What systems or tools work best for documenting whole environment configurations?

Posted by mnemoniker@reddit | sysadmin | View on Reddit | 25 comments

Today, I added a variable to our environment. I needed to configure a special conditional access policy for one user out of like 200. I know there is a low probability I will remember making this change in 12 months if it causes some issue, let alone the rest of my team who isn't aware of the change. So I'm trying to figure out the best way to document it. This is a topic I've been struggling with for a while, actually. I don't want to write so much I can't find anything, but I don't want to write too little either. We've grown to the point that one person can't keep the whole environment in their head anymore. It's also important to document it because we need to be able to report it, in case a cybersecurity questionnaire asks us, for example. So is this info best documented in a user spec? Master spreadsheet? Pulled from a powershell script? Whatever solution I choose, I will need to remember to update it/account for it every time the environment changes. That's a challenge and basically, none of these solutions are very useful unless I can be sure they are current. How do you guys do it?

Reply to Post

25 Comments

[-]

PMPeek@reddit

IT Glue is a great for keeping track of that stuff and making sure everyone's on the same page.

[-]

Ramonooks@reddit

IT Glue is a really helpful tool for keeping all our IT information organized and in one place.

[-]

PMPeek@reddit

Yes IT Glue is great product.

[-]

BreadfruitNo4604@reddit

IT Glue is excelent for storing as many have recommended in this thread, but use it in combination with a tool that handles automated network discovery, like Network Glue is the fastest and easiest way to document your whole environment.

[-]

TalkNerdy2Me2Day@reddit

IT Glue is the answer. It's a great documentation platform and if you have a Kaseya RMM the integration is amazing.

[-]

Longjumping_Ear6405@reddit

Does your ticketing system have a change request module? Maybe you can use that.

[-]

mnemoniker@reddit (OP)

It does, we use Jira Service Management. However, that seems more attuned to the project mgmt side of change mgmt rather than the documentation side. I just don't see that being the solution for us to make a snapshot of our entire environment but maybe someone else can set me straight.

[-]

CodeConnoisseur_@reddit

There are some excellent documentation tools like ITGlue or hudu. Why not use something like that?

[-]

Longjumping_Ear6405@reddit

Ok then. Safe travels.

[-]

Kind-Background-7640@reddit

I haven't found anything better than this than IT Glue. It's amazing for storing detailed documentation.

[-]

TheFluffiestRedditor@reddit

I wish it didn’t advertise Copilot and AI all over its website. That makes me want to actively avoid it.

[-]

LeastChocolate138@reddit

IT Glue works great especially if you integrate it with an RMM that automatically fills it with the discovered network data.

[-]

Federal_Ad2455@reddit

For Azure you can use https://doitpshway.com/how-to-easily-backup-your-azure-environment-using-entraexporter-and-azure-devops-pipeline It will show who made the change and when. But not sure if it is enough for your use case

[-]

flatvaaskaas@reddit

Interesting read, thank you

[-]

mnemoniker@reddit (OP)

That is cool, especially because the amount of configuration one can do in Azure is so overwhelming. Thanks!

[-]

Federal_Ad2455@reddit

NP. Btw there is the same thing for Intune https://doitpshway.com/how-to-easily-backup-your-intune-environment-using-intunecd-and-azure-devops-pipeline

[-]

pbebbs3@reddit

Don’t test it, deploy to production.

[-]

TonyTheTech248@reddit

An open ticket that's scheduled to be worked when the change needs to be reversed. Or keep the same ticket open for the change.

[-]

deramirez25@reddit

But my SLAs! But I. All seriousness, I would hate to see a ticket open. . I would just keep the ticket resolved and reference it back if needed. Not a great or fool proof system, but it sure has gotten me out of a pickle just by adding a ticket about the change and why and closing it when that was done, with notes.

[-]

MikeWalters-Action1@reddit

You should look at [Netwrix Auditor](https://www.netwrix.com/auditor.html) or even free community version, depending on your environment size: [https://www.netwrix.com/free\_community\_edition.html](https://www.netwrix.com/free_community_edition.html)

[-]

pdp10@reddit

1. Put the change in a central place, with all the other changes, where it won't get lost. This central place will vary based on the nature of the change, but examples are the Git repo for your CM system, or your DSC repository, or an MSAD SysVol. A conditional access policy for one user could be in a RADIUS configuration file, or SAML, etc. 1. Comment the change extensively. Point to other sources of information, like a URL for an issue tracker. 1. Have an issue in the issue tracker that points to the location of the change. Ensure that the issue-tracker is searchable.

[-]

no_regerts_bob@reddit

Liongard automates a lot of the work for documentation and change management

[-]

Super-Garlic-7764@reddit

My company has been using Hypercomply for about a year for this exact reason, and now it's our single source of truth for internal policies. The cool thing is that it uses integrations to automatically keep the knowledge base up to date. They also have a questionnaire product that connects with the knowledge base, which makes reporting super easy.

[-]

Simply_GeekHat@reddit

/remindme 1 week

[-]

bythepowerofboobs@reddit

We use an Etch-a-sketch. Works fine until someone decides to shake it.