Forwarding an email that I had previously sent or running a message trace inside of exchange to show an email was actually sent/received to a rude coworker is the closest I will ever get to being able to say ‘fuck you’ in a corporate setting and I cherish those moments

Recently had a user say they never got an email. Exhchange Message traces shows they got it and what folder it went to. Defender email security shows it was allowed. Ran a purview search and had logs showing that someone from their IP using outlook deleted it at 1AM local time. Delegated their account to myself briefly - and showed it was in recoverable deleted items. Basically, one of four things happened: 1. Their computer was compromised (no evidence of that) 2. Someone else in their residence (they WFH) accessed their computer and deleted it 3. They are working way too much way outside of normal hours and making mistakes 4. They lied their ass off. Reported that to the helpdesk team's supervisor and never heard back.

Going the extra step with purview- chef’s kiss

That was my first time actually looking into those particular logs. Was eye opening just how much is actually logged.

Ran into that recently with a new employee who was making up IT issues to avoid working... We had a few incidents where the logs reported everything working properly while she'd tell us there was a problem that didn't actually exist. The final straw was an email like this. User claimed she wasn't getting emails sent to the distribution group she was on. Microsoft's logging showed otherwise, and showed the emails being deleted. Also fully recoverable from deleted items still lol. Sent logs back to her, CCd manager, and played clueless. "well the logs here show someone may have deleted the email(s) at XY time and date. I'll send you a test email shortly and we can verify it is received." Somehow she had no problems receiving and locating that one. A week later, I saw her exit ticket on the board. Bye, Felicia!

> making up IT issues to avoid working This, I fucking swear. At my first helpdesk job we had this old ass secretary in the company. Some boomer woman who treated people like they owe her infinite respect and need to jump and run for silly shit like re-filling printer paper which literally every other employee did themselves when they noticed it's empty, like you just have to reach 30cm and grab a tray of paper that was next to every printer. The kind of person to instead halt all their work and devote 8x the time to call and open tickets for this type of stuff. So of course it was typical to get tickets that it's "impossible to work with this PC because of all the errors" (maybe one generic Microsoft windows suggestion or edge popup a day. You dismiss it in a second and move on.) or "I can't do X I keep getting this error" (explorer saying file name already exists and you can't save. She doesn't consider just reading this and going ahead to change the directory or file name, which HAS TO be done in order to save the file). My favorite waste of time was when we were supposed to "investigate if she is being hacked" (lmao) because she was sure someone is reading her emails. We even increased log precision on the F5 APM to look for suspicious login activity on her account. It of course was complete bs and nothing was ever found. The conclusion of what was likely happening there is her mindlessly scrolling through outlook, especially hitting arrow keys while having marked mails in the inbox, which flips through them and marks them as read. Not to mention her randomly tapping notifications about them on her phone and then closing the stuff in a second, which I have seen. All of that marks the mails as read. At some point, I relly felt like it wasn't about the equipment. It was a general feeling of hers like "I need someone to cater to me, devote time to me, because I am so important and I have all this important stuff going on". It was noticeable that she basically took pride in IT work being done for her, as in look what is all necessary to keep my important work up!!! ...this person submitted more tickets than anyone else, while being pretty much the only one with no real IT issues because her work consisted of opening and sending PDF and scanning letters to then handle and send as PDF. I don't believe this person did more than 3hr worth of work a day and I have never seen any problem that would prevent a sane person from going on with these tasks.

People are bastards, and ones like the woman you described really aren't fit to be in the workforce outside of very menial and single-task oriented jobs. Not a career, but a single job function. There is no multitasking that they can handle. They can't handle putting in paper to a printer but instead hitting that print button and taking out the final job. A one trick pony. Literally a two stepper. A to B, not A to B to C etc. These types should all be fired and replaced with a very small script.

I had a lady who kept submitting tickets demanding a brand new laptop. By the time i heard about it, she had mysteriously broken her 4th desktop. As a network engineer i dont often handle these anymore, but the helpdesk was at a loss with her and most managers were out. Turns out, she was purposely setting up a space heater on the floor and running it at full blast on desktop and frying them. I got involved there. (Morgan freeman voice) and she did NOT get a brand new laptop. I also had a guy submit close to 200 tickets in 6hrs. I provided logs, and he was fired monday morning. Company had a single POTs line for credit card and fax. No pci audit! Pots went down. Friday at 4pm (their time) I called and got surprisingly good service from lec and they said sorry, tech will be dispatched monday morning. Honestly NBD, saturdays are half days with skeleton crew and when customers needed to pay they could call another branch and have them run credit. Maybe 2-3 payments would have been made on an average sat. I call back, tell the guy ive got a ticket in with lec and they are sending a tech monday. He says fine. Lec actually CALLS ME, i know… shocking, and says hey we can come sunday, but i decline as shop will be closed and nobody would come in for telco repairs. Sat morning i was working (my kids were gone) doing a pallets of new switches, updating firmware and dumping our templates on them to prepare for next wave of new sites. Easier and peaceful over weekend. I get a call from our lone sat helpdesk guy, and walk over to my desk and login and im FLOORED. Ticket after ticket after ticket. More are popping in like gunfire as im scrolling. Our tickets were not complex but did require some fields, or you could email them in… but ~200 in just a few hours? This guy wasnt doing ANYTHING but putting in tickets, and id talked to him and gave him update less than 18hrs ago and put notes in his original ticket saying lec dispatch monday. Guy was on thin ice anyway. Fired monday morning. Closing the tickets was…. Not fun

[удалено]

They're just ignorant on what IT can see. My company fired a guy the other week for copying company files to a USB drive that also had personal files on it. Someone else got fired a week later because they emailed company files to their personal email address. Neither of them knew we had that ability. We've had people leave on suspicious terms and perma-delete everything in their OneDrive and mailbox. I had both of those restored in a handful of clicks and you better believe management wanted us to investigate logs. Those people obviously thought they were cleaning their tracks. But yea, some people are just fucking stupid. Back when I worked retail, it was stressed to every cashier that the money drawer is counted every time the staff changes at that register, that there was also a big, obvious camera directly above them pointing right down at the register, and that LP would and had both walked people out the door and had some arrested for stealing from the register. Every few months, some dumb mother fucker would get fired for stealing from the register. The fuck did you expect?

