3. TrueNAS Community Edition (I'd like to give TrueNAS a try, but it may be overkill for our use case. As with Samba, I'd plan to enable remote access via Wireguard.)

Any thoughts on which option might be ideal for us--along with your experiences of using these tools at a small business--would be much appreciated.

https://redd.it/1ppshai
@r_systemadmin


Small org PSA: if you don’t have this “boring” documentation, you don’t have a system

I’ve walked into too many environments where everything “works” until the one person who knows it goes on vacation. This isn’t about fancy tooling. It’s about a handful of boring docs that turn tribal knowledge into something survivable.

If you only document one thing this week, make it the stuff that prevents panic.

The minimum set I think every shop needs:

1. Access map
Who can access what, where creds live, how to request access, and how to remove it. Include break-glass accounts and where MFA recovery lives.


2. Inventory that actually matters
Not a 600-line spreadsheet of every laptop. The things that can take you down: firewalls, switches, hypervisors, domain controllers, identity provider, backups, DNS, email, key SaaS, and who owns each.


3. “How to restore” backups
Not “we have backups.” Actual restore steps. What gets restored first, where the keys are, how long it takes, and the last time a restore was tested.


4. Top 10 runbooks
Password reset, VPN down, internet down, storage full, cert renewal, user offboarding, mailbox issues, printer hell, critical SaaS outage, and “website is down.” One page each is enough.


5. Change log for the scary stuff
Firewall rules, DNS changes, cert changes, routing, SSO. Just a running note of what changed, when, and why.


6. Incident cheat sheet
Who to call, where status pages are, where logs live, where to look first, and how to communicate internally. The goal is to reduce “what do we even do” time.



One practical tip: write it as if future-you is half asleep at 3am and slightly angry at past-you.

What’s the one doc/runbook you wish every environment had on day one?

https://redd.it/1ppubjd
@r_systemadmin
