Author | Messages
harveykamangwitz (Posts: 3) | 07/06/2007 4:44 AM
Hi all,
As a Microsoft Premier customer, they've suggested we go through an AD Risk Assessment Program. I'm still learning what they do (it's conducted by their Field Engineering team) and what the benefits are... in the meantime, I thought it'd be good to see what my compatriots think of the program. Has anyone been through it? Is it worth it? Thanks,
Harvey
slasitz (Posts: 15) | 07/06/2007 4:53 AM
I personally have been through it 2 times, as our client pays for it each year. I actually have found it quite interesting and a good exercise. It basically does everything that most good AD admins do, but in a nice central report, and is put on by very good field engineers that you tend to ask a lot of questions of and learn a lot from. You also get to have a copy of the ADRAP tool and can run it anytime you like. If they are good you will get a nice hardcopy of what the issues are and KBs pointed out as to where to go to fix the issues. It is very clean and no changes are made, but it is best to run from a server in the domain and requires Enterprise Admin access to get to all domains. There are some prerequisites that have to be in place or installed to get all the functionality, such as Visio for the ADMAP util, so we do this from a member server only, and it must have access to all DCs in the domain. The only issue is that sometimes the client will take everything that MS brings up as issues as "the sky is falling", and that causes you more headaches and work. Some of the issues with the report are: when it is installed and run, only that ID will have access to the reports. It does not seem to create any txt files to take off and use; most of the info, if you want to use it, has to be cut and pasted into a doc. I think they did that on purpose.
By and large, I like it and would recommend it.
Steve Lasitz
cloidl (Posts: 0) | 07/06/2007 6:09 AM
Hey Harvey,
We did one at my previous company and I was less than impressed with the output they provided. I guess it really depends on the engineer working with you as well as the people on your end providing input. A lot of it went towards the implementation of Microsoft's take (MOF) on the ITIL model.
In our case (again, at a previous job) they found a lot of issues, but most of them we had been aware of before, such as insufficient WAN connections between locations, in part because the input was biased to what architectural assessment engineers on our end wanted to see.
It was more a political vehicle to show (or not) that Microsoft supports the way you wanted to do things, which was probably more a management issue, and unresolved (technical/design) issues from previous acquisitions.
So my experience wasn't so great, but that doesn't mean it wouldn't be for you and your organization if you have less baggage.
Christian
bdesmond (Posts: 977) | 07/07/2007 3:32 AM
The KT is part of what they market, and the guys that get sent out to do it are supposed to do that. I haven't had a problem telling them "no, I don't want to have this discussion", though.
If you have MOM/OpsMgr and it's fully deployed, the number of things that don't overlap is pretty small. I probably wouldn't recommend this for a shop which has this, although I've seen it be a political tool more than a technical tool: Microsoft says our AD is {busted|great}.
They tell you they need EA rights; in reality I don't think they do anything that requires them, but the whole thing is costed based on time, and if you keep them waiting around for hours on end while tinkering with permissions it won't go as planned. I've found they're happy to supervise you running the tool under your own ID rather than using their own, as well.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
laurahcomputing (Posts: 148) | 07/07/2007 10:01 AM
My company goes through it every year. It's nice in terms of having
another set of eyes looking at your directory, since they always point
out 2 or 3 things that I either wasn't aware of, or noticed months ago
and then forgot about and then forgot that I forgot.
The only...challenge...I've ever had was one guy who came in and was a
bit gung-ho on "knowledge transfer". He wanted us to spend two whole
days together as he, and I quote, "started at the very basics of AD,
what makes a domain controller a domain controller, what a FSMO role
is..." yadda ya. Now, for some people that probably would've been a
useful and welcome process, but I just had to pull the guy aside and
say "Uhhh, dude? No." :-)
--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server Networking
https://mvp.support.microsoft.com/profile/laura
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
JefTek (Posts: 52) | 07/08/2007 2:29 AM
I had a good experience with the ADRAP we did last year, but I attribute it to the engineer we were assigned. He really explained what was good, bad, and what we could do to make things better. The ADRAP tool is a nice centralized tool for checking some common things that may fall by the wayside in a busy shop. So it sounds like your mileage may vary.
Jef
teoheras (Posts: 5) | 07/08/2007 4:39 AM
Interesting... it seems that what makes the ADRAP is the engineer assigned. My company is also a Premier customer and we're looking to do an ADRAP and EXRAP before the year ends. Would you guys mind sharing the names of the engineers that you were impressed with? I'll see if my TAM can schedule them for our ADRAP.
Teo
listmail (Posts: 822) | 07/08/2007 11:21 AM
In my experience, a combination of two things makes the RAPs. The first is the quality of the engineer executing the RAP. They all get the same info; it is how well they analyze it and understand AD/Exchange that determines how good the report is that they generate. You will get the extremely intelligent, knowledgeable analysts who will make the resulting report fit well into the goals and design of the environment, and then you will get the analysts who may be intelligent but will give you a generic read on the report which may not make much sense in light of how things are done. There is no perfect way to run AD nor design AD; it is an extremely complex and flexible product, and different people can and will set it up in different ways. I have seen many a time where a RAP has reported something as incorrect when in fact it was not only correct, but the only proper way to handle the specific item in that environment. I have been on "teams" designed to blow apart the reports generated for ADRAPs and ExRAPs because the results don't make sense in the environment, and have successfully done so every time it was needed.

The second is implied in the first answer, and it is how "Softian" your environment is. The smaller the environment, the more likely you will be a homogeneous MSFT environment adhering to all of the MSFT ways. The larger the environment, the more likely it will be heterogeneous, with people paid to think of BETTER ways to do things for that specific environment which may not align well with what a generic report would want, so the generated report may not be the best.

I think the biggest problem is companies who take the RAPs and use them as the gold standard of "this is the one and only way things can be set up and any deviation is wrong." Let me say straight up again: there are many ways to do things that are all equally valid, and sometimes there are things that would normally be considered not so good that are perfectly acceptable in another environment. Microsoft may have written the product, but they are not the end-all, be-all of knowledge and understanding of the product, certainly not the PSS/MCS folks. There are people outside of MSFT better suited to understanding the MSFT products in specific environments. A good analyst will admit that right up if asked. Don't get me wrong, there are some amazing PSS/MCS folks, but this isn't the standard, IMO; this is the special case. As ~Eric mentioned before, you can't train someone into being an amazing analyst; it just doesn't work that way. You need to get the RAPs and take them as guidance, but make sure you look at all of the answers in the context of what your environment is set up to do.

Another thing to keep in mind (possibly this has changed recently, as it has been a HUGE gripe I have had with the whole process in general) is that there is no true combined AD/Exchange RAP. You have an ExRAP and you have an ADRAP. They are different things done by different people with different goals. I have seen actual AD RAPs that said AD was spot on great, and then followed up a month later by an ExRAP which said that AD was completely screwed and causing massive issues in Exchange, with no correlation/combination between the two, and when you ask for them to reconcile the results they sort of shrug at you. They need an all-inclusive RAP.

Yet another thing to keep in mind, and something I say to push them on, is how many rights they want when they walk through the door. Usually they want full Enterprise/Domain/Exchange admin rights, and I always like to ask them, "So what do you plan on changing?" The idea is that they should just be gathering info. Why do they need the ability to change shit if they are just looking? Realistically there are some things that they need higher-level rights to get info about, but they haven't convinced me to date that they have narrowed it down to specifically what and why. If enough people push them back and feed them the same lines that MSFT is trying to get everyone else into, one of least user rights to do things, then maybe we can get this fixed. I mean come on, all the RAP is, is a set of scripts gathering info. How many different ways are there to get the info, and do they really know what rights they really need and why?

If other companies start doing these types of reviews, or really anything, and they say, "Well, we need enterprise admin and everything else," the recommendation from MSFT would be, "Well, you shouldn't be giving out Enterprise to lots of people." And there is a good reason for that. But this should also apply to MSFT themselves. As I mentioned before, there are great and not-so-great analysts; not all of them are people I would consider giving high-level rights to. Of course they could always say that you could run the scripts, but what do you know about the scripts being run, and how is that any different from doing that with any other company or vendor? It isn't.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
TG (Posts: 298) | 07/08/2007 12:41 PM
We also had a pretty bad experience with them, though I have to say it was a while ago.
m weerasinghe (Posts: 0) | 07/09/2007 3:53 AM
Hi Joe
I haven't been through an ADRAP yet, so I can't comment on exactly why the RAP engineer needs enterprise/domain admin credentials.
But for example, in the suitability scripts that one needs to execute to get some info on the environment, there is a WMI test which connects to the root\cimv2 namespace. They use WMI to query registry values. By default a normal user cannot connect to this namespace on a domain controller remotely. As the domain/enterprise admin can, I believe the simplest thing MSFT can do in these scenarios is to say "please ensure you run the suitability scripts with enterprise admin credentials and ensure we have the same once we are on site" (as opposed to ACLing the namespace to ensure normal users can do the WMI queries required to pass the RAP).
In the worst-case scenario, if it breaks... who better to fix it than MSFT? ;-) If you didn't trust them with the skills or confidentiality, then why even choose someone from MSFT to do the RAP? Certain orgs where security is very important ask the engineer to do the needful using equipment there, give his opinion and walk away. No data is allowed to leave site for analysis. But they still have to ensure he is security cleared before he is allowed to touch/see anything.
As for querying AD, you are right. I have yet to find a query I cannot do due to the normal user credentials used to perform the query.
Cheers
M@
bdesmond (Posts: 977) | 07/09/2007 4:04 AM
The tool will run those same WMI queries, so if they do require that access you either have to change the WMI ACLs on all the DCs or give up the rights. The suitability script verifies all the connectivity requirements that the tool needs.
Just because someone works for Microsoft doesn't mean they're the expert on AD. The same token applies to assuming that if someone works for HP they know everything about printers, etc. Like others have said here, it very much depends on the knowledge level of the PFE you get onsite for the gig. You can have them do it all on your equipment; they do install the tool there and run it that way, in fact, since it needs to run in context (e.g. no specifying a username/password to bind under).
Exchange data is not viewable with straight normal user rights. You need Exchange View Only type rights to read the data, which is easily delegated with the little wizard in ESM. This changed some in Exchange 2007, though.
The actual tool collects a bunch of data from AD, but it also touches each DC, hence the WMI and RPC checks.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
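A check a defender can run before handing an assessor any rights, added here as an example and not part of this thread or of Microsoft's ADRAP tooling: run it under the account you intend to give the engineer and it reports, per DC, whether the remote root\cimv2 WMI connection and a registry read through WMI succeed, so the namespace/DCOM ACL can be fixed on the DCs that fail instead of handing out Enterprise Admin. It assumes PowerShell 2.0 or later on a domain-joined machine; the registry value it reads is an arbitrary illustrative one, since the thread does not name the keys the suitability script queries.

```powershell
# Added example, not from the thread. Run as the least-privileged account you
# plan to give the RAP engineer, e.g. via: runas /user:DOMAIN\rapreader powershell
# Assumption: PowerShell 2.0+ (New-Object -Property) on a domain-joined host.

$HKLM = 2147483650   # StdRegProv constant for HKEY_LOCAL_MACHINE

function Test-DcWmiAccess {
    param([string]$DcName)

    $result = New-Object PSObject -Property @{
        DomainController = $DcName
        Cimv2Connect     = $false
        RegistryRead     = $false
        Error            = $null
    }

    try {
        # The thread's question: can this account connect to root\cimv2 on a DC remotely?
        $os = Get-WmiObject -ComputerName $DcName -Namespace 'root\cimv2' `
                            -Class Win32_OperatingSystem -ErrorAction Stop
        $result.Cimv2Connect = ($os -ne $null)

        # Registry values read through WMI go via the StdRegProv class.
        # Illustrative key only (present on every DC); the real script's keys are not on the page.
        $reg = [wmiclass]"\\$DcName\root\default:StdRegProv"
        $r = $reg.GetStringValue($HKLM,
                                 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters',
                                 'DSA Database file')
        $result.RegistryRead = ($r.ReturnValue -eq 0)
        if ($r.ReturnValue -ne 0) { $result.Error = "StdRegProv returned $($r.ReturnValue)" }
    }
    catch {
        # Access denied here means the WMI namespace or DCOM permissions on this DC
        # do not admit the account; scope the fix to that DC rather than widening rights.
        $result.Error = $_.Exception.Message
    }
    return $result
}

# The tool touches every DC, so test every DC in the current domain.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$report = $domain.DomainControllers | ForEach-Object { Test-DcWmiAccess -DcName $_.Name }

$report | Format-Table DomainController, Cimv2Connect, RegistryRead, Error -AutoSize

# Non-zero exit if any DC refused the account, so this can gate the engagement.
$failed = @($report | Where-Object { -not ($_.Cimv2Connect -and $_.RegistryRead) })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} DC(s) do not admit this account; review WMI namespace/DCOM ACLs before the RAP." -f $failed.Count)
    exit 1
}
```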
| | | |
| matheesha
Posts:34
 | | 07/09/2007 4:23 AM |
| Thanks Brian. I accept the point on not everyone at MS being an expert in AD. But hopefully the chap turning up at site to do the RAP should be.
As for Exchange, thanks for the info. We have no Exchange here where I work (only Lotus Domino). Hence I have no knowledge on the requirements for Exchange queries.
Cheers
M@
| | | |
| paultwilliams
Posts:0
 | | 07/09/2007 7:59 AM |
| Guys, is the RAP what used to be the health check, or is this something different? If different, what's different?
Thanks,
--Paul
| | | |
| slasitz
Posts:15
 | | 07/09/2007 9:16 AM |
| The ADRAP engineer that I had was excellent – his name was
Mohammad Chami
Steve L
| | | |
| amulnick
Posts:163
 | | 07/10/2007 3:03 AM |
| Wait. Everyone at HP is not a printer expert? Huh. That's a let down. I bet everyone at Microsoft is not a Windows 98 expert either, right? :)

joe, I think you have made some really good points about the way that information can and may be used. The folks that do the assessment are often quite capable people. I've seen many that are very good. You did hit the nail on the head though when you talked about the way that an ADRAP and ExRAP may conflict with their assessment. To me, that echoes the way the products come to life and some gaps in the comm between the AD and Exchange team coders/architects. It happens, right?

I look at it like this: you as the customer are going to get the 0300 phone call. You may call Microsoft as Matheesha pointed out, but it *could* be too late at that point to do anything other than mop up the oil slick left behind.

I agree with joe. Treat your vendors, even the ones that wrote your apps, as if they were outsiders that do not know about your environment nor why you have made the decisions you have made. They will naturally want to know that information anyway (right?), but it's the rare company that can provide that information for a 3rd party, so better to be safe and only provide the least privilege needed to do the job. Even if they tell you it's a lot, ask why - you may be glad you did.

Hey joe, we also agree that *somebody* should do a combined AD/Exchange RAP. If Microsoft isn't going to, perhaps a third party vendor should do that for them. Maybe even a printer expert? ;)

-ajm
On 7/10/07, joe wrote:
> Hopefully, but there is no guarantee. Certainly I have seen reports where
> that wasn't the case. For the most part, from the many reports I have seen
> now, it is mostly boilerplate. Occasionally you will get something specific
> that takes some oddity of the environment into account.
>
> My point on pushing the point on Enterprise Admins is that they shouldn't
> need those rights to generate a listing of info. This goes back to my audit
> admin posts from previously. If enough people make life difficult for PSS on
> this, it won't just be customers asking for it. There really is no reason
> you ever should have to give PSS Enterprise or even Domain Admins and if you
> did and they did mess something up, I am not so generous to believe that
> whoever did it would be so good at fixing it.
>
> When I go into an environment I ask for normal user and Exchange View. If
> someone locked their environment down (say to "protect" info about specific
> users/groups) then I ask to be in the group that has read access to that as
> well. That way, regardless of what I do, I can't hurt things. If I need
> something that cannot be gathered with those rights, I almost always give
> specific instructions of what I need and how to get it unless I have been
> told just to supply a script or something like that. It always makes me itch
> a little though that someone would allow me to supply arbitrary scripts to
> run with admin level rights. Me who has no deep knowledge nor understanding
> of your environment and you are just willing to take anything I give you...
> Not very smart. This goes for MSFT as well. A lot of assumptions have to be
> in place to just allow that to happen and assumptions are very bad for AD
> and security.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> > > > ________________________________
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Matheesha Weerasinghe
> Sent: Monday, July 09, 2007 4:23 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > > > Thanks Brian. I accept the point on not everyone at MS is expert in AD. But
> hopefully the chap turning up at site to do the RAP should be.
> > As for exchange, thanks for the info. We have no exchange here where I work
> (only lotus domino). Hence I have no knowledge on the requirements for
> exchange queries.
> > Cheers
> > M@
> > > On 09/07/07, Brian Desmond wrote:
> > > > > > > > > > The tool will run those same WMI queries so if they do require that access
> you either have to change the WMI ACLs on all the DCs or give up the rights.
> The suitability script verifies all the connectivity requirements that the
> tool needs.
> > > > > > > > Just because someone works for Microsoft doesn't mean they're the expert
> on AD. Same token applies to just if someone works for HP they know
> everything about printers, etc. Like others have said here it very much
> depends on the knowledge level of the PFE you get onsite for the gig. You
> can have them do it all on your equipment, they do install the tool there
> and run it that way in fact since it needs to run in context ( e.g. no
> specifying a username/password to bind under)> > > > > > > > > Exchange data is not viewable with straight normal user rights. You need
> Exchange View Only type rights to read the data which is easily delegated
> with the little wizard in ESM. This changed some in exchange 2007 though.
> > > > > > > > The actual tool collects a bunch of data from AD but it also touches each
> DC hence the WMI and RPC checks.
> > > > > > > > > > Thanks,
> > > > Brian Desmond
> > > > brian@briandesmond.com
> > > > > > > > c - 312.731.3132
> > > > > > > > > > > > > > From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Matheesha
> > Sent: Monday, July 09, 2007 2:53 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > > > > > > > Hi Joe
> > > > > > > > I haven't been through an ADRAP yet so I can't comment on exactly why the
> RAP engineer needs enterprise/domain admin credentials.
> > > > > > > > But for example in the suitability scripts that one needs to execute to
> get some info on the environment, there is a WMI test which connects to the
> root\cimv2 namespace. They use WMI to query registry values. By default a
> normal user cannot connect to this namespace on a domain controller
> remotely. As the domain/enterprise admin can, I believe the simplest thing
> MSFT can do in these scenarios is to say "please ensure you run the
> suitability scripts with enterprise admin credentials and ensure we have the
> same once we are on site" (as opposed to ACLing the namespace to ensure
> normal users can do the WMI queries required to pass the RAP).
> > > > > > > > In the worst case scenario if it breaks... who better to fix other than
> MSFT? ;-) If you didn't trust them with the skills or confidentiality, then
> why even choose someone from MSFT to do the RAP? Certain orgs where security
> is very important ask the engineer to do the needy using equipment there,
> give his opinion and walk away. No data is allowed to leave site for
> analysis. But they still have to ensure he is security cleared before he is
> allowed to touch/see anything .
> > > > > > > > As for querying AD, you are right. I am yet to find a query I cannot do
> due to the normal user credentials used to perform the query.
> > > > > > > > Cheers
> > > > > > > > M@
> > > > > > > > > > > > From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> joe
> > Sent: 09 July 2007 04:22
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > > > > > > > > > Combination of two things in my experience makes the RAPs.
> > > > > > > > The first is the quality of the engineer executing the RAP. They all get
> the same info, it is how well they analyze it and understand AD/Exchange as
> to how good the report is that they generate. You will get the extremely
> intelligent knowledgeable analysts who will make the resulting report fit
> well into the goals and design of the environment and then you will get the
> analysts who may be intelligent but will give you a generic read on the
> report which may not make much sense in light of how things are done. There
> is no perfect way to run AD nor design AD, it is an extremely complex and
> flexible product and different people can and will set it up in different
> ways and I have seen many a time where a RAP has reported something as
> incorrect when in fact it was not only correct, but the only proper way to
> handle the specific item in that environment. I have been on "teams"
> designed to blow apart the reports generated for ADRAP and ExRAPs because
> the results don't make sense in the environment and have successfully done
> so every time it was needed.
> > > > > > > > The second is implied in the first answer and it is how "Softian" your
> environment is. The smaller the environment, the more likely you will be a
> homogenius MSFT environment adhering to all of the MSFT ways. The larger the
> environment the more likely it will be heterogenious with people paid to
> think of BETTER ways to do things for that specific environment which may
> not align well with what a generic report would want so the generated report
> may not be the best.
> > > > > > > > I think the biggest problem is companies who take the RAPs and use it as
> the gold standard of this is the one and only way things can be set up and
> any deviation is wrong. Let me say straight up again, there are many ways to
> do things that are all equally valid and sometimes there are things that
> would normally be considered not so good that are perfectly acceptable in
> another environment. Microsoft may have written the product but they are not
> the end all be all knowledge and understanding of the product, certainly not
> the PSS/MCS folks. There are people outside of MSFT better suited to
> understanding the MSFT products in specific environments. A good analyst
> will admit that right up if asked. Don't get me wrong, there are some
> amazing PSS/MCS folks but this isn't the standard, IMO, this is the special
> case. As ~Eric mentioned before, you can't train someone into being an
> amazing analyst, it just doesn't work that way. You need to get the RAPs and
> take them as guidance but make sure you look at all of the answers in the
> context of what your environment is set up to do.
> > > > > > > > Another thing to keep in mind, possibly this has changed recently as it
> has been a HUGE gripe I have had with the whole process in general is that
> there is no true combined AD/Exchange RAP. You have an ExRAP and you have an
> ADRAP. They are different things done by different people with different
> goals. I have seen actual AD RAPs that said AD was spot on great and then
> followed up a month later by an ExRAP which said that AD was completely
> screwed and causing massive issues in Exchange with no
> correlation/combination between the two and when you ask for them to
> reconcile the results they sort of shrug at you. They need an all inclusive
> RAP.
> > > > > > > > Yet another thing to keep in mind and something I say to push them on is
> how much rights they want when they walk through the door. Usually they want
> full Enterprise/Domain/Exchange admin rights and I always like to ask them,
> so what do you plan on changing? The idea is that they should just be
> gathering info. Why do they need the ability to change shit if they are just
> looking? Realistically there are some things that they need higher level
> rights to get info about but they haven't convinced me to date that they
> have narrowed it down to specifically what and why. If enough people push
> them back and feed them the same lines that MSFT is trying to get everyone
> else into, one of least user rights to do things, then maybe we can get this
> fixed. I mean come on, all the RAP is is a set of scripts gathering info.
> How many different ways are there to get the info and do they really know
> what rights they really need and why?
> > > > > > > > If other companies start doing these types of reviews or really anything
> and they say, well we need enterprise admin and everything else, the
> recommendation from MSFT would be, well you shouldn't be giving out
> Enterprise to lots of people. And there is a good reason for that. But this
> should also apply to MSFT themselves. As I mentioned before, there are great
> and not so great analysts, not all of them are people I would consider
> giving high level rights to. Of course they could always say that you could
> run the scripts, but what do you know about the scripts being run and how is
> that any different from doing that with any other company or vendor. It
> isn't.
> > > > > > > > > > joe
> > > > > > > > > > > > > > > > --
> > > > O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> > > > > > > > > > > > > > > > ________________________________
> > > > > From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> Teo De Las Heras
> > Sent: Sunday, July 08, 2007 4:39 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > > > > > Interesting...it seems that what makes the ADRAP is the engineer assigned.
> My company is also a premier customer and we're looking to do an ADRAP and
> EXRAP before the year ends. Would you guys mind sharing the names of the
> engineers that you were impressed with. I'll see if my TAM can schedule
> them for our ADRAP.
> > > > > > > > > > > > Teo
> > > > > > > > On 7/6/07, Harvey Kamangwitz wrote:
> > > > > > Hi all,
> > > > > > > > > > > > As a Microsoft Premier customer, they've suggested we go through an AD
> Risk Assessment Program. I'm still learning what they do (it's conducted by
> their Field Engineering team) and what the benefits are...in the mean time,
> I thought it'd be good to see what my compatriots think of the program. Has
> anyone been through it? Is it worth it?
> > > > > > > > > > > > Thanks,
> > > > > > Harvey
> > > > > > List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
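Joe's least-privilege argument and Matheesha's observation about remote access to root\cimv2 on domain controllers suggest a preflight check: find out, per DC, what a plain domain account can already read before anyone asks for Enterprise Admin. The PowerShell below is an added example, not code from this thread nor from Microsoft's ADRAP or its suitability scripts; it assumes PowerShell 2.0 or later on a domain-joined member server and a hypothetical assessment account named CONTOSO\adrap-reader.

```powershell
# Added example (not part of the thread, not Microsoft's suitability script).
# Preflight: test LDAP read and remote WMI (root\cimv2) against every DC in the
# current domain as a low-privilege assessment account, so that any gap can be
# closed with a narrow delegation instead of Domain/Enterprise Admin membership.
# Assumes: domain-joined member server (WMI -Credential is refused for local
# connections) and PowerShell 2.0 or later.
param(
    [string]$AssessmentUser = 'CONTOSO\adrap-reader'   # hypothetical account
)

# Prompt for the assessment account's password; nothing is stored on disk.
$cred = Get-Credential -Credential $AssessmentUser
$plainPassword = $cred.GetNetworkCredential().Password

# Enumerate DCs through .NET; this needs no special rights.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$results = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name

    # 1. Authenticated LDAP read against this DC's default naming context.
    #    Default AD ACLs let Authenticated Users read most object attributes,
    #    which is the "normal user" access Joe and Matheesha describe as enough
    #    for directory queries.
    $ldapOk = $false
    $ldapError = ''
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$name", $cred.UserName, $plainPassword)
        $null = $entry.Properties['distinguishedName'].Value   # forces the bind
        $ldapOk = $true
    } catch {
        $ldapError = $_.Exception.Message
    }

    # 2. Remote WMI connection to root\cimv2 on this DC as the same account.
    #    By default only Administrators hold "Remote Enable" on the namespace,
    #    so this is the check a non-admin account is expected to fail.
    $wmiOk = $false
    $wmiError = ''
    try {
        $null = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem `
            -ComputerName $name -Credential $cred -ErrorAction Stop
        $wmiOk = $true
    } catch {
        $wmiError = $_.Exception.Message
    }

    New-Object PSObject -Property @{
        DomainController = $name
        LdapRead         = $ldapOk
        LdapError        = $ldapError
        WmiCimv2         = $wmiOk
        WmiError         = $wmiError
    }
}

$results | Format-Table DomainController, LdapRead, WmiCimv2, WmiError -AutoSize

# DCs reporting WmiCimv2 = False are the ones that need a targeted fix:
# grant the assessment account "Enable Account" and "Remote Enable" on
# root\cimv2 (wmimgmt.msc > Properties > Security, or via Group Policy) plus
# DCOM remote launch/activation, rather than adding it to an admin group.
```

The WmiError column carries the DC's own error text, so an "Access denied" versus an RPC-unreachable result tells you whether the gap is a namespace ACL or a connectivity problem before the engineer arrives.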
| listmail
Posts:822
 | | 07/10/2007 12:48 PM |
| Hopefully, but there is no guarantee. Certainly I have seen
reports where that wasn't the case. For the most part, from the many reports I
have seen now, it is mostly boilerplate. Occasionally you will get something
specific that takes some oddity of the environment into
account.
My point on pushing the point on Enterprise Admins is that
they shouldn't need those rights to generate a listing of info. This goes back
to my audit admin posts from previously. If enough people make life difficult
for PSS on this, it won't just be customers asking for it. There really is no
reason you ever should have to give PSS Enterprise or even Domain Admins and if
you did and they did mess something up, I am not so generous to believe that
whomever did it would be so good at fixing it.
When I go into an environment I ask for normal user and
Exchange View. If someone locked their environment down (say to "protect" info
about specific users/groups) then I ask to be in the group that has read access
to that as well. That way, regardless of what I do, I can't hurt things. If I
need something that cannot be gathered with those rights, I almost always give
specific instructions of what I need and how to get it unless I have been told
just to supply a script or something like that. It always makes me itch a little
though that someone would allow me to supply arbitrary scripts to run with admin
level rights. Me who has no deep knowledge nor understanding of your environment
and you are just willing to take anything I give you... Not very smart. This
goes for MSFT as well. A lot of assumptions have to be in place to just allow
that to happen and assumptions are very bad for AD and
security.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm | | | |
| listmail
Posts:822
 | | 07/10/2007 12:51 PM |
| Same
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Williams Paul (HOM99)
Sent: Monday, July 09, 2007 7:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
Guys,
is the RAP what used to be the health check, or is this something
different? If different, what’s different?
Thanks,
--Paul | | | |
| StewartJF
Posts:0
 | | 07/12/2007 1:58 AM |
| Isn't that why you pay Premier for a TAM, and why the services are only
offered to Premier customers, to "know about your environment" and "why
you have made the decisions you have made"?
-fitz
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Tuesday, July 10, 2007 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
Wait. Everyone at HP is not a printer expert? Huh. That's a let down.
I bet everyone at Microsoft is not a Windows 98 expert either right?
:)
joe, I think you have made some really good points about the way that
information can and may be used. The folks that do the assessment are
often quite capable people. I've seen many that are very good. You
did hit the nail on the head though when you talked about the way that
an ADRAP and ExRAP may conflict with their assessment. To me, that
echoes the way the products come to life and some gaps in the comm
between the AD and Exchange team coders/architects. It happens right?
I look at it like this: you as the customer are going to get the 0300
phone call. You may call Microsoft as Mateesha pointed out, but it
*could* be too late at that point to do anything other than mop up the
oil slick left behind.
I agree with joe. Treat your vendors, even the ones that wrote your
apps, as if they are an outsider that do not know about your
environment nor why you have made the decisions you have made. They
will naturally want to know that information anyway (right?), but it's
the rare company that can provide that information for a 3rd party so
better to be safe and only provide the least privilege needed to do
the job. Even if they tell you it's a lot, ask why - you may be glad
you did.
Hey joe, we also agree that *somebody* should do a combined
AD/Exchange RAP. If Microsoft isn't going to, perhaps a third party
vendor should do that for them. Maybe even a printer expert? ;)
-ajm
On 7/10/07, joe wrote:
> Hopefully, but there is no guarantee. Certainly I have seen reports where that wasn't the case. For the most part, from the many reports I have seen now, it is mostly boilerplate. Occasionally you will get something specific that takes some oddity of the environment into account.
>
> My point on pushing the point on Enterprise Admins is that they shouldn't need those rights to generate a listing of info. This goes back to my audit admin posts from previously. If enough people make life difficult for PSS on this, it won't just be customers asking for it. There really is no reason you ever should have to give PSS Enterprise or even Domain Admins and if you did and they did mess something up, I am not so generous to believe that whomever did it would be so good at fixing it.
>
> When I go into an environment I ask for normal user and Exchange View. If someone locked their environment down (say to "protect" info about specific users/groups) then I ask to be in the group that has read access to that as well. That way, regardless of what I do, I can't hurt things. If I need something that cannot be gathered with those rights, I almost always give specific instructions of what I need and how to get it unless I have been told just to supply a script or something like that. It always makes me itch a little though that someone would allow me to supply arbitrary scripts to run with admin level rights. Me who has no deep knowledge nor understanding of your environment and you are just willing to take anything I give you... Not very smart. This goes for MSFT as well. A lot of assumptions have to be in place to just allow that to happen and assumptions are very bad for AD and security.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> ________________________________
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha Weerasinghe
> Sent: Monday, July 09, 2007 4:23 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
>
> Thanks Brian. I accept the point on not everyone at MS is expert in AD. But hopefully the chap turning up at site to do the RAP should be.
>
> As for exchange, thanks for the info. We have no exchange here where I work (only lotus domino). Hence I have no knowledge on the requirements for exchange queries.
>
> Cheers
> M@
>
> On 09/07/07, Brian Desmond wrote:
> > The tool will run those same WMI queries so if they do require that access you either have to change the WMI ACLs on all the DCs or give up the rights. The suitability script verifies all the connectivity requirements that the tool needs.
> >
> > Just because someone works for Microsoft doesn't mean they're the expert on AD. Same token applies to just if someone works for HP they know everything about printers, etc. Like others have said here it very much depends on the knowledge level of the PFE you get onsite for the gig. You can have them do it all on your equipment, they do install the tool there and run it that way in fact since it needs to run in context (e.g. no specifying a username/password to bind under).
> >
> > Exchange data is not viewable with straight normal user rights. You need Exchange View Only type rights to read the data which is easily delegated with the little wizard in ESM. This changed some in exchange 2007 though.
> >
> > The actual tool collects a bunch of data from AD but it also touches each DC hence the WMI and RPC checks.
> >
> > Thanks,
> > Brian Desmond
> > brian@briandesmond.com
> > c - 312.731.3132
> >
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha
> > Sent: Monday, July 09, 2007 2:53 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Hi Joe
> >
> > I haven't been through an ADRAP yet so I can't comment on exactly why the RAP engineer needs enterprise/domain admin credentials.
> >
> > But for example in the suitability scripts that one needs to execute to get some info on the environment, there is a WMI test which connects to the root\cimv2 namespace. They use WMI to query registry values. By default a normal user cannot connect to this namespace on a domain controller remotely. As the domain/enterprise admin can, I believe the simplest thing MSFT can do in these scenarios is to say "please ensure you run the suitability scripts with enterprise admin credentials and ensure we have the same once we are on site" (as opposed to ACLing the namespace to ensure normal users can do the WMI queries required to pass the RAP).
> >
> > In the worst case scenario if it breaks... who better to fix other than MSFT? ;-) If you didn't trust them with the skills or confidentiality, then why even choose someone from MSFT to do the RAP? Certain orgs where security is very important ask the engineer to do the needy using equipment there, give his opinion and walk away. No data is allowed to leave site for analysis. But they still have to ensure he is security cleared before he is allowed to touch/see anything.
> >
> > As for querying AD, you are right. I am yet to find a query I cannot do due to the normal user credentials used to perform the query.
> >
> > Cheers
> > M@
> >
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> > Sent: 09 July 2007 04:22
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Combination of two things in my experience makes the RAPs.
> >
> > The first is the quality of the engineer executing the RAP. They all get the same info, it is how well they analyze it and understand AD/Exchange as to how good the report is that they generate. You will get the extremely intelligent knowledgeable analysts who will make the resulting report fit well into the goals and design of the environment and then you will get the analysts who may be intelligent but will give you a generic read on the report which may not make much sense in light of how things are done. There is no perfect way to run AD nor design AD, it is an extremely complex and flexible product and different people can and will set it up in different ways and I have seen many a time where a RAP has reported something as incorrect when in fact it was not only correct, but the only proper way to handle the specific item in that environment. I have been on "teams" designed to blow apart the reports generated for ADRAP and ExRAPs because the results don't make sense in the environment and have successfully done so every time it was needed.
> >
> > The second is implied in the first answer and it is how "Softian" your environment is. The smaller the environment, the more likely you will be a homogeneous MSFT environment adhering to all of the MSFT ways. The larger the environment the more likely it will be heterogeneous with people paid to think of BETTER ways to do things for that specific environment which may not align well with what a generic report would want so the generated report may not be the best.
> >
> > I think the biggest problem is companies who take the RAPs and use it as the gold standard of this is the one and only way things can be set up and any deviation is wrong. Let me say straight up again, there are many ways to do things that are all equally valid and sometimes there are things that would normally be considered not so good that are perfectly acceptable in another environment. Microsoft may have written the product but they are not the end all be all knowledge and understanding of the product, certainly not the PSS/MCS folks. There are people outside of MSFT better suited to understanding the MSFT products in specific environments. A good analyst will admit that right up if asked. Don't get me wrong, there are some amazing PSS/MCS folks but this isn't the standard, IMO, this is the special case. As ~Eric mentioned before, you can't train someone into being an amazing analyst, it just doesn't work that way. You need to get the RAPs and take them as guidance but make sure you look at all of the answers in the context of what your environment is set up to do.
> >
> > Another thing to keep in mind, possibly this has changed recently as it has been a HUGE gripe I have had with the whole process in general, is that there is no true combined AD/Exchange RAP. You have an ExRAP and you have an ADRAP. They are different things done by different people with different goals. I have seen actual AD RAPs that said AD was spot on great and then followed up a month later by an ExRAP which said that AD was completely screwed and causing massive issues in Exchange with no correlation/combination between the two and when you ask for them to reconcile the results they sort of shrug at you. They need an all inclusive RAP.
> >
> > Yet another thing to keep in mind and something I say to push them on is how much rights they want when they walk through the door. Usually they want full Enterprise/Domain/Exchange admin rights and I always like to ask them, so what do you plan on changing? The idea is that they should just be gathering info. Why do they need the ability to change shit if they are just looking? Realistically there are some things that they need higher level rights to get info about but they haven't convinced me to date that they have narrowed it down to specifically what and why. If enough people push them back and feed them the same lines that MSFT is trying to get everyone else into, one of least user rights to do things, then maybe we can get this fixed. I mean come on, all the RAP is is a set of scripts gathering info. How many different ways are there to get the info and do they really know what rights they really need and why?
> >
> > If other companies start doing these types of reviews or really anything and they say, well we need enterprise admin and everything else, the recommendation from MSFT would be, well you shouldn't be giving out Enterprise to lots of people. And there is a good reason for that. But this should also apply to MSFT themselves. As I mentioned before, there are great and not so great analysts, not all of them are people I would consider giving high level rights to. Of course they could always say that you could run the scripts, but what do you know about the scripts being run and how is that any different from doing that with any other company or vendor. It isn't.
> >
> > joe
> > --
> > O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> >
> > ________________________________
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Teo De Las Heras
> > Sent: Sunday, July 08, 2007 4:39 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Interesting...it seems that what makes the ADRAP is the engineer assigned. My company is also a premier customer and we're looking to do an ADRAP and EXRAP before the year ends. Would you guys mind sharing the names of the engineers that you were impressed with. I'll see if my TAM can schedule them for our ADRAP.
> >
> > Teo
> >
> > On 7/6/07, Harvey Kamangwitz wrote:
> > Hi all,
> >
> > As a Microsoft Premier customer, they've suggested we go through an AD Risk Assessment Program. I'm still learning what they do (it's conducted by their Field Engineering team) and what the benefits are...in the mean time, I thought it'd be good to see what my compatriots think of the program. Has anyone been through it? Is it worth it?
> >
> > Thanks,
> > Harvey
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
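The connectivity checks Matheesha and Brian describe above (remote WMI into root\cimv2 on each DC, plus the RPC reachability the tool needs) can be reproduced before the engagement, under the account you actually intend to hand the assessor, so that "we need Enterprise Admin" turns into a per-DC list of exactly what is denied and why. The PowerShell below is an added example written for this thread; it is not the ADRAP tool, its suitability script, or code posted by anyone in the discussion. It assumes the RSAT ActiveDirectory module is present for DC discovery and that Test-NetConnection is available (Windows 8.1 / Server 2012 R2 and later); every parameter and property name in it is the example's own.

```powershell
# Added example for this thread (not the ADRAP tool, its suitability script, or anyone's posted code).
# Runs the same kind of pre-checks the suitability script is described as doing (RPC reachability and
# remote WMI into root\cimv2 on every DC), but under the token you actually intend to give the
# assessor, so the output is a per-DC list of what is denied rather than a blanket "needs EA".
# Assumptions: RSAT ActiveDirectory module present for DC discovery; Test-NetConnection available
# (Windows 8.1 / Server 2012 R2 or later). Pass -DomainController to skip discovery.
param(
    [string[]]$DomainController = @()
)

if ($DomainController.Count -eq 0) {
    Import-Module ActiveDirectory -ErrorAction Stop
    # Enumerate every DC in every domain of the forest; the ADRAP tool "touches each DC".
    $DomainController = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName
}

# Deliberately no -Credential anywhere: Brian notes the tool runs "in context", so the checks
# must be made with the interactive account that will run it.
$runningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$results = foreach ($dc in $DomainController) {
    # 1. RPC endpoint mapper (TCP 135): DCOM/WMI cannot even start a session without it.
    $rpcOk = Test-NetConnection -ComputerName $dc -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue

    # 2. Remote WMI into root\cimv2, the namespace Matheesha says a normal user is denied by default.
    $wmi = 'OK'
    try {
        $null = Get-WmiObject -ComputerName $dc -Namespace 'root\cimv2' -Class Win32_OperatingSystem -ErrorAction Stop
    } catch {
        if ($_.Exception -is [System.UnauthorizedAccessException]) {
            $wmi = 'ACCESS DENIED'   # namespace ACL or DCOM remote-access permission blocks this token
        } else {
            $wmi = "FAILED ($($_.Exception.GetType().Name))"   # RPC unavailable, firewall, name resolution, ...
        }
    }

    # 3. A plain LDAP read with the same token: joe's point is that a read-only review needs no more.
    $ldap = 'OK'
    try {
        $rootDse = [ADSI]"LDAP://$dc/RootDSE"
        $null = $rootDse.defaultNamingContext
    } catch {
        $ldap = "FAILED ($($_.Exception.Message))"
    }

    [pscustomobject]@{
        DC           = $dc
        RunningAs    = $runningAs
        Rpc135       = $rpcOk
        WmiRootCimv2 = $wmi
        LdapRootDse  = $ldap
    }
}

$results | Format-Table -AutoSize

# Anything reporting ACCESS DENIED is where an Enterprise Admin token would make the check pass.
# The least-privilege alternative is the one Brian alludes to (changing the WMI ACLs): grant a
# dedicated read-only audit group "Enable Account" and "Remote Enable" on root\cimv2
# (wmimgmt.msc > Security) plus DCOM remote access (membership in the local "Distributed COM
# Users" group) on the DCs, and nothing more.
```

Run it once as the assessor's intended account and once as yourself; the difference between the two tables is the complete, auditable list of rights the review actually consumes, which is the narrowing down joe asks Microsoft to produce.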
| listmail
Posts:822
 | | 07/12/2007 2:31 AM |
| LOL. I actually spit my drink out reading that. ;o)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Stewart, Fitz
Sent: Thursday, July 12, 2007 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?

Isn't that why you pay Premier for a TAM, and why the services are only offered to Premier customers, to "know about your environment" and "why you have made the decisions you have made"?

-fitz
| | | |
| amulnick
Posts:163
 | | 07/12/2007 3:18 AM |
| Me too!
Yeah, I kept thinking that Fitz was just joking. I'm not quite sure though.
The thing is, TAMs are human beings. And you buy time slices in some
situations. Basically, if they do not have an office on your
premises, then you're time sharing the TAM-time.
Can you honestly say that somebody that pays only partial attention to
you will know your environment as well as you'd like for that kind of
support? Will you bet your job on it?
MCS used to have a similar counterpart that would do the same from a
consulting view point. That was in the days before services became
one big happy family though. Since then, they may have become
redundant in some respects since the goal has always been customer
satisfaction and how you get there is not nearly as important as
getting there.
But I digress.....

On 7/12/07, joe wrote:
> LOL. I actually spit my drink out reading that. ;o)
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Stewart, Fitz
> Sent: Thursday, July 12, 2007 1:59 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
>
> Isn't that why you pay Premier for a TAM, and why the services are only
> offered to Premier customers, to "know about your environment" and "why
> you have made the decisions you have made"?
>
> -fitz
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
> Sent: Tuesday, July 10, 2007 3:03 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
>
> Wait. Everyone at HP is not a printer expert? Huh. That's a let down.
> I bet everyone at Microsoft is not a Windows 98 expert either right?
>
> :)
>
> joe, I think you have made some really good points about the way that
> information can and may be used. The folks that do the assessment are
> often quite capable people. I've seen many that are very good. You
> did hit the nail on the head though when you talked about the way that
> an ADRAP and ExRAP may conflict with their assessment. To me, that
> echoes the way the products come to life and some gaps in the comm
> between the AD and Exchange team coders/architects. It happens right?
>
> I look at it like this: you as the customer are going to get the 0300
> phone call. You may call Microsoft as Matheesha pointed out, but it
> *could* be too late at that point to do anything other than mop up the
> oil slick left behind.
>
> I agree with joe. Treat your vendors, even the ones that wrote your
> apps, as if they are an outsider that does not know about your
> environment nor why you have made the decisions you have made. They
> will naturally want to know that information anyway (right?), but it's
> the rare company that can provide that information for a 3rd party so
> better to be safe and only provide the least privilege needed to do
> the job. Even if they tell you it's a lot, ask why - you may be glad
> you did.
>
> Hey joe, we also agree that *somebody* should do a combined
> AD/Exchange RAP. If Microsoft isn't going to, perhaps a third party
> vendor should do that for them. Maybe even a printer expert? ;)
>
> -ajm
>
> On 7/10/07, joe wrote:
> > Hopefully, but there is no guarantee. Certainly I have seen reports
> > where that wasn't the case. For the most part, from the many reports I
> > have seen now, it is mostly boilerplate. Occasionally you will get
> > something specific that takes some oddity of the environment into
> > account.
> >
> > My point on pushing the point on Enterprise Admins is that they
> > shouldn't need those rights to generate a listing of info. This goes
> > back to my audit admin posts from previously. If enough people make
> > life difficult for PSS on this, it won't just be customers asking for
> > it. There really is no reason you ever should have to give PSS
> > Enterprise or even Domain Admins and if you did and they did mess
> > something up, I am not so generous to believe that whoever did it
> > would be so good at fixing it.
> >
> > When I go into an environment I ask for normal user and Exchange View.
> > If someone locked their environment down (say to "protect" info about
> > specific users/groups) then I ask to be in the group that has read
> > access to that as well. That way, regardless of what I do, I can't
> > hurt things. If I need something that cannot be gathered with those
> > rights, I almost always give specific instructions of what I need and
> > how to get it unless I have been told just to supply a script or
> > something like that. It always makes me itch a little though that
> > someone would allow me to supply arbitrary scripts to run with admin
> > level rights. Me who has no deep knowledge nor understanding of your
> > environment and you are just willing to take anything I give you...
> > Not very smart. This goes for MSFT as well. A lot of assumptions have
> > to be in place to just allow that to happen and assumptions are very
> > bad for AD and security.
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> > ________________________________
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> > Matheesha Weerasinghe
> > Sent: Monday, July 09, 2007 4:23 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > Thanks Brian. I accept the point on not everyone at MS is expert in
> > AD. But hopefully the chap turning up at site to do the RAP should be.
> >
> > As for Exchange, thanks for the info. We have no Exchange here where I
> > work (only Lotus Domino). Hence I have no knowledge on the requirements
> > for Exchange queries.
> >
> > Cheers
> >
> > M@
> >
> > On 09/07/07, Brian Desmond wrote:
> >
> > The tool will run those same WMI queries so if they do require that
> > access you either have to change the WMI ACLs on all the DCs or give up
> > the rights. The suitability script verifies all the connectivity
> > requirements that the tool needs.
> >
> > Just because someone works for Microsoft doesn't mean they're the
> > expert on AD. Same token applies to just if someone works for HP they
> > know everything about printers, etc. Like others have said here it very
> > much depends on the knowledge level of the PFE you get onsite for the
> > gig. You can have them do it all on your equipment, they do install the
> > tool there and run it that way in fact since it needs to run in context
> > (e.g. no specifying a username/password to bind under).
> >
> > Exchange data is not viewable with straight normal user rights. You
> > need Exchange View Only type rights to read the data which is easily
> > delegated with the little wizard in ESM. This changed some in Exchange
> > 2007 though.
> >
> > The actual tool collects a bunch of data from AD but it also touches
> > each DC hence the WMI and RPC checks.
> >
> > Thanks,
> >
> > Brian Desmond
> >
> > brian@briandesmond.com
> >
> > c - 312.731.3132
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> > Matheesha
> > Sent: Monday, July 09, 2007 2:53 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Hi Joe
> >
> > I haven't been through an ADRAP yet so I can't comment on exactly
> > why the RAP engineer needs enterprise/domain admin credentials.
> >
> > But for example in the suitability scripts that one needs to execute
> > to get some info on the environment, there is a WMI test which connects
> > to the root\cimv2 namespace. They use WMI to query registry values. By
> > default a normal user cannot connect to this namespace on a domain
> > controller remotely. As the domain/enterprise admin can, I believe the
> > simplest thing MSFT can do in these scenarios is to say "please ensure
> > you run the suitability scripts with enterprise admin credentials and
> > ensure we have the same once we are on site" (as opposed to ACLing the
> > namespace to ensure normal users can do the WMI queries required to
> > pass the RAP).
> >
> > In the worst case scenario if it breaks... who better to fix other
> > than MSFT? ;-) If you didn't trust them with the skills or
> > confidentiality, then why even choose someone from MSFT to do the RAP?
> > Certain orgs where security is very important ask the engineer to do
> > the needful using equipment there, give his opinion and walk away. No
> > data is allowed to leave site for analysis. But they still have to
> > ensure he is security cleared before he is allowed to touch/see
> > anything.
> >
> > As for querying AD, you are right. I am yet to find a query I cannot
> > do due to the normal user credentials used to perform the query.
> >
> > Cheers
> >
> > M@
> >
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> > joe
> > Sent: 09 July 2007 04:22
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > Combination of two things in my experience makes the RAPs.
> >
> > The first is the quality of the engineer executing the RAP. They all
> > get the same info, it is how well they analyze it and understand
> > AD/Exchange as to how good the report is that they generate. You will
> > get the extremely intelligent knowledgeable analysts who will make the
> > resulting report fit well into the goals and design of the environment
> > and then you will get the analysts who may be intelligent but will give
> > you a generic read on the report which may not make much sense in light
> > of how things are done. There is no perfect way to run AD nor design
> > AD, it is an extremely complex and flexible product and different
> > people can and will set it up in different ways and I have seen many a
> > time where a RAP has reported something as incorrect when in fact it
> > was not only correct, but the only proper way to handle the specific
> > item in that environment. I have been on "teams" designed to blow apart
> > the reports generated for ADRAP and ExRAPs because the results don't
> > make sense in the environment and have successfully done so every time
> > it was needed.
> >
> > The second is implied in the first answer and it is how "Softian" your
> > environment is. The smaller the environment, the more likely you will
> > be a homogeneous MSFT environment adhering to all of the MSFT ways. The
> > larger the environment the more likely it will be heterogeneous with
> > people paid to think of BETTER ways to do things for that specific
> > environment which may not align well with what a generic report would
> > want so the generated report may not be the best.
> >
> > I think the biggest problem is companies who take the RAPs and use it
> > as the gold standard of this is the one and only way things can be set
> > up and any deviation is wrong. Let me say straight up again, there are
> > many ways to do things that are all equally valid and sometimes there
> > are things that would normally be considered not so good that are
> > perfectly acceptable in another environment. Microsoft may have written
> > the product but they are not the end all be all knowledge and
> > understanding of the product, certainly not the PSS/MCS folks. There
> > are people outside of MSFT better suited to understanding the MSFT
> > products in specific environments. A good analyst will admit that right
> > up if asked. Don't get me wrong, there are some amazing PSS/MCS folks
> > but this isn't the standard, IMO, this is the special case. As ~Eric
> > mentioned before, you can't train someone into being an amazing
> > analyst, it just doesn't work that way. You need to get the RAPs and
> > take them as guidance but make sure you look at all of the answers in
> > the context of what your environment is set up to do.
> >
> > Another thing to keep in mind, possibly this has changed recently as it
> > has been a HUGE gripe I have had with the whole process in general, is
> > that there is no true combined AD/Exchange RAP. You have an ExRAP and
> > you have an ADRAP. They are different things done by different people
> > with different goals. I have seen actual AD RAPs that said AD was spot
> > on great and then followed up a month later by an ExRAP which said that
> > AD was completely screwed and causing massive issues in Exchange with
> > no correlation/combination between the two and when you ask for them to
> > reconcile the results they sort of shrug at you. They need an all
> > inclusive RAP.
> >
> > Yet another thing to keep in mind and something I say to push them on
> > is how much rights they want when they walk through the door. Usually
> > they want full Enterprise/Domain/Exchange admin rights and I always
> > like to ask them, so what do you plan on changing? The idea is that
> > they should just be gathering info. Why do they need the ability to
> > change shit if they are just looking? Realistically there are some
> > things that they need higher level rights to get info about but they
> > haven't convinced me to date that they have narrowed it down to
> > specifically what and why. If enough people push them back and feed
> > them the same lines that MSFT is trying to get everyone else into, one
> > of least user rights to do things, then maybe we can get this fixed. I
> > mean come on, all the RAP is is a set of scripts gathering info. How
> > many different ways are there to get the info and do they really know
> > what rights they really need and why?
> >
> > If other companies start doing these types of reviews or really
> > anything and they say, well we need enterprise admin and everything
> > else, the recommendation from MSFT would be, well you shouldn't be
> > giving out Enterprise to lots of people. And there is a good reason for
> > that. But this should also apply to MSFT themselves. As I mentioned
> > before, there are great and not so great analysts, not all of them are
> > people I would consider giving high level rights to. Of course they
> > could always say that you could run the scripts, but what do you know
> > about the scripts being run and how is that any different from doing
> > that with any other company or vendor. It isn't.
> >
> > joe
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> > ________________________________
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> > Teo De Las Heras
> > Sent: Sunday, July 08, 2007 4:39 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Interesting...it seems that what makes the ADRAP is the engineer
> > assigned. My company is also a premier customer and we're looking to
> > do an ADRAP and EXRAP before the year ends. Would you guys mind sharing
> > the names of the engineers that you were impressed with? I'll see if my
> > TAM can schedule them for our ADRAP.
> >
> > Teo
> >
> > On 7/6/07, Harvey Kamangwitz wrote:
> >
> > Hi all,
> >
> > As a Microsoft Premier customer, they've suggested we go through an AD
> > Risk Assessment Program. I'm still learning what they do (it's
> > conducted by their Field Engineering team) and what the benefits
> > are...in the meantime, I thought it'd be good to see what my
> > compatriots think of the program. Has anyone been through it? Is it
> > worth it?
> >
> > Thanks,
> >
> > Harvey
| | | |
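The least-privilege argument running through this post (Matheesha's root\cimv2 WMI test that a normal user fails by default, Brian's "change the WMI ACLs on all the DCs or give up the rights", joe's "what rights do they really need and why") in working form. This is an added example, not code from the list posts, from the ADRAP tool or from Microsoft's suitability scripts. It does two things: run as the low-privilege account you intend to give the assessor, it reports per DC whether that account can already do an LDAP read, reach the RPC endpoint mapper and bind to the WMI namespace remotely; run with -Grant as an administrator of the DCs, it adds a single inheritable ACE to that namespace giving a group only Enable Account, Execute Methods and Remote Enable, which is the narrow alternative to handing out Enterprise Admin. The domain corp.example, the group CORP\ADRAP-Readers and PowerShell 3.0 or later are assumptions.

```powershell
# Added example; not code from the list posts, the ADRAP tool or its
# suitability scripts. Assumed names: domain corp.example and the group
# CORP\ADRAP-Readers, created for the assessor's account.
param(
    [string]$DomainName   = 'corp.example',        # assumption
    [string]$GroupAccount = 'CORP\ADRAP-Readers',  # assumption (DOMAIN\group form)
    [string]$Namespace    = 'root\cimv2',          # namespace the suitability test binds to
    [switch]$Grant                                  # add the read-only ACE instead of testing
)

# Enumerate DCs over LDAP; an ordinary authenticated user can read this by default.
function Get-DomainControllerNames {
    param([string]$Domain)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $dom.DomainControllers | ForEach-Object { $_.Name }
}

# What the current (low-privilege) account can reach on one DC: an LDAP read,
# the RPC endpoint mapper, and the remote WMI bind that needs Remote Enable.
function Test-AssessmentAccess {
    param([string]$Dc, [string]$Ns)
    $r = [ordered]@{ DC = $Dc; Ldap = $false; Rpc135 = $false; Wmi = $false; WmiError = '' }
    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/RootDSE")
        $null = $rootDse.Properties['defaultNamingContext'].Value
        $r.Ldap = $true
    } catch { }
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($Dc, 135)
        $tcp.Close()
        $r.Rpc135 = $true
    } catch { }
    try {
        $os = Get-WmiObject -ComputerName $Dc -Namespace $Ns -Class Win32_OperatingSystem -ErrorAction Stop
        $r.Wmi = [bool]$os
    } catch {
        # For a plain user this is normally "Access denied": DCOM or the namespace
        # DACL refused the remote bind. That single error is what the EA request is about.
        $r.WmiError = $_.Exception.Message
    }
    New-Object PSObject -Property $r
}

# Least-privilege alternative to Enterprise Admin: give the group only the WMI
# rights a read-only collector uses on this namespace, inherited by sub-namespaces.
function Grant-WmiNamespaceReadOnly {
    param([string]$Dc, [string]$Ns, [string]$Account)
    $WBEM_ENABLE         = 0x01   # Enable Account
    $WBEM_METHOD_EXECUTE = 0x02   # Execute Methods (e.g. StdRegProv.GetStringValue)
    $WBEM_REMOTE_ACCESS  = 0x20   # Remote Enable: the bit Authenticated Users lack by default
    $CONTAINER_INHERIT   = 0x02   # ACE flag: propagate to child namespaces
    $mask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS   # no write bits, no WRITE_DAC

    $account = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $sec = Get-WmiObject -ComputerName $Dc -Namespace $Ns -Class __SystemSecurity
    $sd  = $sec.GetSecurityDescriptor().Descriptor
    if ($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid }) {
        return "$Dc`: $Account already has an ACE on $Ns, nothing changed"
    }
    $trustee = ([wmiclass]"\\$Dc\root\cimv2:Win32_Trustee").CreateInstance()
    $trustee.SIDString = $sid
    $ace = ([wmiclass]"\\$Dc\root\cimv2:Win32_Ace").CreateInstance()
    $ace.AccessMask = $mask
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = 0              # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee.psobject.ImmediateBaseObject
    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $ret = $sec.SetSecurityDescriptor($sd.psobject.ImmediateBaseObject)
    if ($ret.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $Dc returned $($ret.ReturnValue)" }
    "$Dc`: granted Enable Account + Execute Methods + Remote Enable on $Ns to $Account"
}

$dcs = Get-DomainControllerNames -Domain $DomainName
if ($Grant) {
    # Run as an administrator of the DCs, once, before the engagement.
    $dcs | ForEach-Object { Grant-WmiNamespaceReadOnly -Dc $_ -Ns $Namespace -Account $GroupAccount }
} else {
    # Run as the assessor's low-privilege account to see what it can already reach.
    $dcs | ForEach-Object { Test-AssessmentAccess -Dc $_ -Ns $Namespace } | Format-Table -AutoSize
}
```

Run the check first. If Ldap and Rpc135 come back true and only Wmi fails with an access-denied message, the gap is a WMI permission on each DC, not a reason for Enterprise Admin. Execute Methods is in the mask because reading the registry over WMI is a method call on StdRegProv; the provider impersonates the caller, so registry ACLs still apply to that account. Two caveats a practitioner will hit: a remote WMI bind is also subject to the DCOM launch and activation limits, so the group additionally needs to be in BUILTIN\Distributed COM Users on the DCs (or be granted Remote Launch and Remote Activation in dcomcnfg), and if the collector's registry reads go through StdRegProv in root\default rather than root\cimv2, run the grant against that namespace too. The grant is idempotent, so it can be re-run safely, and the ACE should be removed when the engagement ends.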
|
|