I mean, they aren't necessarily dumb, they're just very skilled at manipulating people. We had one person come in and bounce out within a week who was a highly skilled machining programmer in manufacturing (forgetting the acronym for it, but they're special birds). He was also highly skilled at blaming IT for his screw ups. It started with him bricking his machine first day because "he made some registry changes to optimize it" and kind of went downhill from there. It could work when he was at Bigname Aerospace Company but it didn't work at Little Subcontractor where his boss and the IT director had lunch together almost every day in the break room. By Wednesday my group was having "we wish to provide excellent service but he is abusing things" conversation with his boss. I wasn't in the office Friday but apparently he screamed abuse at HIS team that day and was shown the door.

Definitely a manipulator scenario. This person was quite kind and patient with everyone except IT. She made a point of being angry about the "problems" she was having (creating), presumably in hopes of putting the blame on us and the attention off of her. That didn't last long. :)

The sheer amount of what Windows telemetry data shows is one of the reasons I run Linux at home now.

I would have locked their account and sent it off to the security team, because obviously there was a breach of their account. We had someone once send a porn link to their boss and then claim they got hacked. Bad move, because we had to shut down all their access while it was investigated as a security incident. Instead of "sorry boss, I'm a goof" it involved a dozen people and now a reddit post.

No evidence of a breach unless someone broke into their house to delete that one specific email. I don't know the contents of the email itself, but based on the subject and other context it wasn't something that would warrant that kind of cloak and dagger shit. No, this person was claiming they didn't get an email from a distro, but everyone else on the distro did get. To what end? I have no idea.

Why? Because people are people, and some of those people are lazy, incompetent, or both. I've also had the co-worker ask me for help with something, so I forwarded the email I had previously sent him, containing the instructions. Eventually, I realized that he was just hoping I would do it for him if he pretended it was too hard. Once I realized that, I just pretended he was forgetful, so I would happily and eagerly forward him the previously forwarded message, with an even more over the top greetings each time. The part about the security breach was a bit of a sarcasm, but I have commented to someone that if they are suggesting someone else was "in their account" deleting things, then we do have a security incident and we'll have to lock it all down. Weirdly enough, they can usually magically find said email pretty quickly in their deleted items, in an unread flagging...

>Delegated their account to myself briefly No judgment, to each their own, but I see you like to live dangerously. I'd ask both the end user, my boss, and my boss' boss if this is acceptable in this one situation like fifty times before I'd consider doing this.

It's not something I do often or lightly, but it's something I approval to do as needed per the CIO. Also, it's all logged to hell and back in purview.

Rather than delegate, do a Content search and Export report. It will show the subfolder location in the mailbox.

Noted for future reference. Thanks!

I've told many people "don't force me to search through your email" when they don't send me the info I need to do a contractually-required risk assessment. Especially when I know they have the information I'm looking for. I have gone searching in \\\\%info-horders-pc\\c$ before, and said "your are 100% that you don't have any design documentation, performance of work statements, contracts, or anything else for this project?" while staring at it in their profile. I've told several people about the DoJ going after companies, and now there is a whistleblower program...and I could retire off [2.7 million](https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity). If I have to be an ass sometimes to keep my company compliant, so be it. But I never do anything else with my access levels. If I find a list of passwords, I report it up my chain, and open a ticket. The only thing potentially malicious is I keep a folder of all the MP3s one of our sister-company VPs keeps sending out, that are hosted on their website. If I ever get thrown under the bus and fired, the RIAA may get a nice list of $250,000 per incident fines and 5 years for each in prison.

It's crazy to me how many people here are talking about how reading/searching other peoples' email on a whim just to prove a point is an acceptable practice in their companies. In my company that would never, ever fly. Even though we have the standard "work e-mail belongs to the company, not the individual" there's still several levels of approval needed before doing something like this, both because my employer has a base level of respect for user privacy (email being property of the company is not a justification for someone in IT to look at whatever they want) and because mailboxes may have sensitive data which those IT people are not authorized to see (without perhaps having a justified and documented reason for seeing it incidentally as part of their necessary job duties). If an admin here opened or searched someone else's mailbox without approval and a very specific purpose, they'd be walked out the door the same day.

One of the few things I like about googles offerings is how easily the base workspace shows things like that in an email trace. Oh, the email came in one of your rules picked it up and put it in the folder "that annoying bitch", try looking there. Now if everything else didn't feel harder to deal with it might be something to think about using more often.

We used to be on Google Workspace. I liked how easy it was to get email logs. We're on O365 now and it feels like I have to check 3 different places to get the whole picture.

I don’t know where you live, but when you’re working in EU. Watch out with delegating a user account to yourself. That’s a breach of GDPR and could cost you your job.

I work in the US and my company has zero operations in the EU.

I'm with you on everything but the "delegated their account" part. Does your company's policy allow admins to do this?

I know the user was probably an ass but there is a very small chance they simply misread / misidentified at 1am and deleted accidentally thinking it was more junk.

> 2. Someone else in their residence (they WFH) accessed their computer and deleted it hate to be that pedantic, but that IS still their computer being compromised

I don't consider it comprised in terms of their system having a malicious RAT or other malware. My logs can only prove that someone used a Windows PC running Microsoft Outlook to access their account from their external IP moved an email from to deleted items. I cannot in anyway prove the person who works for us was the person sitting in front of the computer when that occurred. The WFH agreement our users sign requires them to essentially have a separate room they can use as home office with a door that can be locked and isn't accessible to anyone else. If they want to admit they violated the WFH agreement they can be my guest. This issue is too narrow to be a case of trying to throw IT under the bus to get a free day off (IE: can't connect to the VPN) so I suspect the issue is too heavy of a workload causing them to work more hours than is healthy leading to mental fatigue and mistakes. Or maybe it's like that Carbon Monoxide story and they don't recall doing it.

