diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
index afba3cca..c5d504d2 100644
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -9,6 +9,8 @@
     - [Debian](deploying/debian.md)
     - [Docker](deploying/docker.md)
     - [NixOS](deploying/nixos.md)
+- [Administration](administration.md)
+    - [Media](administration/media.md)
 - [TURN](turn.md)
 - [Appservices](appservices.md)
 - [FAQ](faq.md)
diff --git a/docs/administration.md b/docs/administration.md
new file mode 100644
index 00000000..604954b1
--- /dev/null
+++ b/docs/administration.md
@@ -0,0 +1,3 @@
+# Administration
+
+This chapter describes how to perform tasks you may want to do while running Conduit
diff --git a/docs/administration/media.md b/docs/administration/media.md
new file mode 100644
index 00000000..2df88002
--- /dev/null
+++ b/docs/administration/media.md
@@ -0,0 +1,30 @@
+# Media
+
+While running Conduit, you may encounter undesirable media, either from other servers, or from local users.
+
+## From other servers
+If the media originated from a different server, which itself is not malicious, it should be enough
+to use the `purge-media-from-server` command to delete the media from the media backend, and then
+contact the remote server so that they can deal with the offending user(s).
+
+If you do not need to media deleted as soon as possible, you can use retention policies to only
+store remote media for a short period of time, meaning that the media will be automatically deleted
+after some time. As new media can only be accessed over authenticated endpoints, only local users
+will be able to access the media via your server, so if you're running a single-user server, you
+don't need to worry about the media being distributed via your server.
+
+If you know the media IDs, (which you can find with the `list-media` command), you can use the
+`block-media` to prevent any of those media IDs (or other media with the same SHA256 hash) from
+being stored in the media backend in the future.
+
+If the server itself if malicious, then it should probably be [ACLed](https://spec.matrix.org/v1.14/client-server-api/#server-access-control-lists-acls-for-rooms)
+in rooms it particpates in. In the future, you'll be able to block the remote server from
+interacting with your server completely.
+
+## From local users
+If the undesirable media originates from your own server, you can purge media uploaded by them
+using the `purge-media-from-users` command. If you also plan to deactivate the user, you can do so
+with the `--purge-media` flag on either the `deactivate-user` or `deactivate-all` commands. If
+they keep making new accounts, you can use the `block-media-from-users` command to prevent media
+with the same SHA256 hash from being uploaded again, as well as using the `allow-registration`
+command to temporarily prevent users from creating new accounts.