EZiots
Posts:0
07/12/2007 3:23 AM
LOL never had a real good vibe from the TAM when we had one. Never had
to use them much as when I talked to support I was talking at TIER III
Engineering on wacky stuff. I don't have patience nor time for the
middle man.
But I digress even further into the SLAM the TAM abyss..

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Thursday, July 12, 2007 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
Me too!
Yeah, I kept thinking that Fitz was just joking. I'm not quite sure
though.
The thing is, TAMs are human beings. And you buy time slices in some
situations. Basically, if they do not have an office on your premises,
then you're time sharing the TAM-time.
Can you honestly say that somebody that pays only partial attention to
you will know your environment as well as you'd like for that kind of
support? Will you bet your job on it?
MCS used to have a similar counterpart that would do the same from a
consulting view point. That was in the days before services became one
big happy family though. Since then, they may have become redundant in
some respects since the goal has always been customer satisfaction and
how you get there is not nearly as important as getting there.
But I digress.....

On 7/12/07, joe wrote:
> LOL. I actually spit my drink out reading that. ;o)
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Stewart, Fitz
> Sent: Thursday, July 12, 2007 1:59 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
>
> Isn't that why you pay Premier for a TAM, and why the services are only offered to Premier customers, to "know about your environment" and "why you have made the decisions you have made"?
>
> -fitz
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
> Sent: Tuesday, July 10, 2007 3:03 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
>
> Wait. Everyone at HP is not a printer expert? Huh. That's a let down. I bet everyone at Microsoft is not a Windows 98 expert either right?
>
> :)
>
> joe, I think you have made some really good points about the way that information can and may be used. The folks that do the assessment are often quite capable people. I've seen many that are very good. You did hit the nail on the head though when you talked about the way that an ADRAP and ExRAP may conflict with their assessment. To me, that echoes the way the products come to life and some gaps in the comm between the AD and Exchange team coders/architects. It happens right?
>
> I look at it like this: you as the customer are going to get the 0300 phone call. You may call Microsoft as Matheesha pointed out, but it *could* be too late at that point to do anything other than mop up the oil slick left behind.
>
> I agree with joe. Treat your vendors, even the ones that wrote your apps, as if they are an outsider that do not know about your environment nor why you have made the decisions you have made. They will naturally want to know that information anyway (right?), but it's the rare company that can provide that information for a 3rd party so better to be safe and only provide the least privilege needed to do the job. Even if they tell you it's a lot, ask why - you may be glad you did.
>
> Hey joe, we also agree that *somebody* should do a combined AD/Exchange RAP. If Microsoft isn't going to, perhaps a third party vendor should do that for them. Maybe even a printer expert? ;)
>
> -ajm
>
> On 7/10/07, joe wrote:
> >
> > Hopefully, but there is no guarantee. Certainly I have seen reports where that wasn't the case. For the most part, from the many reports I have seen now, it is mostly boilerplate. Occasionally you will get something specific that takes some oddity of the environment into account.
> >
> > My point on pushing the point on Enterprise Admins is that they shouldn't need those rights to generate a listing of info. This goes back to my audit admin posts from previously. If enough people make life difficult for PSS on this, it won't just be customers asking for it. There really is no reason you ever should have to give PSS Enterprise or even Domain Admins and if you did and they did mess something up, I am not so generous to believe that whomever did it would be so good at fixing it.
> >
> > When I go into an environment I ask for normal user and Exchange View. If someone locked their environment down (say to "protect" info about specific users/groups) then I ask to be in the group that has read access to that as well. That way, regardless of what I do, I can't hurt things. If I need something that cannot be gathered with those rights, I almost always give specific instructions of what I need and how to get it unless I have been told just to supply a script or something like that. It always makes me itch a little though that someone would allow me to supply arbitrary scripts to run with admin level rights. Me who has no deep knowledge nor understanding of your environment and you are just willing to take anything I give you... Not very smart. This goes for MSFT as well. A lot of assumptions have to be in place to just allow that to happen and assumptions are very bad for AD and security.
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> > ________________________________
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha Weerasinghe
> > Sent: Monday, July 09, 2007 4:23 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Thanks Brian. I accept the point on not everyone at MS is expert in AD. But hopefully the chap turning up at site to do the RAP should be.
> >
> > As for Exchange, thanks for the info. We have no Exchange here where I work (only Lotus Domino). Hence I have no knowledge on the requirements for Exchange queries.
> >
> > Cheers
> >
> > M@
> >
> > On 09/07/07, Brian Desmond wrote:
> > >
> > > The tool will run those same WMI queries so if they do require that access you either have to change the WMI ACLs on all the DCs or give up the rights. The suitability script verifies all the connectivity requirements that the tool needs.
> > >
> > > Just because someone works for Microsoft doesn't mean they're the expert on AD. Same token applies to just if someone works for HP they know everything about printers, etc. Like others have said here it very much depends on the knowledge level of the PFE you get onsite for the gig. You can have them do it all on your equipment, they do install the tool there and run it that way in fact since it needs to run in context (e.g. no specifying a username/password to bind under)
> > >
> > > Exchange data is not viewable with straight normal user rights. You need Exchange View Only type rights to read the data which is easily delegated with the little wizard in ESM. This changed some in Exchange 2007 though.
> > >
> > > The actual tool collects a bunch of data from AD but it also touches each DC hence the WMI and RPC checks.
> > >
> > > Thanks,
> > >
> > > Brian Desmond
> > >
> > > brian@briandesmond.com
> > >
> > > c - 312.731.3132
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha
> > > Sent: Monday, July 09, 2007 2:53 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Hi Joe
> > >
> > > I haven't been through an ADRAP yet so I can't comment on exactly why the RAP engineer needs enterprise/domain admin credentials.
> > >
> > > But for example in the suitability scripts that one needs to execute to get some info on the environment, there is a WMI test which connects to the root\cimv2 namespace. They use WMI to query registry values. By default a normal user cannot connect to this namespace on a domain controller remotely. As the domain/enterprise admin can, I believe the simplest thing MSFT can do in these scenarios is to say "please ensure you run the suitability scripts with enterprise admin credentials and ensure we have the same once we are on site" (as opposed to ACLing the namespace to ensure normal users can do the WMI queries required to pass the RAP).
> > >
> > > In the worst case scenario if it breaks... who better to fix other than MSFT? ;-) If you didn't trust them with the skills or confidentiality, then why even choose someone from MSFT to do the RAP? Certain orgs where security is very important ask the engineer to do the needy using equipment there, give his opinion and walk away. No data is allowed to leave site for analysis. But they still have to ensure he is security cleared before he is allowed to touch/see anything.
> > >
> > > As for querying AD, you are right. I am yet to find a query I cannot do due to the normal user credentials used to perform the query.
> > >
> > > Cheers
> > >
> > > M@
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> > > Sent: 09 July 2007 04:22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Combination of two things in my experience makes the RAPs.
> > >
> > > The first is the quality of the engineer executing the RAP. They all get the same info, it is how well they analyze it and understand AD/Exchange as to how good the report is that they generate. You will get the extremely intelligent knowledgeable analysts who will make the resulting report fit well into the goals and design of the environment and then you will get the analysts who may be intelligent but will give you a generic read on the report which may not make much sense in light of how things are done. There is no perfect way to run AD nor design AD, it is an extremely complex and flexible product and different people can and will set it up in different ways and I have seen many a time where a RAP has reported something as incorrect when in fact it was not only correct, but the only proper way to handle the specific item in that environment. I have been on "teams" designed to blow apart the reports generated for ADRAP and ExRAPs because the results don't make sense in the environment and have successfully done so every time it was needed.
> > >
> > > The second is implied in the first answer and it is how "Softian" your environment is. The smaller the environment, the more likely you will be a homogeneous MSFT environment adhering to all of the MSFT ways. The larger the environment the more likely it will be heterogeneous with people paid to think of BETTER ways to do things for that specific environment which may not align well with what a generic report would want so the generated report may not be the best.
> > >
> > > I think the biggest problem is companies who take the RAPs and use it as the gold standard of this is the one and only way things can be set up and any deviation is wrong. Let me say straight up again, there are many ways to do things that are all equally valid and sometimes there are things that would normally be considered not so good that are perfectly acceptable in another environment. Microsoft may have written the product but they are not the end all be all knowledge and understanding of the product, certainly not the PSS/MCS folks. There are people outside of MSFT better suited to understanding the MSFT products in specific environments. A good analyst will admit that right up if asked. Don't get me wrong, there are some amazing PSS/MCS folks but this isn't the standard, IMO, this is the special case. As ~Eric mentioned before, you can't train someone into being an amazing analyst, it just doesn't work that way. You need to get the RAPs and take them as guidance but make sure you look at all of the answers in the context of what your environment is set up to do.
> > >
> > > Another thing to keep in mind, possibly this has changed recently as it has been a HUGE gripe I have had with the whole process in general is that there is no true combined AD/Exchange RAP. You have an ExRAP and you have an ADRAP. They are different things done by different people with different goals. I have seen actual AD RAPs that said AD was spot on great and then followed up a month later by an ExRAP which said that AD was completely screwed and causing massive issues in Exchange with no correlation/combination between the two and when you ask for them to reconcile the results they sort of shrug at you. They need an all inclusive RAP.
> > >
> > > Yet another thing to keep in mind and something I say to push them on is how much rights they want when they walk through the door. Usually they want full Enterprise/Domain/Exchange admin rights and I always like to ask them, so what do you plan on changing? The idea is that they should just be gathering info. Why do they need the ability to change shit if they are just looking? Realistically there are some things that they need higher level rights to get info about but they haven't convinced me to date that they have narrowed it down to specifically what and why. If enough people push them back and feed them the same lines that MSFT is trying to get everyone else into, one of least user rights to do things, then maybe we can get this fixed. I mean come on, all the RAP is is a set of scripts gathering info. How many different ways are there to get the info and do they really know what rights they really need and why?
> > >
> > > If other companies start doing these types of reviews or really anything and they say, well we need enterprise admin and everything else, the recommendation from MSFT would be, well you shouldn't be giving out Enterprise to lots of people. And there is a good reason for that. But this should also apply to MSFT themselves. As I mentioned before, there are great and not so great analysts, not all of them are people I would consider giving high level rights to. Of course they could always say that you could run the scripts, but what do you know about the scripts being run and how is that any different from doing that with any other company or vendor. It isn't.
> > >
> > > joe
> > >
> > > --
> > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > >
> > > ________________________________
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Teo De Las Heras
> > > Sent: Sunday, July 08, 2007 4:39 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Interesting...it seems that what makes the ADRAP is the engineer assigned. My company is also a premier customer and we're looking to do an ADRAP and EXRAP before the year ends. Would you guys mind sharing the names of the engineers that you were impressed with. I'll see if my TAM can schedule them for our ADRAP.
> > >
> > > Teo
> > >
> > > On 7/6/07, Harvey Kamangwitz wrote:
> > > > Hi all,
> > > >
> > > > As a Microsoft Premier customer, they've suggested we go through an AD Risk Assessment Program. I'm still learning what they do (it's conducted by their Field Engineering team) and what the benefits are...in the mean time, I thought it'd be good to see what my compatriots think of the program. Has anyone been through it? Is it worth it?
> > > >
> > > > Thanks,
> > > >
> > > > Harvey
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
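The WMI point raised by Matheesha and Brian above (the suitability script connects to root\cimv2 on each DC, a normal user cannot do that remotely by default, and the choice is between handing over admin credentials or "ACLing the namespace") is a least-privilege decision that can be made concretely. The following is an added example, not code from the thread and not Microsoft's suitability script or RAP tooling. It assumes PowerShell 2.0 or later (Invoke-WmiMethod, New-Object -Property), a constructed group name 'CONTOSO\ADRAP-WMI-Readers', and a helper Get-DomainControllerNames built on System.DirectoryServices. Part 1 is the check: run it as the low-privilege account you intend to give the assessor and it reports, per DC, whether a remote root\cimv2 connection succeeds. Part 2 is the alternative to Enterprise Admin: it appends a single ACE on root\cimv2 granting that group Enable Account plus Remote Enable, which allows remote read queries but nothing that writes the repository. Part 2 has to be run by an account that already holds Write DAC on the namespace (an administrator on that DC).

```powershell
# Added example (not from the thread or from Microsoft's RAP tooling).
# Assumes PowerShell 2.0+; group name and helper names are constructed.

function Get-DomainControllerNames {
    # Enumerate the DCs of the current domain without the ActiveDirectory
    # module, which did not exist when this thread was written.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domain.DomainControllers | ForEach-Object { $_.Name }
}

function Test-RemoteCimv2Access {
    # Part 1: the suitability-style check. Run as the low-privilege account.
    param([string[]]$ComputerName = (Get-DomainControllerNames))
    foreach ($dc in $ComputerName) {
        try {
            # A trivial query: if the namespace connection is refused, this
            # throws Access denied (0x80070005) before any class is read.
            $os = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem `
                                -ComputerName $dc -ErrorAction Stop
            New-Object PSObject -Property @{ DC = $dc; Cimv2Remote = $true;  Detail = $os.Caption }
        } catch {
            New-Object PSObject -Property @{ DC = $dc; Cimv2Remote = $false; Detail = $_.Exception.Message }
        }
    }
}

function Grant-WmiNamespaceRead {
    # Part 2: add an ACCESS_ALLOWED ACE for $GroupName on $Namespace with
    # WBEM_ENABLE (0x1) | WBEM_REMOTE_ACCESS (0x20). That is enough to connect
    # remotely and read; it grants no repository or provider write rights.
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$GroupName,   # e.g. 'CONTOSO\ADRAP-WMI-Readers' (constructed)
        [string]$Namespace = 'root\cimv2'
    )
    $WBEM_ENABLE        = 0x1
    $WBEM_REMOTE_ACCESS = 0x20
    $CONTAINER_INHERIT  = 0x2     # let child namespaces inherit the ACE
    $ACCESS_ALLOWED     = 0x0

    # Resolve the group to a SID so the ACE does not depend on a name lookup on the DC.
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Read the current namespace security descriptor via __SystemSecurity.
    $sec = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
               -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($sec.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($sec.ReturnValue)" }
    $sd = $sec.Descriptor

    # Build the trustee and the ACE.
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = $ACCESS_ALLOWED
    $ace.Trustee    = $trustee

    # Append rather than replace, so the existing DACL entries survive.
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $result = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
                  -Path '__SystemSecurity=@' -Name SetSecurityDescriptor `
                  -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($result.ReturnValue)" }
}

# Usage: check first, grant only where the check fails, then re-check.
# Test-RemoteCimv2Access | Format-Table DC, Cimv2Remote, Detail -AutoSize
# foreach ($dc in Get-DomainControllerNames) {
#     Grant-WmiNamespaceRead -ComputerName $dc -GroupName 'CONTOSO\ADRAP-WMI-Readers'
# }
# Test-RemoteCimv2Access | Format-Table DC, Cimv2Remote, Detail -AutoSize
```

Two caveats worth knowing before relying on this. The namespace ACE is only one of the gates on remote WMI: DCOM remote launch and activation permissions on the DC still apply (membership in the built-in Distributed COM Users group covers the default configuration), and registry values read through WMI are governed by the registry key ACLs, not by the namespace DACL, so a read-only assessor account may still be refused specific keys. Because the grant is a single, explicit ACE on a named group, it can be audited and removed when the engagement ends, which is the property that handing out Enterprise Admin does not have.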
amulnick
Posts:163
07/12/2007 3:25 AM
No no. Don't misunderstand me. I've had great TAMs before. Really.
But I don't expect them to know everything about everything. That's
the part that's unreasonable in my opinion.
Al
On 7/12/07, Ziots, Edward wrote:
> LOL never had a real good vibe from the TAM when we had one. Never had
> to use them much as when I talked to support I was talking at TIER III
> Engineering on wacky stuff. I don't have patience nor time for the
> middle man.
>
> But I digress even further into the SLAM the TAM abyss..
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
> email:eziots@lifespan.org
> cell:401-639-3505
> > > ask
> > them,
> > > so what do you plan on changing? The idea is that they should just
> > > be gathering info. Why do they need the ability to change shit if
> > > they
> > are just
> > > looking? Realistically there are some things that they need higher
> > level
> > > rights to get info about but they haven't convinced me to date that
> > they
> > > have narrowed it down to specifically what and why. If enough people
> > push
> > > them back and feed them the same lines that MSFT is trying to get
> > everyone
> > > else into, one of least user rights to do things, then maybe we can
> > get this
> > > fixed. I mean come on, all the RAP is is a set of scripts gathering
> > info.
> > > How many different ways are there to get the info and do they really
> > know
> > > what rights they really need and why?
> > > > > > > > > > > > > > > > If other companies start doing these types of reviews or really
> > anything
> > > and they say, well we need enterprise admin and everything else, the
> > > > recommendation from MSFT would be, well you shouldn't be giving out
> > > Enterprise to lots of people. And there is a good reason for that.
> > > But
> > this
> > > should also apply to MSFT themselves. As I mentioned before, there
> > > are
> > great
> > > and not so great analysts, not all of them are people I would
> > > consider giving high level rights to. Of course they could always
> > > say that you
> > could
> > > run the scripts, but what do you know about the scripts being run
> > > and
> > how is
> > > that any different from doing that with any other company or vendor.
> > It
> > > isn't.
> > > > > > > > > > > > > > > > > > > > joe
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > --
> > > > > > > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ________________________________
> > > > > > > > > > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Teo De Las
> > > Heras
> > > > Sent: Sunday, July 08, 2007 4:39 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's
> ADRAP?
> > > > > > > > > > > > Interesting...it seems that what makes the ADRAP is the engineer
> > assigned.
> > > My company is also a premier customer and we're looking to do an
> > ADRAP and
> > > EXRAP before the year ends. Would you guys mind sharing the names of
> > the
> > > engineers that you were impressed with. I'll see if my TAM can
> > schedule
> > > them for our ADRAP.
> > > > > > > > > > > > > > > > > > > > > > > > Teo
> > > > > > > > > > > > > > > > On 7/6/07, Harvey Kamangwitz wrote:
> > > > > > > > > > > > Hi all,
> > > > > > > > > > > > > > > > > > > > > > > > As a Microsoft Premier customer, they've suggested we go through
> > > > an
> > AD
> > > Risk Assessment Program. I'm still learning what they do (it's
> > conducted by
> > > their Field Engineering team) and what the benefits are...in the
> > > mean
> > time,
> > > I thought it'd be good to see what my compatriots think of the
> > program. Has
> > > anyone been through it? Is it worth it?
> > > > > > > > > > > > > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > Harvey
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
| EZiots
Posts:0
 | | 07/12/2007 3:30 AM |
| I don't expect them to know anything, it's just another Management hassle
to me, although I have had a few good interactions over the years with
the TAMs.
Z Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:eziots@lifespan.org
cell:401-639-3505
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Thursday, July 12, 2007 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
No no. Don't misunderstand me. I've had great TAMs before. Really.
But I don't expect them to know everything about everything. That's the
part that's unreasonable in my opinion.
Al
On 7/12/07, Ziots, Edward wrote:
> LOL never had a real good vibe from the TAM when we had one. Never had
> to use them much as when I talked to support I was talking at TIER III
> Engineering on wacky stuff. I don't have patience nor time for the
> middle man.
>
> But I digress even further into the SLAM the TAM abyss..
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
> email:eziots@lifespan.org
> cell:401-639-3505
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
> Sent: Thursday, July 12, 2007 3:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
>
> Me too!
>
> Yeah, I kept thinking that Fitz was just joking. I'm not quite sure
> though.
>
> The thing is, TAMs are human beings. And you buy time slices in some
> situations. Basically, if they do not have an office on your
> premises, then you're time sharing the TAM-time.
>
> Can you honestly say that somebody that pays only partial attention to
> you will know your environment as well as you'd like for that kind of
> support? Will you bet your job on it?
>
> MCS used to have a similar counterpart that would do the same from a
> consulting view point. That was in the days before services became
> one big happy family though. Since then, they may have become
> redundant in some respects since the goal has always been customer
> satisfaction and how you get there is not nearly as important as
> getting there.
>
> But I digress.....
>
> On 7/12/07, joe wrote:
> > LOL. I actually spit my drink out reading that. ;o)
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Stewart,
> > Fitz
> > Sent: Thursday, July 12, 2007 1:59 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Isn't that why you pay Premier for a TAM, and why the services are
> > only offered to Premier customers, to "know about your environment"
> > and "why you have made the decisions you have made"?
> >
> > -fitz
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
> > Sent: Tuesday, July 10, 2007 3:03 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Wait. Everyone at HP is not a printer expert? Huh. That's a let down.
> > I bet everyone at Microsoft is not a Windows 98 expert either right?
> >
> > :)
> >
> > joe, I think you have made some really good points about the way
> > that information can and may be used. The folks that do the
> > assessment are often quite capable people. I've seen many that are
> > very good. You did hit the nail on the head though when you talked
> > about the way that an ADRAP and ExRAP may conflict with their
> > assessment. To me, that echoes the way the products come to life and
> > some gaps in the comm between the AD and Exchange team
> > coders/architects. It happens right?
> >
> > I look at it like this: you as the customer are going to get the
> > 0300 phone call. You may call Microsoft as Matheesha pointed out,
> > but it *could* be too late at that point to do anything other than
> > mop up the oil slick left behind.
> >
> > I agree with joe. Treat your vendors, even the ones that wrote your
> > apps, as if they are an outsider that do not know about your
> > environment nor why you have made the decisions you have made. They
> > will naturally want to know that information anyway (right?), but
> > it's the rare company that can provide that information for a 3rd
> > party so better to be safe and only provide the least privilege
> > needed to do the job. Even if they tell you it's a lot, ask why - you
> > may be glad you did.
> >
> > Hey joe, we also agree that *somebody* should do a combined
> > AD/Exchange RAP. If Microsoft isn't going to, perhaps a third party
> > vendor should do that for them. Maybe even a printer expert? ;)
> >
> > -ajm
> >
> > On 7/10/07, joe wrote:
> > > Hopefully, but there is no guarantee. Certainly I have seen reports
> > > where that wasn't the case. For the most part, from the many reports I
> > > have seen now, it is mostly boilerplate. Occasionally you will get
> > > something specific that takes some oddity of the environment into
> > > account.
> > >
> > > My point on pushing the point on Enterprise Admins is that they
> > > shouldn't need those rights to generate a listing of info. This goes
> > > back to my audit admin posts from previously. If enough people make life
> > > difficult for PSS on this, it won't just be customers asking for it.
> > > There really is no reason you ever should have to give PSS Enterprise or
> > > even Domain Admins and if you did and they did mess something up, I am
> > > not so generous to believe that whomever did it would be so good at
> > > fixing it.
> > >
> > > When I go into an environment I ask for normal user and Exchange View.
> > > If someone locked their environment down (say to "protect" info about
> > > specific users/groups) then I ask to be in the group that has read
> > > access to that as well. That way, regardless of what I do, I can't hurt
> > > things. If I need something that cannot be gathered with those rights, I
> > > almost always give specific instructions of what I need and how to get
> > > it unless I have been told just to supply a script or something like
> > > that. It always makes me itch a little though that someone would allow
> > > me to supply arbitrary scripts to run with admin level rights. Me who
> > > has no deep knowledge nor understanding of your environment and you are
> > > just willing to take anything I give you... Not very smart. This goes
> > > for MSFT as well. A lot of assumptions have to be in place to just allow
> > > that to happen and assumptions are very bad for AD and security.
> > >
> > > --
> > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > >
> > > ________________________________
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha
> > > Weerasinghe
> > > Sent: Monday, July 09, 2007 4:23 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Thanks Brian. I accept the point on not everyone at MS is expert in
> > > AD. But hopefully the chap turning up at site to do the RAP should be.
> > >
> > > As for exchange, thanks for the info. We have no exchange here where I
> > > work (only lotus domino). Hence I have no knowledge on the requirements
> > > for exchange queries.
> > >
> > > Cheers
> > >
> > > M@
> > >
> > > On 09/07/07, Brian Desmond wrote:
> > >
> > > The tool will run those same WMI queries so if they do require that
> > > access you either have to change the WMI ACLs on all the DCs or give up
> > > the rights. The suitability script verifies all the connectivity
> > > requirements that the tool needs.
> > >
> > > Just because someone works for Microsoft doesn't mean they're the expert
> > > on AD. Same token applies to just if someone works for HP they know
> > > everything about printers, etc. Like others have said here it very much
> > > depends on the knowledge level of the PFE you get onsite for the gig.
> > > You can have them do it all on your equipment, they do install the tool
> > > there and run it that way in fact since it needs to run in context (e.g.
> > > no specifying a username/password to bind under)
> > >
> > > Exchange data is not viewable with straight normal user rights. You need
> > > Exchange View Only type rights to read the data which is easily
> > > delegated with the little wizard in ESM. This changed some in exchange
> > > 2007 though.
> > >
> > > The actual tool collects a bunch of data from AD but it also touches
> > > each DC hence the WMI and RPC checks.
> > >
> > > Thanks,
> > >
> > > Brian Desmond
> > >
> > > brian@briandesmond.com
> > >
> > > c - 312.731.3132
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha
> > > Sent: Monday, July 09, 2007 2:53 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Hi Joe
> > >
> > > I haven't been through an ADRAP yet so I can't comment on exactly why
> > > the RAP engineer needs enterprise/domain admin credentials.
> > >
> > > But for example in the suitability scripts that one needs to execute to
> > > get some info on the environment, there is a WMI test which connects to
> > > the root\cimv2 namespace. They use WMI to query registry values. By
> > > default a normal user cannot connect to this namespace on a domain
> > > controller remotely. As the domain/enterprise admin can, I believe the
> > > simplest thing MSFT can do in these scenarios is to say "please ensure
> > > you run the suitability scripts with enterprise admin credentials and
> > > ensure we have the same once we are on site" (as opposed to ACLing the
> > > namespace to ensure normal users can do the WMI queries required to pass
> > > the RAP).
> > >
> > > In the worst case scenario if it breaks... who better to fix other than
> > > MSFT? ;-) If you didn't trust them with the skills or confidentiality,
> > > then why even choose someone from MSFT to do the RAP? Certain orgs where
> > > security is very important ask the engineer to do the needy using
> > > equipment there, give his opinion and walk away. No data is allowed to
> > > leave site for analysis. But they still have to ensure he is security
> > > cleared before he is allowed to touch/see anything.
> > >
> > > As for querying AD, you are right. I am yet to find a query I cannot do
> > > due to the normal user credentials used to perform the query.
> > >
> > > Cheers
> > >
> > > M@
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> > > Sent: 09 July 2007 04:22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Combination of two things in my experience makes the RAPs.
> > >
> > > The first is the quality of the engineer executing the RAP. They all
> > > get the same info, it is how well they analyze it and understand
> > > AD/Exchange as to how good the report is that they generate. You will
> > > get the extremely intelligent knowledgeable analysts who will make the
> > > resulting report fit well into the goals and design of the environment
> > > and then you will get the analysts who may be intelligent but will give
> > > you a generic read on the report which may not make much sense in light
> > > of how things are done. There is no perfect way to run AD nor design AD,
> > > it is an extremely complex and flexible product and different people can
> > > and will set it up in different ways and I have seen many a time where a
> > > RAP has reported something as incorrect when in fact it was not only
> > > correct, but the only proper way to handle the specific item in that
> > > environment. I have been on "teams" designed to blow apart the reports
> > > generated for ADRAP and ExRAPs because the results don't make sense in
> > > the environment and have successfully done so every time it was needed.
> > >
> > > The second is implied in the first answer and it is how "Softian" your
> > > environment is. The smaller the environment, the more likely you will be
> > > a homogeneous MSFT environment adhering to all of the MSFT ways. The
> > > larger the environment the more likely it will be heterogeneous with
> > > people paid to think of BETTER ways to do things for that specific
> > > environment which may not align well with what a generic report would
> > > want so the generated report may not be the best.
> > >
> > > I think the biggest problem is companies who take the RAPs and use it as
> > > the gold standard of this is the one and only way things can be set up
> > > and any deviation is wrong. Let me say straight up again, there are many
> > > ways to do things that are all equally valid and sometimes there are
> > > things that would normally be considered not so good that are perfectly
> > > acceptable in another environment. Microsoft may have written the
> > > product but they are not the end all be all knowledge and understanding
> > > of the product, certainly not the PSS/MCS folks. There are people
> > > outside of MSFT better suited to understanding the MSFT products in
> > > specific environments. A good analyst will admit that right up if asked.
> > > Don't get me wrong, there are some amazing PSS/MCS folks but this isn't
> > > the standard, IMO, this is the special case. As ~Eric mentioned before,
> > > you can't train someone into being an amazing analyst, it just doesn't
> > > work that way. You need to get the RAPs and take them as guidance but
> > > make sure you look at all of the answers in the context of what your
> > > environment is set up to do.
> > >
> > > Another thing to keep in mind, possibly this has changed recently as it
> > > has been a HUGE gripe I have had with the whole process in general is
> > > that there is no true combined AD/Exchange RAP. You have an ExRAP and
> > > you have an ADRAP. They are different things done by different people
> > > with different goals. I have seen actual AD RAPs that said AD was spot
> > > on great and then followed up a month later by an ExRAP which said that
> > > AD was completely screwed and causing massive issues in Exchange with no
> > > correlation/combination between the two and when you ask for them to
> > > reconcile the results they sort of shrug at you. They need an all
> > > inclusive RAP.
> > >
> > > Yet another thing to keep in mind and something I say to push them on
> > > is how much rights they want when they walk through the door. Usually
> > > they want full Enterprise/Domain/Exchange admin rights and I always like
> > > to ask them, so what do you plan on changing? The idea is that they
> > > should just be gathering info. Why do they need the ability to change
> > > shit if they are just looking? Realistically there are some things that
> > > they need higher level rights to get info about but they haven't
> > > convinced me to date that they have narrowed it down to specifically
> > > what and why. If enough people push them back and feed them the same
> > > lines that MSFT is trying to get everyone else into, one of least user
> > > rights to do things, then maybe we can get this fixed. I mean come on,
> > > all the RAP is is a set of scripts gathering info. How many different
> > > ways are there to get the info and do they really know what rights they
> > > really need and why?
> > >
> > > If other companies start doing these types of reviews or really
> > > anything and they say, well we need enterprise admin and everything
> > > else, the recommendation from MSFT would be, well you shouldn't be
> > > giving out Enterprise to lots of people. And there is a good reason for
> > > that. But this should also apply to MSFT themselves. As I mentioned
> > > before, there are great and not so great analysts, not all of them are
> > > people I would consider giving high level rights to. Of course they
> > > could always say that you could run the scripts, but what do you know
> > > about the scripts being run and how is that any different from doing
> > > that with any other company or vendor. It isn't.
> > >
> > > joe
> > >
> > > --
> > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > >
> > > ________________________________
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Teo De
> > > Las Heras
> > > Sent: Sunday, July 08, 2007 4:39 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Interesting...it seems that what makes the ADRAP is the engineer
> > > assigned. My company is also a premier customer and we're looking to do
> > > an ADRAP and EXRAP before the year ends. Would you guys mind sharing the
> > > names of the engineers that you were impressed with. I'll see if my TAM
> > > can schedule them for our ADRAP.
> > >
> > > Teo
> > >
> > > On 7/6/07, Harvey Kamangwitz wrote:
> > >
> > > > Hi all,
> > > >
> > > > As a Microsoft Premier customer, they've suggested we go through an AD
> > > > Risk Assessment Program. I'm still learning what they do (it's
> > > > conducted by their Field Engineering team) and what the benefits
> > > > are...in the mean time, I thought it'd be good to see what my
> > > > compatriots think of the program. Has anyone been through it? Is it
> > > > worth it?
> > > >
> > > > Thanks,
> > > >
> > > > Harvey
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
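Matheesha's point above (a normal user cannot connect to root\cimv2 on a DC remotely, and the easy answer is to hand the assessor Enterprise Admin) and joe's least-privilege push both come down to the same defender's question: can the namespace be delegated instead? The following is an added example, not the thread's or Microsoft's own tooling; it grants a dedicated read-only group only "Enable Account" and "Remote Enable" on root\cimv2 of a DC via the __SystemSecurity class, and includes a check the assessment account can run before and after. The DC name and group name are placeholders, and the grant must be run as a local administrator on the DC.

```powershell
# Added example, not from the thread or from Microsoft's ADRAP tooling.
# Least-privilege alternative to handing an assessor Domain/Enterprise Admin:
# grant a dedicated read-only group "Enable Account" + "Remote Enable" on
# root\cimv2 of a DC so the suitability script's remote WMI reads succeed.
# Assumptions (placeholders): $Dc and $Group; the grant runs as a local admin
# on the DC; PowerShell 2.0+ (Get-WmiObject / Invoke-WmiMethod).

$Dc        = 'DC01.corp.example'     # placeholder DC name
$Group     = 'CORP\ADRAP-ReadOnly'   # placeholder read-only assessment group
$Namespace = 'root\cimv2'

# WMI namespace access-mask bits (wbemcli.h). By default Authenticated Users
# hold Enable Account but not Remote Enable, which is why a plain user can
# read locally but not remotely. Deliberately NOT granted here:
# WBEM_METHOD_EXECUTE (0x2), WBEM_*_WRITE_REP (0x4/0x8), WBEM_WRITE_PROVIDER (0x10).
$WBEM_ENABLE        = 0x1     # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20    # "Remote Enable"
$ACCESS_ALLOWED_ACE = 0x0
$CONTAINER_INHERIT  = 0x2     # let the ACE flow to sub-namespaces

function Test-RemoteWmiRead {
    # Returns $true if the *current* caller can read Win32_OperatingSystem
    # remotely. Run it as the assessment account before and after the grant.
    param([string]$ComputerName, [string]$Ns)
    try {
        $null = Get-WmiObject -ComputerName $ComputerName -Namespace $Ns `
                              -Class Win32_OperatingSystem -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Grant-WmiNamespaceRead {
    # Adds one allow ACE (Enable Account + Remote Enable) for $Account to the
    # namespace DACL; idempotent, returns 'already-granted' or 'granted'.
    param([string]$ComputerName, [string]$Ns, [string]$Account)

    # Pull the namespace security descriptor via the __SystemSecurity singleton.
    $sd = (Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Ns `
              -Path '__systemsecurity=@' -Name GetSecurityDescriptor).Descriptor

    # Resolve the group to a SID string for the Win32_Trustee.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $wanted = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    foreach ($existing in $sd.DACL) {
        if ($existing.Trustee.SIDString -eq $sid -and
            $existing.AceType -eq $ACCESS_ALLOWED_ACE -and
            (($existing.AccessMask -band $wanted) -eq $wanted)) {
            return 'already-granted'
        }
    }

    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SIDString = $sid

    $ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
    $ace.AccessMask = $wanted
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = $ACCESS_ALLOWED_ACE
    $ace.Trustee    = $trustee

    # Append the ACE and write the descriptor back; non-zero means WMI refused it.
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $result = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Ns `
                  -Path '__systemsecurity=@' -Name SetSecurityDescriptor `
                  -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($result.ReturnValue -ne 0) {
        throw "SetSecurityDescriptor failed with $($result.ReturnValue)"
    }
    return 'granted'
}

# Usage: as the DC admin, delegate; then, as a member of $Group, verify.
Grant-WmiNamespaceRead -ComputerName $Dc -Ns $Namespace -Account $Group
Test-RemoteWmiRead     -ComputerName $Dc -Ns $Namespace
```

Remote WMI as a non-administrator also needs DCOM remote access on the DC (for example membership in the local Distributed COM Users group), so Test-RemoteWmiRead run as the assessment account is the check that both pieces are in place. Do the same per DC, since Brian notes the tool touches every DC.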
| listmail
Posts:822
 | | 07/12/2007 3:37 AM |
| I've had them living onsite with a whole collection of PSS and MCS resources
also onsite and I still haven't seen the "service" having a view and
understanding of what was done and why. I have had a few REALLY GOOD
individuals who did but that wasn't a function of the TAM or the Premier
agreement, it was a function of the individual people. I had multiple phone
calls in a single day where I was explaining the WINS architecture to them
when MSFT is the one who originally designed it for us and they had all of
the documentation (supposedly right at hand) and when I asked the question,
don't we pay you guys to be fully aware of what we are doing here the
subject changed and I never got a response to that.
You pay for an Alliance or Premier contract so you have the people handy to
give you access to info you can't find yourself because it isn't publicly
documented. You pay for it to get their advice. You do not pay it so they
know your environment and can make suggestions that you should follow
without thinking through. If you ever do something without reviewing it in
terms of your environment and what impact it will have there that comes from
PSS or any vendor, you deserve anything that happens to you.
I am not a fan of being cynical but experience has dug some deep wounds and
you have to be aware of reality when working on your production environment.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Thursday, July 12, 2007 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
Me too!
Yeah, I kept thinking that Fitz was just joking. I'm not quite sure though.
The thing is, TAMs are human beings. And you buy time slices in some
situations. Basically, if they do not have an office on your
premises, then you're time sharing the TAM-time.
Can you honestly say that somebody that pays only partial attention to
you will know your environment as well as you'd like for that kind of
support? Will you bet your job on it?
MCS used to have a similar counterpart that would do the same from a
consulting view point. That was in the days before services became
one big happy family though. Since then, they may have become
redundant in some respects since the goal has always been customer
satisfaction and how you get there is not nearly as important as
getting there.
But I digress.....

On 7/12/07, joe wrote:
> LOL. I actually spit my drink out reading that. ;o)
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Stewart, Fitz
> Sent: Thursday, July 12, 2007 1:59 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > Isn't that why you pay Premier for a TAM, and why the services are only
> offered to Premier customers, to "know about your environment" and "why
> you have made the decisions you have made"?
> > -fitz
> > -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
> Sent: Tuesday, July 10, 2007 3:03 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > Wait. Everyone at HP is not a printer expert? Huh. That's a let down.
> I bet everyone at Microsoft is not a Windows 98 expert either right?
> > :)
> > joe, I think you have made some really good points about the way that
> information can and may be used. The folks that do the assessment are
> often quite capable people. I've seen many that are very good. You
> did hit the nail on the head though when you talked about the way that
> an ADRAP and ExRAP may conflict with their assessment. To me, that
> echoes the way the products come to life and some gaps in the comm
> between the AD and Exchange team coders/architects. It happens right?
> > I look at it like this: you as the customer are going to get the 0300
> phone call. You may call Microsoft as Matheesha pointed out, but it
> *could* be too late at that point to do anything other than mop up the
> oil slick left behind.
> > I agree with joe. Treat your vendors, even the ones that wrote your
> apps, as if they are an outsider that do not know about your
> environment nor why you have made the decisions you have made. They
> will naturally want to know that information anyway (right?), but it's
> the rare company that can provide that information for a 3rd party so
> better to be safe and only provide the least privilege needed to do
> the job. Even if they tell you it's a lot, ask why - you may be glad
> you did.
> > Hey joe, we also agree that *somebody* should do a combined
> AD/Exchange RAP. If Microsoft isn't going to, perhaps a third party
> vendor should do that for them. Maybe even a printer expert? ;)
> > -ajm
> > On 7/10/07, joe wrote:
> > Hopefully, but there is no guarantee. Certainly I have seen reports where that wasn't the case. For the most part, from the many reports I have seen now, it is mostly boilerplate. Occasionally you will get something specific that takes some oddity of the environment into account.
> >
> > My point on pushing the point on Enterprise Admins is that they shouldn't need those rights to generate a listing of info. This goes back to my audit admin posts from previously. If enough people make life difficult for PSS on this, it won't just be customers asking for it. There really is no reason you ever should have to give PSS Enterprise or even Domain Admins, and if you did and they did mess something up, I am not so generous to believe that whoever did it would be so good at fixing it.
> >
> > When I go into an environment I ask for normal user and Exchange View. If someone locked their environment down (say to "protect" info about specific users/groups) then I ask to be in the group that has read access to that as well. That way, regardless of what I do, I can't hurt things. If I need something that cannot be gathered with those rights, I almost always give specific instructions of what I need and how to get it unless I have been told just to supply a script or something like that. It always makes me itch a little though that someone would allow me to supply arbitrary scripts to run with admin level rights. Me, who has no deep knowledge nor understanding of your environment, and you are just willing to take anything I give you... Not very smart. This goes for MSFT as well. A lot of assumptions have to be in place to just allow that to happen, and assumptions are very bad for AD and security.
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> > ________________________________
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha Weerasinghe
> > Sent: Monday, July 09, 2007 4:23 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Thanks Brian. I accept the point that not everyone at MS is an expert in AD. But hopefully the chap turning up at site to do the RAP should be.
> >
> > As for Exchange, thanks for the info. We have no Exchange here where I work (only Lotus Domino). Hence I have no knowledge on the requirements for Exchange queries.
> >
> > Cheers
> >
> > M@
> >
> > On 09/07/07, Brian Desmond wrote:
> > > The tool will run those same WMI queries, so if they do require that access you either have to change the WMI ACLs on all the DCs or give up the rights. The suitability script verifies all the connectivity requirements that the tool needs.
> > >
> > > Just because someone works for Microsoft doesn't mean they're the expert on AD. By the same token, just because someone works for HP doesn't mean they know everything about printers, etc. Like others have said here, it very much depends on the knowledge level of the PFE you get onsite for the gig. You can have them do it all on your equipment; they do install the tool there and run it that way in fact, since it needs to run in context (e.g. no specifying a username/password to bind under).
> > >
> > > Exchange data is not viewable with straight normal user rights. You need Exchange View Only type rights to read the data, which is easily delegated with the little wizard in ESM. This changed some in Exchange 2007 though.
> > >
> > > The actual tool collects a bunch of data from AD, but it also touches each DC, hence the WMI and RPC checks.
> > >
> > > Thanks,
> > >
> > > Brian Desmond
> > >
> > > brian@briandesmond.com
> > >
> > > c - 312.731.3132
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha
> > > Sent: Monday, July 09, 2007 2:53 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > > Hi Joe
> > >
> > > I haven't been through an ADRAP yet, so I can't comment on exactly why the RAP engineer needs enterprise/domain admin credentials.
> > >
> > > But for example, in the suitability scripts that one needs to execute to get some info on the environment, there is a WMI test which connects to the root\cimv2 namespace. They use WMI to query registry values. By default a normal user cannot connect to this namespace on a domain controller remotely. As the domain/enterprise admin can, I believe the simplest thing MSFT can do in these scenarios is to say "please ensure you run the suitability scripts with enterprise admin credentials and ensure we have the same once we are on site" (as opposed to ACLing the namespace to ensure normal users can do the WMI queries required to pass the RAP).
> > >
> > > In the worst case scenario, if it breaks... who better to fix it than MSFT? ;-) If you didn't trust them with the skills or confidentiality, then why even choose someone from MSFT to do the RAP? Certain orgs where security is very important ask the engineer to do the needful using equipment there, give his opinion and walk away. No data is allowed to leave site for analysis. But they still have to ensure he is security cleared before he is allowed to touch/see anything.
> > >
> > > As for querying AD, you are right. I am yet to find a query I cannot do due to the normal user credentials used to perform the query.
> > >
> > > Cheers
> > >
> > > M@
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> > > Sent: 09 July 2007 04:22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > > A combination of two things in my experience makes the RAPs.
> > >
> > > The first is the quality of the engineer executing the RAP. They all get the same info; it is how well they analyze it and understand AD/Exchange that determines how good the report is that they generate. You will get the extremely intelligent, knowledgeable analysts who will make the resulting report fit well into the goals and design of the environment, and then you will get the analysts who may be intelligent but will give you a generic read on the report which may not make much sense in light of how things are done. There is no perfect way to run AD nor design AD; it is an extremely complex and flexible product and different people can and will set it up in different ways, and I have seen many a time where a RAP has reported something as incorrect when in fact it was not only correct, but the only proper way to handle the specific item in that environment. I have been on "teams" designed to blow apart the reports generated for ADRAPs and ExRAPs because the results don't make sense in the environment, and have successfully done so every time it was needed.
> > >
> > > The second is implied in the first answer, and it is how "Softian" your environment is. The smaller the environment, the more likely you will be a homogeneous MSFT environment adhering to all of the MSFT ways. The larger the environment, the more likely it will be heterogeneous, with people paid to think of BETTER ways to do things for that specific environment which may not align well with what a generic report would want, so the generated report may not be the best.
> > >
> > > I think the biggest problem is companies who take the RAPs and use them as the gold standard of "this is the one and only way things can be set up and any deviation is wrong". Let me say straight up again, there are many ways to do things that are all equally valid, and sometimes there are things that would normally be considered not so good that are perfectly acceptable in another environment. Microsoft may have written the product but they are not the end all be all of knowledge and understanding of the product, certainly not the PSS/MCS folks. There are people outside of MSFT better suited to understanding the MSFT products in specific environments. A good analyst will admit that right up if asked. Don't get me wrong, there are some amazing PSS/MCS folks, but this isn't the standard, IMO, this is the special case. As ~Eric mentioned before, you can't train someone into being an amazing analyst; it just doesn't work that way. You need to get the RAPs and take them as guidance, but make sure you look at all of the answers in the context of what your environment is set up to do.
> > >
> > > Another thing to keep in mind (possibly this has changed recently, as it has been a HUGE gripe I have had with the whole process in general) is that there is no true combined AD/Exchange RAP. You have an ExRAP and you have an ADRAP. They are different things done by different people with different goals. I have seen actual AD RAPs that said AD was spot on great and then followed up a month later by an ExRAP which said that AD was completely screwed and causing massive issues in Exchange, with no correlation/combination between the two, and when you ask for them to reconcile the results they sort of shrug at you. They need an all inclusive RAP.
> > >
> > > Yet another thing to keep in mind, and something I say to push them on, is how many rights they want when they walk through the door. Usually they want full Enterprise/Domain/Exchange admin rights, and I always like to ask them, so what do you plan on changing? The idea is that they should just be gathering info. Why do they need the ability to change shit if they are just looking? Realistically there are some things that they need higher level rights to get info about, but they haven't convinced me to date that they have narrowed it down to specifically what and why. If enough people push them back and feed them the same lines that MSFT is trying to get everyone else into, one of least user rights to do things, then maybe we can get this fixed. I mean come on, all the RAP is is a set of scripts gathering info. How many different ways are there to get the info, and do they really know what rights they really need and why?
> > >
> > > If other companies start doing these types of reviews, or really anything, and they say, well we need enterprise admin and everything else, the recommendation from MSFT would be, well you shouldn't be giving out Enterprise to lots of people. And there is a good reason for that. But this should also apply to MSFT themselves. As I mentioned before, there are great and not so great analysts; not all of them are people I would consider giving high level rights to. Of course they could always say that you could run the scripts, but what do you know about the scripts being run, and how is that any different from doing that with any other company or vendor? It isn't.
> > >
> > > joe
> > >
> > > --
> > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > >
> > > ________________________________
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Teo De Las Heras
> > > Sent: Sunday, July 08, 2007 4:39 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Interesting... it seems that what makes the ADRAP is the engineer assigned. My company is also a Premier customer and we're looking to do an ADRAP and EXRAP before the year ends. Would you guys mind sharing the names of the engineers that you were impressed with? I'll see if my TAM can schedule them for our ADRAP.
> > >
> > > Teo
> > >
> > > On 7/6/07, Harvey Kamangwitz wrote:
> > > > Hi all,
> > > >
> > > > As a Microsoft Premier customer, they've suggested we go through an AD Risk Assessment Program. I'm still learning what they do (it's conducted by their Field Engineering team) and what the benefits are... in the mean time, I thought it'd be good to see what my compatriots think of the program. Has anyone been through it? Is it worth it?
> > > >
> > > > Thanks,
> > > >
> > > > Harvey
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
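The quoted exchange above leaves the practical question open: the RAP suitability test connects remotely to root\cimv2 on each DC and reads registry values through WMI, a normal user cannot do that by default, and the choices named are "ACL the namespace" or "hand over Enterprise Admins". The PowerShell below is an added example for this page, not Microsoft's suitability script, not the RAP tool and not code from any poster. It does the first option the least-privilege way: one of your own admins runs it once, it grants an audit group Enable Account + Execute Methods + Remote Enable (no write bits) on the WMI namespaces, puts the group in the Distributed COM Users Builtin group so DCOM lets it in remotely, and then verifies as the assessment account that a registry value is readable. The DC names, the CORP domain, the group CORP\AD-Audit-Readers, its DN and the account CORP\audit-svc are placeholders. It covers root\default as well as root\cimv2 because StdRegProv is registered in root\default on Windows Server 2003, which goes beyond what the thread mentions; registry key ACLs on the DC still apply on top of the WMI ACL.

```powershell
# Added example, not the RAP suitability script. Run once as a DC administrator.
# Placeholders (assumptions): DC names, CORP domain, audit group and its DN, audit account.
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')   # assumed
$AuditGroup        = 'CORP\AD-Audit-Readers'                         # assumed
$AuditGroupDn      = 'CN=AD-Audit-Readers,OU=Groups,DC=corp,DC=example'  # assumed
$Namespaces        = @('root\cimv2', 'root\default')   # StdRegProv lives in root\default on 2003, in root\cimv2 too from Vista on

# WMI namespace access-mask bits (wbemcli.h). Deliberately no Full Write, Partial Write
# or Provider Write, so the account can read and call read-only methods but change nothing.
$WBEM_ENABLE           = 0x01
$WBEM_METHOD_EXECUTE   = 0x02   # StdRegProv reads (GetStringValue etc.) are method calls
$WBEM_REMOTE_ACCESS    = 0x20   # "Remote Enable" in wmimgmt.msc
$CONTAINER_INHERIT_ACE = 0x02   # inherit to sub-namespaces
$ReadOnlyMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS

function Grant-WmiNamespaceReadOnly {
    param([string]$Computer, [string]$Namespace, [string]$Account, [int]$AccessMask)

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $domain, $name = $Account -split '\\', 2

    # Read the namespace DACL from the __SystemSecurity singleton on the remote DC.
    $target = @{ ComputerName = $Computer; Namespace = $Namespace; Path = '__SystemSecurity=@' }
    $sd = (Invoke-WmiMethod @target -Name GetSecurityDescriptor).Descriptor

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $trustee.Name      = $name
    $trustee.Domain    = $domain

    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = 0                     # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    # Append the allow ACE and write the descriptor back; existing ACEs are kept.
    $sd.DACL += $ace.psobject.immediateBaseObject
    $result = Invoke-WmiMethod @target -Name SetSecurityDescriptor -ArgumentList $sd.psobject.immediateBaseObject
    if ($result.ReturnValue -ne 0) {
        throw "SetSecurityDescriptor on $Computer $Namespace failed with $($result.ReturnValue)"
    }
}

function Add-ToDistributedComUsers {
    # Remote WMI also needs DCOM remote launch/activation. On DCs, "Distributed COM Users"
    # is a domain Builtin group (Server 2003 SP1 and later), so one LDAP change covers all DCs.
    param([string]$MemberDn)
    $domainDn  = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $dcomUsers = [ADSI]"LDAP://CN=Distributed COM Users,CN=Builtin,$domainDn"
    if (-not ($dcomUsers.member -contains $MemberDn)) {
        $dcomUsers.Add("LDAP://$MemberDn")
    }
}

function Test-AuditAccountAccess {
    # Run the same kind of query the suitability test does, but as the audit account.
    param([string]$Computer, [pscredential]$Credential)
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -Credential $Credential -ErrorAction Stop
    $reg = Get-WmiObject -List -Class StdRegProv -Namespace root\default -ComputerName $Computer -Credential $Credential -ErrorAction Stop
    $HKLM = 2147483650
    $r = $reg.GetStringValue($HKLM, 'SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'ProductName')
    [pscustomobject]@{ Computer = $Computer; OS = $os.Caption; ProductName = $r.sValue; ReturnValue = $r.ReturnValue }
}

# One-time delegation by your admin, then verification as the low-privileged assessment account.
Add-ToDistributedComUsers -MemberDn $AuditGroupDn
foreach ($dc in $DomainControllers) {
    foreach ($ns in $Namespaces) {
        Grant-WmiNamespaceReadOnly -Computer $dc -Namespace $ns -Account $AuditGroup -AccessMask $ReadOnlyMask
    }
}
$auditCred = Get-Credential 'CORP\audit-svc'   # member of $AuditGroup; assumed name
foreach ($dc in $DomainControllers) { Test-AuditAccountAccess -Computer $dc -Credential $auditCred }
```

Group membership is only picked up on a fresh logon, so the verification step needs a token obtained after the Builtin group change. Because the RAP tool runs in the logged-on user's context (no separate bind credentials), the engineer would log on as the audit account rather than as an admin; if the suitability script then fails on a specific query, that failure names the exact right still missing, which is the "what and why" the thread asks Microsoft to narrow down to. Any RPC checks the tool performs against the DCs are outside what this example grants.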
| amulnick
Posts:163
 | | 07/12/2007 4:18 AM |
| Ah. Ok. The selling point is that they know your environment and can
offer better advice. If you get good TAMS and enterprise consultants,
you get that. If you don't, you...don't.
It is definitely a function of the people. No question. It's also a
function of the expectations you have - if you expect them to know the
entire product line to the bit and byte level, then you'll be
disappointed at some point in the next few conversations. If you
expect them to give you access AND to know your environment and
culture, then you have a better shot of getting what you're after.
At a minimum, you do expect the access. You may not get that these days....
On 7/12/07, joe wrote:
> I've had them living onsite with a whole collection of PSS and MCS resources
> also onsite and I still haven't seen the "service" having a view and
> understanding of what was done and why. I have had a few REALLY GOOD
> individuals who did but that wasn't a function of the TAM or the Premier
> agreement, it was a function of the individual people. I had multiple phone
> calls in a single day where I was explaining the WINS architecture to them
> when MSFT is the one who originally designed it for us and they had all of
> the documentation (supposedly right at hand) and when I asked the question,
> don't we pay you guys to be fully aware of what we are doing here the
> subject changed and I never got a response to that.
> You pay for an Alliance or Premier contract so you have the people handy to give you access to info you can't find yourself because it isn't publicly documented. You pay for it to get their advice. You do not pay it so they know your environment and can make suggestions that you should follow without thinking through. If you ever do something without reviewing it in terms of your environment and what impact it will have there that comes from PSS or any vendor, you deserve anything that happens to you.
>
> I am not a fan of being cynical but experience has dug some deep wounds and you have to be aware of reality when working on your production environment.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> > schedule
> > > them for our ADRAP.
> > > > > > > > > > > > > > > > > > > > > > > > Teo
> > > > > > > > > > > > > > > > On 7/6/07, Harvey Kamangwitz wrote:
> > > > > > > > > > > > Hi all,
> > > > > > > > > > > > > > > > > > > > > > > > As a Microsoft Premier customer, they've suggested we go through an
> > AD
> > > Risk Assessment Program. I'm still learning what they do (it's
> > conducted by
> > > their Field Engineering team) and what the benefits are...in the mean
> > time,
> > > I thought it'd be good to see what my compatriots think of the
> > program. Has
> > > anyone been through it? Is it worth it?
> > > > > > > > > > > > > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > Harvey
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx | | | |
| StewartJF
Posts:0
 | | 07/13/2007 12:17 PM |
| Good dialog. I actually meant the comment in all seriousness. I spent
5+ years in MCS as a consultant (in part as one of the "enterprise
consultants" Al mentions) and an EM, so I have a fair amount of
experience in this.
With Microsoft, as any vendor who is key to my infrastructure, I expect
informed help. What is most frustrating to me and my peers is having to
explain some of the same things over and over again to support people we
work with - the unique aspects of our environment, and the "why we did
it that way". That is what a TAM, an ESC, or their Oracle/IBM/Sun/HP
equivalents should provide to subject matter experts who are called in
to assist on an as-needed basis, whether Alliance, consulting, support,
or whatever. Don't make me waste my consulting hours (or my support
hours, or even my own time) by repeating to you what I just told your
Exchange support colleague just a few days ago.
I understand that there are various levels of skills in any position. I
know however, that even Starbucks doesn't let just anyone make me my
latte in the AM. There's training and quality controls in place to make
sure my triple-grande latte is made pretty much the same to whatever
Starbucks I go to. I wonder if MS has applied similar quality controls
to some of their Services roles....
-fitz
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Thursday, July 12, 2007 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
Ah. Ok. The selling point is that they know your environment and can
offer better advice. If you get good TAMS and enterprise consultants,
you get that. If you don't, you...don't.
It is definitely a function of the people. No question. It's also a
function of the expectations you have - if you expect them to know the
entire product line to the bit and byte level, then you'll be
disappointed at some point in the next few conversations. If you
expect them to give you access AND to know your environment and
culture, then you have a better shot of getting what you're after.
At a minimum, you do expect the access. You may not get that these
days....
On 7/12/07, joe wrote:
> I've had them living onsite with a whole collection of PSS and MCS
> resources also onsite and I still haven't seen the "service" having a view
> and understanding of what was done and why. I have had a few REALLY GOOD
> individuals who did but that wasn't a function of the TAM or the Premier
> agreement, it was a function of the individual people. I had multiple phone
> calls in a single day where I was explaining the WINS architecture to them
> when MSFT is the one who originally designed it for us and they had all of
> the documentation (supposedly right at hand) and when I asked the question,
> don't we pay you guys to be fully aware of what we are doing here the
> subject changed and I never got a response to that.
>
> You pay for an Alliance or Premier contract so you have the people handy to
> give you access to info you can't find yourself because it isn't publicly
> documented. You pay for it to get their advice. You do not pay it so they
> know your environment and can make suggestions that you should follow
> without thinking through. If you ever do something without reviewing it in
> terms of your environment and what impact it will have there that comes
> from PSS or any vendor, you deserve anything that happens to you.
>
> I am not a fan of being cynical but experience has dug some deep wounds and
> you have to be aware of reality when working on your production
> environment.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
> Sent: Thursday, July 12, 2007 3:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
>
> Me too!
>
> Yeah, I kept thinking that Fitz was just joking. I'm not quite sure
> though.
>
> The thing is, TAMs are human beings. And you buy time slices in some
> situations. Basically, if they do not have an office on your premises,
> then you're time sharing the TAM-time.
>
> Can you honestly say that somebody that pays only partial attention to
> you will know your environment as well as you'd like for that kind of
> support? Will you bet your job on it?
>
> MCS used to have a similar counterpart that would do the same from a
> consulting view point. That was in the days before services became one
> big happy family though. Since then, they may have become redundant in
> some respects since the goal has always been customer satisfaction and
> how you get there is not nearly as important as getting there.
>
> But I digress.....
>
> On 7/12/07, joe wrote:
> > LOL. I actually spit my drink out reading that. ;o)
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Stewart, Fitz
> > Sent: Thursday, July 12, 2007 1:59 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Isn't that why you pay Premier for a TAM, and why the services are only
> > offered to Premier customers, to "know about your environment" and "why
> > you have made the decisions you have made"?
> >
> > -fitz
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
> > Sent: Tuesday, July 10, 2007 3:03 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> >
> > Wait. Everyone at HP is not a printer expert? Huh. That's a let down.
> > I bet everyone at Microsoft is not a Windows 98 expert either right?
> >
> > :)
> >
> > joe, I think you have made some really good points about the way that
> > information can and may be used. The folks that do the assessment are
> > often quite capable people. I've seen many that are very good. You
> > did hit the nail on the head though when you talked about the way that
> > an ADRAP and ExRAP may conflict with their assessment. To me, that
> > echoes the way the products come to life and some gaps in the comm
> > between the AD and Exchange team coders/architects. It happens right?
> >
> > I look at it like this: you as the customer are going to get the 0300
> > phone call. You may call Microsoft as Matheesha pointed out, but it
> > *could* be too late at that point to do anything other than mop up the
> > oil slick left behind.
> >
> > I agree with joe. Treat your vendors, even the ones that wrote your
> > apps, as if they are an outsider that do not know about your
> > environment nor why you have made the decisions you have made. They
> > will naturally want to know that information anyway (right?), but it's
> > the rare company that can provide that information for a 3rd party so
> > better to be safe and only provide the least privilege needed to do
> > the job. Even if they tell you it's a lot, ask why - you may be glad
> > you did.
> >
> > Hey joe, we also agree that *somebody* should do a combined
> > AD/Exchange RAP. If Microsoft isn't going to, perhaps a third party
> > vendor should do that for them. Maybe even a printer expert? ;)
> >
> > -ajm
> >
> > On 7/10/07, joe wrote:
> > > Hopefully, but there is no guarantee. Certainly I have seen reports
> > > where that wasn't the case. For the most part, from the many reports I
> > > have seen now, it is mostly boilerplate. Occasionally you will get
> > > something specific that takes some oddity of the environment into
> > > account.
> > >
> > > My point on pushing the point on Enterprise Admins is that they
> > > shouldn't need those rights to generate a listing of info. This goes
> > > back to my audit admin posts from previously. If enough people make
> > > life difficult for PSS on this, it won't just be customers asking for
> > > it. There really is no reason you ever should have to give PSS
> > > Enterprise or even Domain Admins and if you did and they did mess
> > > something up, I am not so generous to believe that whomever did it
> > > would be so good at fixing it.
> > >
> > > When I go into an environment I ask for normal user and Exchange View.
> > > If someone locked their environment down (say to "protect" info about
> > > specific users/groups) then I ask to be in the group that has read
> > > access to that as well. That way, regardless of what I do, I can't hurt
> > > things. If I need something that cannot be gathered with those rights,
> > > I almost always give specific instructions of what I need and how to
> > > get it unless I have been told just to supply a script or something
> > > like that. It always makes me itch a little though that someone would
> > > allow me to supply arbitrary scripts to run with admin level rights. Me
> > > who has no deep knowledge nor understanding of your environment and you
> > > are just willing to take anything I give you... Not very smart. This
> > > goes for MSFT as well. A lot of assumptions have to be in place to just
> > > allow that to happen and assumptions are very bad for AD and security.
> > >
> > > --
> > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > >
> > > ________________________________
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
> > > Matheesha Weerasinghe
> > > Sent: Monday, July 09, 2007 4:23 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Thanks Brian. I accept the point on not everyone at MS is expert in AD.
> > > But hopefully the chap turning up at site to do the RAP should be.
> > >
> > > As for exchange, thanks for the info. We have no exchange here where I
> > > work (only lotus domino). Hence I have no knowledge on the requirements
> > > for exchange queries.
> > >
> > > Cheers
> > >
> > > M@
> > >
> > > On 09/07/07, Brian Desmond wrote:
> > >
> > > The tool will run those same WMI queries so if they do require that
> > > access you either have to change the WMI ACLs on all the DCs or give up
> > > the rights. The suitability script verifies all the connectivity
> > > requirements that the tool needs.
> > >
> > > Just because someone works for Microsoft doesn't mean they're the
> > > expert on AD. Same token applies to just if someone works for HP they
> > > know everything about printers, etc. Like others have said here it very
> > > much depends on the knowledge level of the PFE you get onsite for the
> > > gig. You can have them do it all on your equipment, they do install the
> > > tool there and run it that way in fact since it needs to run in context
> > > (e.g. no specifying a username/password to bind under)
> > >
> > > Exchange data is not viewable with straight normal user rights. You
> > > need Exchange View Only type rights to read the data which is easily
> > > delegated with the little wizard in ESM. This changed some in exchange
> > > 2007 though.
> > >
> > > The actual tool collects a bunch of data from AD but it also touches
> > > each DC hence the WMI and RPC checks.
> > >
> > > Thanks,
> > >
> > > Brian Desmond
> > >
> > > brian@briandesmond.com
> > >
> > > c - 312.731.3132
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha
> > > Sent: Monday, July 09, 2007 2:53 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Hi Joe
> > >
> > > I haven't been through an ADRAP yet so I can't comment on exactly why
> > > the RAP engineer needs enterprise/domain admin credentials.
> > >
> > > But for example in the suitability scripts that one needs to execute to
> > > get some info on the environment, there is a WMI test which connects to
> > > the root\cimv2 namespace. They use WMI to query registry values. By
> > > default a normal user cannot connect to this namespace on a domain
> > > controller remotely. As the domain/enterprise admin can, I believe the
> > > simplest thing MSFT can do in these scenarios is to say "please ensure
> > > you run the suitability scripts with enterprise admin credentials and
> > > ensure we have the same once we are on site" (as opposed to ACLing the
> > > namespace to ensure normal users can do the WMI queries required to
> > > pass the RAP).
> > >
> > > In the worst case scenario if it breaks... who better to fix other than
> > > MSFT? ;-) If you didn't trust them with the skills or confidentiality,
> > > then why even choose someone from MSFT to do the RAP? Certain orgs
> > > where security is very important ask the engineer to do the needful
> > > using equipment there, give his opinion and walk away. No data is
> > > allowed to leave site for analysis. But they still have to ensure he is
> > > security cleared before he is allowed to touch/see anything.
> > >
> > > As for querying AD, you are right. I am yet to find a query I cannot do
> > > due to the normal user credentials used to perform the query.
> > >
> > > Cheers
> > >
> > > M@
> > >
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> > > Sent: 09 July 2007 04:22
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Combination of two things in my experience makes the RAPs.
> > >
> > > The first is the quality of the engineer executing the RAP. They all
> > > get the same info, it is how well they analyze it and understand
> > > AD/Exchange as to how good the report is that they generate. You will
> > > get the extremely intelligent knowledgeable analysts who will make the
> > > resulting report fit well into the goals and design of the environment
> > > and then you will get the analysts who may be intelligent but will give
> > > you a generic read on the report which may not make much sense in light
> > > of how things are done. There is no perfect way to run AD nor design
> > > AD, it is an extremely complex and flexible product and different
> > > people can and will set it up in different ways and I have seen many a
> > > time where a RAP has reported something as incorrect when in fact it
> > > was not only correct, but the only proper way to handle the specific
> > > item in that environment. I have been on "teams" designed to blow apart
> > > the reports generated for ADRAP and ExRAPs because the results don't
> > > make sense in the environment and have successfully done so every time
> > > it was needed.
> > >
> > > The second is implied in the first answer and it is how "Softian" your
> > > environment is. The smaller the environment, the more likely you will
> > > be a homogeneous MSFT environment adhering to all of the MSFT ways. The
> > > larger the environment the more likely it will be heterogeneous with
> > > people paid to think of BETTER ways to do things for that specific
> > > environment which may not align well with what a generic report would
> > > want so the generated report may not be the best.
> > >
> > > I think the biggest problem is companies who take the RAPs and use it
> > > as the gold standard of this is the one and only way things can be set
> > > up and any deviation is wrong. Let me say straight up again, there are
> > > many ways to do things that are all equally valid and sometimes there
> > > are things that would normally be considered not so good that are
> > > perfectly acceptable in another environment. Microsoft may have written
> > > the product but they are not the end all be all knowledge and
> > > understanding of the product, certainly not the PSS/MCS folks. There
> > > are people outside of MSFT better suited to understanding the MSFT
> > > products in specific environments. A good analyst will admit that right
> > > up if asked. Don't get me wrong, there are some amazing PSS/MCS folks
> > > but this isn't the standard, IMO, this is the special case. As ~Eric
> > > mentioned before, you can't train someone into being an amazing
> > > analyst, it just doesn't work that way. You need to get the RAPs and
> > > take them as guidance but make sure you look at all of the answers in
> > > the context of what your environment is set up to do.
> > >
> > > Another thing to keep in mind, possibly this has changed recently as it
> > > has been a HUGE gripe I have had with the whole process in general is
> > > that there is no true combined AD/Exchange RAP. You have an ExRAP and
> > > you have an ADRAP. They are different things done by different people
> > > with different goals. I have seen actual AD RAPs that said AD was spot
> > > on great and then followed up a month later by an ExRAP which said that
> > > AD was completely screwed and causing massive issues in Exchange with no
> > > correlation/combination between the two and when you ask for them to
> > > reconcile the results they sort of shrug at you. They need an all
> > > inclusive RAP.
> > >
> > > Yet another thing to keep in mind and something I say to push them on is
> > > how much rights they want when they walk through the door. Usually they
> > > want full Enterprise/Domain/Exchange admin rights and I always like to
> > > ask them, so what do you plan on changing? The idea is that they should
> > > just be gathering info. Why do they need the ability to change shit if
> > > they are just looking? Realistically there are some things that they
> > > need higher level rights to get info about but they haven't convinced me
> > > to date that they have narrowed it down to specifically what and why. If
> > > enough people push them back and feed them the same lines that MSFT is
> > > trying to get everyone else into, one of least user rights to do things,
> > > then maybe we can get this fixed. I mean come on, all the RAP is is a
> > > set of scripts gathering info. How many different ways are there to get
> > > the info and do they really know what rights they really need and why?
> > >
> > > If other companies start doing these types of reviews or really anything
> > > and they say, well we need enterprise admin and everything else, the
> > > recommendation from MSFT would be, well you shouldn't be giving out
> > > Enterprise to lots of people. And there is a good reason for that. But
> > > this should also apply to MSFT themselves. As I mentioned before, there
> > > are great and not so great analysts, not all of them are people I would
> > > consider giving high level rights to. Of course they could always say
> > > that you could run the scripts, but what do you know about the scripts
> > > being run and how is that any different from doing that with any other
> > > company or vendor. It isn't.
> > >
> > > joe
> > >
> > > --
> > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > >
> > > ________________________________
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Teo De Las Heras
> > > Sent: Sunday, July 08, 2007 4:39 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] Has anyone gone through Microsoft's ADRAP?
> > >
> > > Interesting...it seems that what makes the ADRAP is the engineer
> > > assigned. My company is also a premier customer and we're looking to do
> > > an ADRAP and EXRAP before the year ends. Would you guys mind sharing the
> > > names of the engineers that you were impressed with? I'll see if my TAM
> > > can schedule them for our ADRAP.
> > >
> > > Teo
> > >
> > > On 7/6/07, Harvey Kamangwitz wrote:
> > >
> > > Hi all,
> > >
> > > As a Microsoft Premier customer, they've suggested we go through an AD
> > > Risk Assessment Program. I'm still learning what they do (it's conducted
> > > by their Field Engineering team) and what the benefits are...in the
> > > meantime, I thought it'd be good to see what my compatriots think of the
> > > program. Has anyone been through it? Is it worth it?
> > >
> > > Thanks,
> > > Harvey
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx | | | |
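The WMI point raised in the quoted thread (Matheesha: the suitability scripts connect to root\cimv2 on each DC, which a normal user cannot do remotely by default; Brian: the alternative to handing over admin rights is changing the WMI ACLs on all the DCs; joe: ask for plain user plus read-only delegations and nothing more) is something a directory admin can verify before the engineer arrives. The PowerShell below is an added example written for this page; it is not from the thread, not Microsoft's suitability script and not the RAP tool itself. It assumes Windows PowerShell with the WMI cmdlets (Get-WmiObject, Invoke-WmiMethod) able to reach the DCs over DCOM/RPC, that the caller is an administrator who can read the namespace security descriptor, and that the assessment account name CONTOSO\svc-adrap-ro is a placeholder to replace. The permission bits are the documented WBEM_* namespace rights; the NTDS registry value is read only as a harmless "can this account read the registry through WMI" probe.

```powershell
# Added example, not part of the thread or of any Microsoft tooling.
# Pre-flight check before an assessment:
#   1. confirm a delegated, non-admin assessment account can connect to
#      root\cimv2 on every DC and read a registry value through StdRegProv
#      (what the thread says the suitability scripts do), and
#   2. list who holds rights on that namespace on each DC, flagging broad
#      remote grants and any write rights held by the assessment account,
#      so the delegation is scoped to one read-only principal.
param(
    [string]$AssessmentAccount = 'CONTOSO\svc-adrap-ro',  # placeholder account
    [string]$Namespace = 'root\cimv2'
)

# WMI namespace permission bits as exposed in __SystemSecurity descriptors.
$WBEM_ENABLE            = 0x00001   # "Enable Account"
$WBEM_METHOD_EXECUTE    = 0x00002   # "Execute Methods"
$WBEM_FULL_WRITE_REP    = 0x00004
$WBEM_PARTIAL_WRITE_REP = 0x00008
$WBEM_WRITE_PROVIDER    = 0x00010
$WBEM_REMOTE_ACCESS     = 0x00020   # "Remote Enable"
$WRITE_DAC              = 0x40000   # "Edit Security"
$WriteBits = $WBEM_FULL_WRITE_REP -bor $WBEM_PARTIAL_WRITE_REP -bor `
             $WBEM_WRITE_PROVIDER -bor $WRITE_DAC

function Test-AssessmentAccountWmi {
    # Runs the probes *as the assessment account* against one DC.
    param([string]$Dc, [pscredential]$Cred, [string]$Ns)
    try {
        $os = Get-WmiObject -ComputerName $Dc -Credential $Cred -Namespace $Ns `
                            -Class Win32_OperatingSystem -ErrorAction Stop
        Write-Host "  connect $Ns : OK ($($os.Caption))"
    } catch {
        Write-Host "  connect $Ns : FAILED - $($_.Exception.Message)"
        return
    }
    # StdRegProv lives in root\default (also root\cimv2 on newer systems).
    # HKEY_LOCAL_MACHINE = 2147483650. The value is real on every DC.
    $r = Invoke-WmiMethod -ComputerName $Dc -Credential $Cred -Namespace 'root\default' `
            -Class StdRegProv -Name GetStringValue -ErrorAction SilentlyContinue `
            -ArgumentList 2147483650, 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters', 'DSA Database file'
    if ($r -and $r.ReturnValue -eq 0) { Write-Host "  registry via WMI : OK ($($r.sValue))" }
    else { Write-Host "  registry via WMI : FAILED (ReturnValue $($r.ReturnValue))" }
}

function Show-WmiNamespaceAcl {
    # Runs as the reviewing admin: dump the namespace DACL and flag risky ACEs.
    param([string]$Dc, [string]$Ns, [string]$Account)
    $sd = Invoke-WmiMethod -ComputerName $Dc -Namespace $Ns -Path '__SystemSecurity=@' `
                           -Name GetSecurityDescriptor
    if ($sd.ReturnValue -ne 0) { Write-Host "  GetSecurityDescriptor failed: $($sd.ReturnValue)"; return }
    foreach ($ace in $sd.Descriptor.DACL) {
        $who   = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        $mask  = $ace.AccessMask
        $type  = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        $flags = @()
        if ($mask -band $WBEM_REMOTE_ACCESS)  { $flags += 'RemoteEnable' }
        if ($mask -band $WBEM_ENABLE)         { $flags += 'EnableAccount' }
        if ($mask -band $WBEM_METHOD_EXECUTE) { $flags += 'ExecuteMethods' }
        if ($mask -band $WriteBits)           { $flags += 'WRITE' }
        $note = ''
        if ($type -eq 'Allow' -and ($mask -band $WBEM_REMOTE_ACCESS) -and
            $who -match 'Everyone|Authenticated Users|Domain Users') {
            $note = '  <-- remote access granted to a broad group; review'
        }
        if ($type -eq 'Allow' -and ($mask -band $WriteBits) -and $who -ieq $Account) {
            $note = '  <-- assessment account holds write rights; should be read-only'
        }
        Write-Host ("  {0,-5} {1,-40} {2}{3}" -f $type, $who, ($flags -join ','), $note)
    }
}

# Enumerate the DCs from the current domain rather than from a hand-kept list.
$dcs = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).DomainControllers |
       Select-Object -ExpandProperty Name
$cred = Get-Credential -UserName $AssessmentAccount -Message 'Password for the assessment account'

foreach ($dc in $dcs) {
    Write-Host "== $dc =="
    Test-AssessmentAccountWmi -Dc $dc -Cred $cred -Ns $Namespace
    Show-WmiNamespaceAcl -Dc $dc -Ns $Namespace -Account $AssessmentAccount
}
```

Read the output per DC: a failed connect as the assessment account means the namespace needs a delegation of Remote Enable plus Enable Account for that one account (on every DC, as Brian notes, since the namespace ACL is per machine) rather than Enterprise or Domain Admin membership for the engineer; the DACL listing then shows whether an earlier "make it work" change handed the same rights to Everyone or Authenticated Users, or gave the read-only account write bits, which is the kind of assumption joe warns against leaving in place.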
|
|