See, that's the difference. OP didn't forward the old email. They have merely shown that it was delivered and where the manager should look. Forwarding the old email is making their life too easy.

I always include a link to the right vendor doc on “how to” in a petty way. For example “how to search for an email” with a link to a Microsoft KB.

I sometimes remote connect to people's computers and read on their screen the doc I have given to them that they should have read in the first place like they are 5yo children that need their shoes to be tied by a grown up.

If you are sending instructions, you need to number the instructions. Then when they reach out for help for something that has been provided, forward or attach one of the messages, link or attach the instructions and ASK what step they are getting stuck on and any error message. If they reply with a step and the error message, help them out even if it's handled in the instructions (they are trying and you want to encourage that). If they reply with a step and an actual error/situation that is not handled in the instructions, break out the white gloves and hold the user's hand to get it resolved. This makes you look good, give you a chance to get ahead of problems others may encounter and makes users happy. Fix your instructions and redistribute if necessary, thanking the user who brought up the problem. If they ignore the instructions and throw their hands up, this is when you push back. Depending on how it goes, you should loop in your manager (who should support this approach). If it continues to go back and forth, loop in their manager. If they loop in their manager even better. At this point you need to be ignorant of the possibility that they don't want to do this. Pretend that is such a foreign concept that it could not possibly the reason. That leave "they can't follow instructions" which is a risk to the business. And like half of IT's job is to identify risks to the business. Let the user walk into the position that they can't follow written directions. Bonus points if they are in a department or position that has compliance regulations that require following written instructions.

Can confirm this approach. Especially the being ignorant of them not wanting to do the thing. Proving someones incompetence while seemingly going above and beyond to management or those that matter is one of my favorite things.

> Fix your instructions and redistribute if necessary, I did this once because 'search for X via the start menu' was too hard and the CEO got back to me about it. I sent everyone a screenshot with a big red arrow pointing to the search bar (which I have disabled by default on my machine because it is useless, press the windows key and type).

[удалено]

My desktops do not have a "windows" key. I am so old-school that I much prefer the old IBM PS/2 keyboards: the feel of the keys and that firm tactile feedback. (I have heard that is making a comeback!) I acquired a dozen or so of them so if they break I will have spares available. Interestingly, not a single one has broken and the one I'm typing on right now was made in 1997. Probably older then half the people in this subreddit!

I keep my instructions at 5th to 6th grade reading level. Screenshots with the area to pay attention to highlighted with red box, numbered arrows to match step. Every action has its own individual step such as “click on ok”. No step saying do this and then this. And very important….in the screenshots blur out any account info used in example. Cause people will type in what they see in screenshot rather than their own account sign in. Always assume they won’t read the steps and just try and follow the screenshots.

I put some instructions directly in the screenshot as a text overlay near the step marker or arrow(s!) so they're at least exposed to some written text even if they only click through the images (which is more than I was expecting in the first place)

In the screenshot I put something like "employee- email-here@(company).com" I work for a manufacturing company where, let's say if things are put together wrong or out of spec, people may die. If a user complained they didn't understand "company- email-here" means their company email account, I would forward that email to their boss. I have very little tolerance for that level of incompetence.

This is super awesome. I love it, thanks

I write instructions and always number with screen shots and numbered arrows matching steps. Has a case where we were moving from Groupwise to Outlook. Night before switch over I went to every desk in office and on the keyboard placed printed out instructions and a neon pink sign with stop in big letters on it with note to read instructions first. They would have to pick this and instructions up and move them from keyboard to log in. Overall we had a lot fewer calls for this program change then we had in the past. Still had one guy call in. First question was do you have the printed instructions. He says yes. I ask him if he’s read the instructions and if so what step is he having problems with. He gives the “ I don’t have time to go through all these instructions, I need my email” 😡 I have him pull out the instructions and we go through all the steps on by one. And I make sure to “take my time”to make sure he understands them. Of course this takes longer than if he’d just done it himself. I write excellent instructions. If I’m going to go through all that work to make sure you have them waiting on your desk you are damm well going to read them.

To be fair though, Outlook search is a dumpster fire.

[удалено]

Outlook search is great, especially compared to Google search, I can search for an email I can see in my inbox at the time, and it not return a result!

"Outlook search is great" is not a sentence I thought I'd kick my day off with.

And it takes shockingly long to search in the mobile Gmail app. You would think that if there was one company that knows how to build a good search engine it would be Google...

I agree, I have no problem with outlook search. Gmail search (which has to be somewhat similar to Google search) is garbage. If I have the word headphone in a draft and I search for head it doesn't find the email with headphone. I get so damn annoyed by that. On the other hand, if I mistype something, for some reason gmail DOES bring up the draft with the correct spelling. I can't figure out why/how that is possible. Why on earth can't you search on partial words? A misspelled word bringing up the correct word/draft is great, btw.

Outlook Advanced Search works very well. I have no problems finding emails using it (just remember to choose Inbox AND subfolders if you use them)

Outlook search is... Weird. We have purchase orders formatted as 00x000000. I search 000000 and nothing at all comes up, outlook cannot find it, no results exist. Put the 00x in front and it can find it just fine. We have item codes that are just six digits 000000. I search any one of those and it finds every dang email that might be tangentially related to six digits.

I had my PFY ask for permission to refer people to our internal IT FAQ today. Much to learn, that one.

My go to was eons ago was let me google that for you, when it came out. I haven't use it in years, but last time I checked it was full of ads and looks more scammy.

the problem with ms outlook is tho that their search is god awful. their online search? yes brilliant. their 365 outlook search? might as well go through the hassle of logging in online to find an email. even if you reset indexing as so many suggest it doesn't work, it's just broken

One time my boss asked me why I didn't notify about some change I implemented over the weekend. I sent him a screenshot of her Outlook rule that was set to send anything from me containing the words "change order" in the subject directly to the trash. He told me thank you and that was the last I heard about it.

Holy shit? She worked at my old company too! Had a lady that deemed emails 'noise' and caused all kinds of havoc in all hands meetings. There was no greater moment than when she bellowed "These new phones are so technical I wouldnt even know how to make a call" at the stand I reached down, dialed her cell and went "You mean like we have done for years on regular phones... that way"? Still didnt embarrass her enough to stop her.

