KickedAbyss

Most normal AD don't allow root gpo to apply to the DC OU. Heck your server OU also shouldn't. This sounds like either a fake story, or a very poorly engineered AD

Underrated comment right here. "The tool says vulnerable" okay but context, friend. Same with exploits that require console access - like my guy if they have console access, we're already in trouble.

I get your feelings on it. Personally, I can't get off hybrid-exchange fast enough. I am 100% okay shoving Msft under the bus on Exchange, because it's a pain to manage/upgrade/maintain, generally. For other things? That's something I'm not sold on. We have a few of our line-of-business apps in 3 different clouds (one cloud per solution, not one app between multiple), all managed by the vendors. In those instances, it's kinda bemusing when there are performance issues or outages, because as IT we are still 'blamed' but in reality, the Owners of those LoB Apps are the ones who pushed for 'the cloud' and thus we happily pass the buck. Doing it smart is the hard part. i.e. not putting all your eggs in one basket. In a perfect world, I would modernize a business application into a Container based/Kubernetes type cloud-native solution, and spread it between two different clouds in two different regions, in either an active/active or at very least active/passive manner where failover is very simple and quick. You mitigate your risk by leveraging multiple 'hosts' no different than you would either a DR site, or even just a local cluster/replica. When people complain about things like bandwidth, it's easy enough to float an ISP upgrade quote to the CFO and watch them have angry outbursts, because at the end of the day, you're basically shifting costs around, not getting rid of them. That's not always true, of course. Some apps don't need much bandwidth, and thus are fine for the cloud on a connectivity level; but it also adds complexity to securely cross-connect systems, when they aren't all inside your datacenter on the same VLANs. But even that can run you into things like physical ingress of fiber lines - where the hated North American fiber seeking back-hoe can always do you in and kill all connectivity to your 'cloud'. We have some in VP level leadership who HATE "legacy" solutions like on prem file servers for example, yet we do not have technology (affordable technology) to truly move 'everything' to a cloud, especially when dealing with large files (Video, CAD, etc) that have to be transferred with frequency between client & server or server & server. At the end of the day, the cloud isn't going away. Our job at this point appears to be mostly doing our best to inform leadership the pro/cons of moving specific workloads to the cloud, or keeping them onprem.

Does he pay you on the side? If so, sure. If not, eh... Hard call.

Our VP of IT has his MBA and isn't given a seat at the table. So I call BS on this.

How did you figure pricing

Nice.

Azure update manager is utter crap, too

You could submit a waste identification request. How could we have proactively avoided these costs. How could we have better budgeted with proper numbers. What is our procedure around investigating alternate solutions to products when they're priced higher than we are comfortable paying. Etc etc. Our renewal is next year, and I've got (3)R740xd I'm about to deploy in a proxmox solution as a PoC, but I fully expect we'll renew. We're already on vsphere+ licensing so VVF won't be insanely higher. Biggest issue for me is the C-Level obsession with cloud. Already provided an estimate for lift and shift to my boss, who's dead set against the cloud for 70% of our workload. And we've already moved most out stuff that works well in the cloud (relatively) so moving everything is hilariously high. Like, even if we replaced our entire infrastructure and put it in a 5 year outlay, cloud would still be 4-5x more easily.

Hey, he knows a guy they can contract consultation from in the meantime... =D

So, if you want to impress a C level while also doing a damn good job, start by filling out a NIST Special Publication 800-37 self audit. I'm not joking. You 100% will have blank sections. Those are areas for improvement and results in a gap analysis of your current environment vs where you want to be. Go another step further and find a NIST specific to your industry. For example, NIST IR 8183 is a cybersecurity framework focused on the manufacturing industry. I started my last job with my boss on vacation so I spent the first week going through it, and quickly got a lay of the land purely from doing that.

This is where you use HR as an impact toy. Bad manager, bad.

Sadly, ring networks still exist today in many manufacturing systems.

Pretty sure it's open source, so I'd almost 100% guarantee if they dropped it then the open source synology app store would host it. Heck there might be others on that one since syno allows other repository

But honestly for really small teams? https://www.synology.com/en-us/dsm/packages/osTicket?os_ver=6.2 buy a syno and use it for your all in one server for all things.

/s

Service Now, obviously.

This. No matter how much school you've had, nothing beats living in the life of IT. IMHO everyone should start at an MSP or help desk no matter their schooling.