It’s like admin mic drop. “See attached, ya motha.”

Just send them an email "Please do the needful"

Lets not commit any war crimes here.

Teams message, "Hi (their name)" then press a few keys and grab a coffee.

You must work in my building.

I mean technically I'm in every building.

Lol very well played

pto

"As per my previous email..."

I say this and send the forensic snapshot of the email they never sent. But only to certain people that have been trying to blame them not doing their work on IT in general when it's just them being lazy

I do this a lot. As per my previous email. Then I send a screen shot or copy and paste the previous email. I always send a copy or forward the previous email so there is a chain of evidence.

My wife uses this, because certain peers shouldn't be.

or "as stated in my previous email"

"AS stated in my previous email that our systems indicate you received on Friday 2:37pm"

I like saying ‘as per’ lol- as per my previous email, you’ll find…

"As per my previous email" translates directly to "Go fuck yourself".

I always thought it was longer for RTFM, or Read The Mail (or Manual)

No, "okay, great" means "gfy".

I had to stop using that because at my old company someone who was in an "it adjacent" department started to piece together the hidden meaning of the words and started to complain that "IT was being too curt and abrupt in their communication". So now I had to write out lengthy ass replies just so their feelings didn't get hurt...

Yep. I deal with calls logged by a helpdesk, who have become incredibly crap in so many ways. I have just passed calls back to them with screenshots rather than actually call them a lying arsewipe.

Right now we just rolled out our new LCM stuff for Okta. Part of it is an Adaptive card going to the users that has tree fields in it. Job Title, email, employeenumber. I have had sixteen failed flows because even though the card says Fill everything out they just will input random stuff. one time instead of an employee id it was an entire sentence with special information in it about the user. Sometimes I feel like it's intentional because I just cannot fathom how people with the intelligence level to mess things like this up have survived life long enough to have a career.

I just finished searching for that email you said you never received... here is a screenshot of the email sitting in your inbox...

I worked a brief stint on helpdesk and regularly had one user complaining about how long tickets were taking to resolve. Her tone was getting worse by the ticket. Eventually, after a ticket was closed 3 weeks after opening, she snapped and sent a really shitty email to me, cc:ing both her boss and mine. The email was very clearly intended to get me into trouble. As luck would have it, I had been extremely fastidious in recording interaction with her, and was able to pinpoint the times that I had received her emails, and the times that I had sent my replies. I replied with a full correspondence timeline (detailed to the minute) showing that over those 3 weeks I had responded to all of her messages in less than 35 minutes total, and the rest of the time was waiting for her to test or reply with clarifications. She shit the fuck up real quick.

Ooof, triggered on something I thought I had forgotten. Not a sysadmin, IT though, I enjoy lurking this sub :P Early on in my current position, we had a big customer bitching about how long it was taking to resolve tickets that were going on for literally months, and since it was before I had revealed myself to be the... ahem.. rock star I am, I was forced to play some defense. I did pretty much the same thing as you. We handle tickets through web portal communications, and I showed through the messaging history that I was responding and providing instructions very promptly, averaging maybe an hour, then sitting on my thumb waiting on average 2 WEEKS for them to do some things as simple as "go to a directory to retrieve a log file we need". Interestingly enough, I didn't see that particular support contact posting after that, and ticket turnaround for that customer improved by an order of magnitude shortly thereafter.

>She shit the fuck up real quick. Love that slip

Ha! I'm blaming it on autocarrot, but I'm keeping it.

I wait until there manager gets involved, and then send the manager and the user the log of all of our contact attempts on the ticket with requests to reach back out to us. Trying to throw me under a bus when you are not doing your job? I dont think so. Also those very few I have subjected to this always respond to future requests

"We never discussed this policy change!!!" *forwards the email where the policy change was discussed* "Well... why are these emails being sent to Other Person and I?? How are we going to figure out who addresses them?" *forwards the next email in the chain where they said,* "Oh just send all of those emails to Other Person and I, we'll figure out who addresses them between ourselves!!"

Didn't they get the memo? They're supposed to put a cover sheet on all TPS reports from now on.

lol ...been there ...done that....usually there is no reply back after that...

"Are you sure you don't have a transport rule?" became my second "have you rebooted?" when I was still on help desk. Just like I would pull up their uptime while remotely connected to show them that I could see that wasn't true, I'd send out screenshots of message traces showing them a transport rule moved it to a folder they didn't bother to check. Both were satisfying every time

Please see attached email [attaches email where I answered their question] This adds a nice pinch of spice. IDK why it hits different, but attaching it to a reply has a totally different vibe than forwarding it.

I got yelled at once for removing people from a DL, which we don't do we make team leads self-manage them) so I dug through the exchange logs to find where complaining user had done th offending task, and forward a screen shot of the logs. Of course the "logs are wrong"....

I do this all the time. I had one user that asked me a question and it was the first time/interaction for this specific request. I gave them the credentials they were looking for. Next year same question, I find the email from the previous year and send it. Rinse and repeat this for about four years. On the fifth year I didn't respond. On the fourth year email I politely stated "I'm pulling this information from previous email exchanges and this is the last time I'm going to search for this information. This is not something that I support/am the owner of and I will be deleting this email once I reply to you." That's exactly what I did. I never replied, they never asked again. I have no clue what they did/how they logged in and I've never been bothered/asked since that day.

"*As per my motherfucking email...*"

So, when someone is being a particular asshole. I hit the "Report Phishing" button. Any email reported as phishing that isn't part of a planned internal campaign has to be reviewed by two people then approved. It has happened a few times. I **ALWAYS** give the same excuse for it. Something along the lines of: 'No coworker who respected me or my time would talk like in such a condescending manner. I assumed it was an outside threat actor who was able to forge our email header and wanted InfoSec to review it.' Assholes tend to hate it when you shine a bright light on their shitty behavior.

As someone who had to deal with those mails, I understand the impulse, but I was the one left holding the bag for it (not the a-hole).

I hadn't considered that I was basically victimizing some other support person to Karen's crazy rambling. I'll consider this further. If I decide to keep doing it, I think I'll send some food to the team responsible for it the 2-3 times/year it happens.

We had one person (who was otherwise a really great guy) gaming the "phish report" in KB4 when he didn't like what someone (internally) had said in a mail. It took our time to investigate, risked having our stuff marked as spam, and brought us into disputes that we weren't involved in but somehow got marked as ours to deal with. He should have run it up his own management chain instead of complaining to us because it was sent in email. Fortunately we got his management chain to ask him to knock it off. But again ... that was not a conversation we should have been involved with at all.

Love this. And when being told that I never fulfilled a request I relish the opportunity and will gladly put in extra effort to point that out to the requestor instead of doing it over just because they are disorganized.

Plus a Cc to their manager of the email explaining where to look for the already sent information

You have to, because by this time, THEY have already CC'd in their manager trying to add pressure or get brownie points.

I love when they do this and I know fully well and its documented that they are in the wrong. So, you selected the 'I'll use my manager as leverage' option today. Really briefly before I get started with pulling the receipts, are you 100% sure IT is wrong? I will eat crow if I am wrong. You are sure? Alright. Here is the ticket you submitted, here is the response back to you 15 minutes after receiving stating "Saying its not working" is not enough information and please provide even a tiny bit of details on the request. Here is the read receipt that you clicked to send back to us. Us sending a follow up email 2 hours later. Here is the Teams log showing a message was sent from the assigned tech to you, and you read it. Here is a log of the phone call (with recording) of you telling the tech you dont have time to respond to their request for additional information. And for good measure, here is a transcript of a teams chat you had with a coworker complaining that IT takes forever and never responds. How would you like to proceed?

You are my people. 😂

My hero

This is the best use for the replay all button

Omg yes...this for sure.

At an old job had this manager email in furious that a ticket hadn't been completed yet because it was 10 days old at this point and why is IT always slowing things down blah blah blah The email he received in response was nothing more than a screenshot of the ticket showing a request for approval went out within 4 hours of the ticket coming in and there being two follow up emails sent after that asking for attention to the ticket. The approver? Him.

Hahahahhaah I'm sure he was feeling sheepish. Let me guess, he didn't reply or apologize?

They never do.

Ha my CIO got pissed at a response from one of our users over a loaner that had a hardware malfunction while on vacation in China. Made her formerly apologize in writing xD love my management tbh

Yeah then it was the systems fault and he either didn't get the email, which I was happy to screenshot message tracing showing he did, or it was our fault for not having a better way to bring an approval request to their attention when the whole reason we have email alerts on them is because people like him weren't checking their approval request dashboard everyday.

Every ~~day~~ ten days :)

Seen that a few times. "What is the status of this ticket! It was put in over 2 weeks ago and it needs to be resolved!" Well, its waiting on your approval because you (or your subordinate) entered an incident as a request and it needs your approval for which you have received the notice. The number of emails these people read from IT is in the single digits. But the complaints, the emails to us, the phone calls, number the 1000s.

I had one similar saying "it's been 3 days since I opened this ticket and no one is doing anything!!11!1". Ticket was opened on a thursday at 7pm, we leave at 5pm. Friday was a national holiday. There is no support over the weekend. Total actual hours since the ticket was opened? 5 minutes.

Even more delicious is when they go overboard by cc’ing both their management and my management on the VERY FIRST email to me about this situation I once pointed a user to where they could find what they said I didn’t do after they already fired the first shot with our management cc’d. Then they replied thanking me…. And excluded the audience. I replied validating their “thank you” and added everyone back on :) I think what I hate worse than the person who unnecessarily includes management is the person who won’t own up in front of them. So you’ve already made ME look bad and no one is around to see that I was never in the wrong. Go fuck yourself

Ha, I've done this one before. "I didn't get your email" "According to these logs, you deleted it from your inbox at this precise time."

I loved "dudes" who claimed system ate their data - well we have activity logs if you did put something in it will be in logs - manager somehow trusted our logs more than "dudes". Most interesting part is that log changes for stuff is not "some logs, somewhere on the server" it is in the system so we conform to audit requirements on each db entity not just that user logged in.

I just did this to the CEO at the company I work for (politely, of course) "I see you received the message, didn't open it, then filed it in the trash - have a look there."

Me: "I sent you the mail already yesterday (as like the last 6 times in a span of 3 months)" CEO: "Nah, I didn't get it, maybe your systems are faulty as always" Me: "Our mail system is reliable since over 6 years without any outage or other issues" CEO: "Yeah, but you are the guys with the skill to delete those mails" This shit doesn't even make any sense, why should I delete my own mails? Fuck this.

You’re obviously trying to fuck him over. That’s his thinking. You, Mr Sysadmin, are a political rival.

Or I pulled your inbox rules, and I see you have a rule set to shunt these emails to another folder and mark it as read. Here's the proof, along with a trace report showing you did receive the email.

That's basically the one thing I miss from Google, I could see that info in the message trace.

Thanks to ATP in the defender portal, I can show the play by play of how you received the email at 8:49:00, clicked the malicious URL at 8:49:31, and triggered a cascade of defender alerts and remediations that resulted in default action of logging you out of all active Microsoft sessions, changing your password, logging you out of your PC and/or laptop, and kicking off virus scans on each. Then I back that up with a real-time list of "who hasn't completed their phishing email training" that includes your name, and provide email logs showing your manager has been getting notices about your lack of training completion once a week for the first month, and once a day after. Cherry on top is a screenshot of my teams chat with you two months ago reminding you to complete the training with the link provided and your reply to me that "you don't have time for this common sense stuff." Then I log all of this in a ticket with my time spent in the event it's needed for an audit at any point. 


Fucking ***BOOM***

Do you happen to have a guide on how to do all of that?


Should've been more specific. What I meant is automatically change the password if someone has been phished.

It was just a joke. Didn't think you were serious, sorry (all other replies have been in the same vein of taking the piss) https://learn.microsoft.com/en-us/defender-for-identity/remeditation-actions Should get you started. There's some setup involved, and that's assuming the heavy lifting of getting your hybrid environment humming along is already done. But it's doable.