1099 the crap out of it 🤣 We layed off one of our employees, who then went and opened her own contract company... Who we ended up hiring a couple months later haha

Okay but what about the movie Outsourced based on totally true romance

Okta or Cloudflare

I support this answer.

Yep. I'll use it for like, adding logging syntax on occasion or commenting. I don't trust it to the code logic and especially not powershell commands as it will absolutely make shit up. And then I will only use it for generic, I don't put anything remotely proprietary.

We block GPT because we can't trust users not to put things in it that they shouldn't...

Speak for yourself, our csam is actually very good. Then again we have a very large Microsoft account via our parent company (which is like over a $60 billion revenue company) so maybe we get a better assignment. I think though that you have to pay for Unified Support to get one.

Well played...

CustomerSuccessAccountManagers have been around for a long time at Microsoft. I first just typed it out and realized how bad that looked so added the actual name.

Yep, it satisfies and is required for a CMMC/NIST item.

Yeah the dual networks was way more am 3 issue for them. But I've seen domain trust and similar issues multiple times from using public dns in clients. https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/best-practices-for-dns-client-settings#windows-server-member-servers https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-client-resolution-timeouts#what-is-the-default-behavior-of-a-dns-client-when-two-dns-servers-are-configured-on-the-nic I've also seen evidence that it'll keep using the 2nd DNS if it had a faster lookup, which in many cases it will over an internal that has inherent latency by sending the request to an external itself. I've also seen that you can reliably use public if you have filters on your edge that catch requests for internal resources, though I've not tried that myself.

You never want a client of a domain to have anything but domain DNS server set. Windows DNS isn't sequential - it's not like it'll try the DC first and then to the public, it might just randomly pick the public dns. The exception being maybe an Entra authenticated client.

There has been a definite uptick in user dissatisfaction over not deploying it. I consider that a win. Then again we also blocked access to all other AI.

We just today went through what we want to have page overnight with a new system (Everbridge). I said all I care about is my primary Datacenter vcenter/hosts are offline, and if UPS time on battery is > 5 minutes (which would indicate Generator issues) 🤣

I'm confused. Aren't all printer issues automatically SevA with 1hr SLA? Or, is that just if it's the marketing department. /s

Even our large locations where we run NPS on the DC (and thus GUI, and required because Microsoft is stupid) I rarely see more than 6gb usage. Especially where it's core, 4gb is fine.

Uh.... What? EDR on a DC is critical. There are so many situations where a bad actor can perform malicious actions against or on a DC via a horizontal attack. We had a pen test where that happened and our EDR alerted and stopped the action. Even if it only alerted, that would be worth it. To say nothing of Defender for Identity which requires install on all DCs.

Unless I have to, it's always core. It still annoys me that NPS requires a GUI

Because orchestral musician is a crappy field, and teaching band is a small field of opportunity

Get a customer success account manager? Unified support is better. And cut corners by learning TSS LOG Gathering.

Why does an intern have domain admin

Microsoft loves confusing licensing. SQL and most of the rest are just as bad. If you haven't seen it, https://m365maps.com/[https://m365maps.com/](https://m365maps.com/)

Outbound spam filter most likely. Their email got flagged and gets sent to a DL.

In order, it's the network, dns, or an expired cert. That's all an admin needs to know, ever.


Ceph cluster, obviously.

Large public clouds don't care. They provide reports you can create and systems you use to monitor. You screw up it's on you. Smaller private ish clouds, it depends. Some are greedy, some would rather keep a client vs lose one. IMHO I'd leave that cloud if they truly didn't provide any reporting or warnings.

Welcome to the cloud. The person responsible for the bill is whoever pushed you into the cloud without properly planning. Because a key element of anyone going cloud is ensuring 100% you have accurate and LIVE cost analysis both before and after migration. Repatriation is a thing for a very good reason.

You just suddenly got a new iPhone 69? And a new phone number? And now all your MFA magically doesn't work?! Oh no. Emergency new iPhones. (one time I was okay with this type ticket was when a coworker had his stolen in Mumbai)

SAP has entered the thread...

It's become alert fatigue but it also gives an easy way to identify legitimate internal emails!

I've seen same day plenty of times on under warranty stuff, but I've also seen Parkplace rush ship international... I don't want to know what it costs to rush ship from California to the EU but I'm sure it's not cheap.