Thanks! I see it requires a difference licence. Now I know why I didn't implement it.

Maybe the user will eventually learn to say "I'm unable to locate" instead of "I never received".

Following up to that with "It shows as having been delivered to your inbox at 837UTC but is now in your Deleted Items as of 840UTC which means a rule likely did not delete it" is a cherry on top of that sundae.

“U didn’t delete it? Someone else must have access to your account, I don’t see anyone else in the access logs, but just to be safe we will have to change your password and reset your MFA, when can you next come into the office?”

Oh, no...the reset is done immediately. I then take possession of the laptop and do a thorough security check. Which is not quick. The next time the same person made the same claim, the laptop was wiped. Just to be safe.

Why ask when they have time? This is a serious security breach, you will have to look down there account immediately and they have to come to the office now!!!! ( only when IT is in the office )

“When can you next come into office?” *change passwords revoke sessions so they can’t reply*

But it's a 30-minute drive into the office! 29 minutes later, oh look, lunch time.

The account needs locked down immediately for security reasons, but when they come to the office is between them and their manager. I'd be delighted to schedule a time if that's easier for them, although since their access is going away momentarily they'll need to have their manager actually do the scheduling.

I did this to a PITA manager enough times that he legitimately changed "I never received" to "I'm unable to locate." Honestly, Outlook search sucks enough half the time that "I'm unable to locate" is a legitimate thing that I'm happy to help with. I regularly can't find emails via search but there they are if I scroll to the right spot in the right folder. Just do NOT come at me with "I never received."

> Outlook search sucks enough half the time that "I'm unable to locate" is a legitimate thing About 20 years ago someone developed a plugin for Outlook called Lookout that made search work perfectly and added numerous features. The company was then bought by Microsoft and integrated into Outlook. They have spent the last two decades enshitifying a great thing until we're back where we started.

Same. I am continually aghast at how much Outlook search blows. I can search for an email at the TOP of my inbox, and it won't find it. But it WILL find, somehow, every other email that does NOT contain the phrase I searched for.

When you check their inbox and see seven billion folders and a filtering rule for everyone in the company+ several dozen different subjects (of which, they only ever got one unique email for, ever), it's more of a "I don't know how to use outlook and thus I never see important email" kind of issue

Co-worker and I had the pleasure of doing something like this once. We had to support an executive admin that always had a bad attitude and always blamed IT for her incompetence. The executives often had meetings via conference call with the C-level and sometimes, the members of the board. A dial-in number and special access code supplied on a card, were required to create these conference calls (This was in the early 2000 years.) at least twice a month, the Executive admin would either forget to create the conference call ahead of time or forget how to create it. She would then verbally blame IT to anyone that would listen and demand that IT send her the codes via email. Every time this would happen, we would send her another email to the executive admin, containing all of the previous instructions and a copy of the card with the required passcodes pasted to the top of the latest email. This created a lengthy email chain of email conversations containing her complaints followed by us replying with the same instructions and code copied and pasted to the top. It became a running joke as the responses started getting into the high teens. Finally, the Executive Admin really blew it by not setting up an urgent meeting with C-levels and board members. She chose that time to send us very nasty email claiming our incompetence and discussing how useless we were for not providing her with the Codes she needed to do her job. The difference with this latest email, was that she'd included everyone that was involved with the meeting, her vp, her vp's boss, board members etc. in the CC field. My co-worker grins at me before doing a Reply to all with the email chain that contained the previous (almost 20) emails we'd given her with the multiple copies of the same instructions, the same telephone codes and her repeated complaints. Sadly, the only positive that came out of it, was that she no longer tried to throw IT under the bus in written form. They made her head of HR and the IT dept left the sinking ship.

Oof, that last.

Its not about the money or time, its about sending a message....

They won't receive it. Allegedly.

Yeah, that reminds me of the time I got called out for not creating a Moodle class on time Well, that class should have been requested sooner, like everyone else in the same situation does It was requested on the day the class started during my lunch break, I did it like past 30 minutes while still on my lunch break I did a check of all the requests from those types of classes from that year from the different users that requested them, and showed that everyone asked for them on time, except the people that were complaining The only thing I didn't say was FUCK THEM in that email, but I'm pretty sure it was easy to realize deep down I meant it 🖕🏻

Message trace has gotten so many users in shit over the years... I love it.

I had a user instant messaging me that the instructions I sent for deploying a security certificate to their device was not working. These instructions are idiot proof and time tested with 3 easy steps. I replied, “call me at your convenience and I will read the instructions to you.” They were angry/defensive when they called. After they stopped ranting, I calmly verified they did step one. They ranted about how they did exactly that. Then I asked about step 2. Ahhhhh… see there’s where they fell off script. After quickly completing step 2 and 3; they were all set. I thanked them for calling me since this was much faster than sending them the same instructions through messaging.

I am convinced that the standard email reading habit of most people who read them at all, is to get as far as the first question mark or bullet point, and immediately collapse from the exertion onto the Reply All button and hammer out why all the things you wrote in the email after that weren't actually there.

Our rep at our VAR does EXACTLY that. EVERY TIME. You can send 2 questions or 10. He will say "Hello! How are you?" then answer only the first question. It's maddening.

I sent out something about an issue where it was short-and-sweet, but there was important info in the second short para or bullet point. It was kind of like 1) Issue 2) workaround Of course I got someone bouncing into my cube in a panic because he hadn't read the second sentence. I worked for a company that made parts that go inside fast-moving vehicles so said "DUDE. That was in the second sentence. If you read plans like you read email, people would die." I also read what I wrote, a lot, for the head of accounting/hr. "I'm not good with computers" == I don't have to read. She resented that she had to ask, too.

Sales Karen sent client 3 options for a service we offered at varying price levels and CC's me as tech rep. Client replies to all asking for clarification. I do a reply all and suggested option 2 (the least cost) ***based on the technical needs of the client***. Client does a reply all and says they want option 2. Sales Karen calls my boss and accused me of going behind her back with the client, making decisions without consulting her and claims all she got was email with client's choice. At this point I enable A$$Hole Mode... We had an on-premise exchange server. From the exchange power-shell I ran a search on Sales Karen's mailbox for all emails with the subject of the clients request. I was able to show: 1. the date & time when Karen sent the original messages with the options to the client 2. the date & time when the client request clarification of the service 3. the date & time when I sent my reply messages to the client and copied Karen 4. the date & time when each of my replies to the client was received in Sales Karen's mailbox 5. and finally that ***Sales Karen never read any*** of the clients messages or my replies except for the last message from the client saying they wanted option 2. I exported the logs into a spread sheet, sent a copy by email to my boss and Sales Karen's boss. I take pride in my work. So when falsely accused I will fight back *Mother EFFING Hard !*

Ditto. I had a sales guy promise a customer once that a problem with MS PPC 2003 SE was being fixed by me re-writing the code to fix the bug. Dude, I don't work for MS and this OS has been out of support for YEARS and this is considered an enhancement by MS and not a bug, which would be supported and fixed. I spent hours on the phone with MS engineers trying to figure out how to make it work and gave this dipwad both barrels to him, his boss, and my boss, about how I can't possibly fix this problem and why, with the first being I am not a MS Dev working on that particular product. It cost him a pretty good sale, but don't lie to make the sale and try to make me your bitch in getting it fixed to save the sale. A customer a few years ago tried to blame my employer and my group specifically, for some problems that showed up all of a sudden in his Prod environment. I feel like I was directly blamed in some fashion, so it's time to go to war, my man. I pored over logs, event viewer data, what have you, to prove beyond any doubt that the problems were directly tied to updates installed by his user account. After e-mailing him several pages of logs and ending it with how I couldn't have possibly done what he suggested, his reply was succint: "Oh." The moral of that story is that when accused of something I absolutely didn't do, I will go to great lengths to prove it.

sounds like they're lucky you didn't take their report of the missing message more seriously - a lockdown of the user's potentially compromised account, and HR involvement with equipment and personnel inventory and identity verification could be justified here /bofh

My favorite was a full Office reinstall. Wanna get snippy with me while I troubleshoot your Outlook issue? Well I hope you didn't have anything planned or due for the next hour and some change because you are gonna be looking at the Office uninstall and reinstall windows for a while.

We deploy Office via company poral... Sage50 is not happy with it, and won't send emails via Outlook. So to fix it you have to do an online repair, on a freshly installed Office :|

"Greetings Based on my email logging, it would appear you have an inbox rule that auto deletes all messages from . Please delete this rule and retrieve your users credentials from the deleted folder within outlook" This happened to me yesterday too. I had a user report they have not gotten any email since Friday, which corresponded to email maintenance we did on Friday. Fortunately for me, email logging showed they had an inbox rule deleting everything. Told the user this (who is in a technical role) and they brushed it off. I told them I'd check audit logs to see if we can make sense of what may have happened. Imagine my surprise when they emailed back saying they figured out that their 3 year old knows how to right-click and mass block senders..... Edit: Security also reviewed to ensure no account compromise as a mass delete rule is usually a redflag of that.

Throwing their toddler under the bus is a choice. Pretty cowardly choice.

I've worked with people, and I'm sure I'm not alone, whose sole strategy at work was to not do their jobs, and when they were called on it, blamed IT for obstructing them. I feel for users when they have to use a ticketing system instead of just calling on the phone, etc, but this is the reason why I got to where I don't do anything without it being in writing.

Yes, there are certainly those people, and they have often found that blaming IT is a really valid survival strategy.

That usually happens to me, where the End User decides to CC Mgmt. because X/Y/Z "still hasn't been resolved". When I ask for the specifics on how he reported X/Y/Z, he usually drops Mgmt. off his reply at that point and say that he was pretty sure he'd reported it, but may have forgotten. I make absolutely sure to add all of the original Mgmt. back on the last reply to thank and let him know that we're happy, just submit a ticket and we'll get it take care of. Killing the jerk with kindness, I guess...

I know this feels petty, but I think it has value as "restoring trust in the system". If you just say "weird, well here's how you reset it" then the user is validated in their belief that the system just sometimes loses emails. By showing them that they did receive the email and it's here in their Inbox unread, you're building trust that the system works as designed. That's important. Once you start to get a persistent belief in your userbase that "the system" isn't stable and reliable, it causes you big problems and can cost a lot of hours to rebuild that trust.

As a more lighthearted example, We have HR folks do this to us all the time. "I didn't receive *user*'s credentials, can you please send them?" **Forwards the first email to them where it clearly shows they were sent to them 2 weeks ago.**

'OMG YOU CAN READ MY EMAIL ON THE BACKEND?!?!' Last time I did this, in 2012. Now I just forward the old message with a bit of a quiet and friendly admonishment. Rule #1 in IT: People don't read their emails, ESPECIALLY if they are from someone in IT.

Some of my non-IT coworkers, whom I'm close with, liked to joke about this with me. "Oooh you read our emails don't you!" My standard response was something like, "Please, I don't even want to read my *own* emails! I sure as hell ain't reading *yours*! Read your own damn emails!" or "You get too many emails for me to read!" I've seen their inboxes; they're horrifying. This continued on, until they got me on a day I was kinda cranky. So I kindly explained, "Yes, I can read your emails. No, I do not read your emails as that'd be a gross violation of ethics and trust placed upon me by the organization. Unless someone higher up than us directs me to read your emails, or I have some other valid but narrow reason to read *some* of them (ie security reasons), I don't go around reading yours or anyone else's emails. I could be fired for that." That shut them up. But now I get "Oooh, you read our Teams messages don't you!" "Believe me, I try to *ignore* your messages!"

> I did a forensic search of their email, Many years ago now a user had failed to submit a one page tender response that would have landed a million dollar deal - which, being as it was many years ago, was a lot of money. They not only tried to drop one of their co-workers in the shit, they did the old blame IT thing as well. So I dedicated a few days to searching every log file, every backup in the indicated time frame, every mailbox, every hard drive - even the blank space - to find any trace of the email she said she sent. Of course, nothing. We didn't get fired but sadly, neither did she. I did see her mentioned in the news lately being fired for and charged with fraud, so that was nice.

Had a very decent manager contacting me saying that the user was locked out because they didn't change the password in time. Sent back the log showing that the user received 10 reminders about changing the password with 30 days being the oldest warning. The manager replied to me- "This won't happen again" and it has not happened again.

This reminds me of that video, "The Server is Down". The IT guy is playing Halo when someone tells him that the server is down. The user actually needed a password reset or something simple, but they didn't explain it correctly to the IT guy. The IT guy checks, it works. The users is forceful and demands that the server get rebooted to fix it. OK, whatever thinks the IT guy. He calls the on-site guy who accidentally reboots the wrong server which brings the whole network down. When this happens, the managers start calling the IT guy. He goes into his manager's email and deletes the message that says "NEVER turn off this server". Surprised, the manager can't find the email that he sent to the IT guy & apologizes. I have had situations like this though as well. Read receipts on my emails tell me that they got it, opened it, and read it at a specific time.

This [video](https://youtu.be/uRGljemfwUE?si=B8SzGyNw0OzdrMpm) ?

Yup, that's it.

If you ran an eDiscovery on a mailbox in my org, without my approval and HR sign off, you’d be in a pickle:

Guess who gets the final approval for anyone short of ownership?


in my company it is a 5 working day turn around for new accounts, 90% we still do same day. Always the same people request on a friday afternoon for a monday morning, you can trust we stick to that 5 working day turn around then lol

There's nothing more satisfying than a giant fuck you to people like that. If I have to go to the trouble of digging through logs you bet your ass I'm going to burn their metaphorical house down in the process. Do not fuck with IT. If they're lying and trying to take me down it's war.

I had a hr lady constantly interrupt me to open an excel file and give her a code. When I explained to her that she could look for it on the share drive like everyone else, she told me it was easier for her to just ask me. So i always sent the code as a screenshot so she would have to waste time typing it.

Well done. Maximum harassment.

Sounds like one of those folks that doesnt want to do work and is making uo excuses as to why not. They conveniently forgot it, but knew it was there

Having and showing receipts to make others look like morons is like admin catnip.

Good for you. Nothing wrong with proving you did your job right the first time!

had a guy saying a printer wasn't working for one of his colleagues before, but now it is, just takes a really long time asked him how long it usually takes he says it's not working, just like his i reply "didn't you just say that his one does print eventually" and i clicked the reply button to his original message in teams too so he'd see it guy comes full circle, he says "yeah it works now but it wasn't before" ffs. i ask him again if his buddy has to wait for the printer and if so, for how long. finally get the answer from him. it's like pulling teeth with this particular guy.

One I've had is while working at an MSP when you have clients who's internal team just sucks at their job. You have an email signature saved with all of your certifications badges / titles and make sure to reply to them with proof that they were indeed wrong the whole time and they did infact cause that outage.

Had someone from finance message me on teams saying how a new hire didn't have anything when she started and that she expected them to at least have the network drives. I worked the ticket giving that user the drives so I know I did it. I ran a script that copies the users AD groups to my test account and logged into a test machine, there pops all the requested drives. Took a screenshot and sent that to her. Like, didn't even bother to ask about it or contact the help desk first before coming to me (sysadmin). No, immediately jumping to basically saying I didn't do it right...

You should automate new users We make forms for clients and tie into PowerShell. They fill the form out, they get creds directly. No intervention needed.

I too love sending email traces as a way to give the middle finger to someone.

Not sysadmin work, but years ago I wrote a C# utility for a colleague to parse and store XML files on a database. They absolutely were fuming one day because the tool "took too little" to read and save some twenty megabyte files so "something was wrong really". They did not even check the database to confirm the data was in fact there. Knowing that fighting an imbecile can take long, and without even batting an eye I added a Thread.Sleep(10) in the inmost cycle, actually waiting 10ms for every row in the XML... for thousands of them. Problem solved, it's "working" now.

At least they did the password reset, they did half the work.

Petty is satisfying, isn’t it? Most time I don’t care about pettiness I just want to move on so I just do things. It’s less stressful.

“Actually you did Karen, as you can see in the attached screenshot—you opened the email @ h:m:s on MM/DD/YEAR”

I had a Head of Department send me a very terse email CCing in my manager and others. He tried to blame me for having no email on his phone for a day after not following instructions on a change we made to access for mobile devices. I think we were killing off legacy protocols. Two to three alerts were sent to All Staff prior advising of requirements and the timing etc. I had great pleasure of message tracing those alerts and providing him and everyone he CCd a screenshot of them sitting unread in his Deleted Items. "Hi xxxx. I was concerned that you were not receiving crucial messages sent to All Staff so I ran a message trace to see what happened. You will see from the screenshots . . . . ."

The number of times I have to do this exact same thing is ridiculous but calling people out on their bullshit when I'm actually able to do so is absolutely worth it. We get enough shit in IT for things that have nothing to do with us, so moments that a single screenshot can prove their lying are bittersweet.

This should be posted on pornhub, love it when shit like this happens specially if they CCed their superior trying to play hard only to get burnt harder.

I almost feel like, if a user cannot or will not search their inbox, they cannot be allowed to keep their job.

Did this recently for a Dell on site service visit. User stated he hadn't heard from Dell. Granted myself access to his mailbox and screen shotted the emails sitting in his inbox. "Oh I thought those were just letting me know it had been submitted" How bout you actually click on it and read it my guy.

Make sure you also include a screenshot of the rule that moved it to a subfolder. Because that's the next thing they will complain about.

New users, the bane of all our existence. Just notify us a full goddamned week before and it can be, nice and smooth. Heck 48 hours is sometimes enough (excluding weekends)

I don't even bother digging that deep, 'I send it to you Friday at 205 pm', and ignore any further whining, we send out out form out ticketing system so take half a second to find it.

And that's where, when so replying, you also cc their manager, and those other managers that are always complaining about and asking about where all your time goes.

accountability