bdesmond (Posts: 977), 12/08/2009 5:13 PM
My favorite tends to be where OU admins are allowed to make their own OU trees. Couple I have seen:
One place some folks got a little carried away and their plant OUs were 25-50 levels deep. Nobody knew about this until a consultant was tasked to draw this out in Visio.
Another org some guy had decided to have a separate OU and GPO for every single office he managed. Each OU had one PC in it.
Brian Desmond from my phone
________________________________
From: joe <listmail@joeware.net>
Sent: Tuesday, December 08, 2009 8:23 AM
To: activedir@mail.activedir.org <activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
Yep I have run into quite a few of them as well, and when we audit the directory in those companies to see if the standards are being enforced, the answer is generally no. You tend to catch it when someone goes to actually use some field and is expecting things to be following a standard and then realizes that the standard isn’t being followed. Or alternately some auditor is looking at things and realizes stuff is wrong. Often people who look at the directory know it is in trouble, but either haven’t been listened to or just silently admit defeat and don’t even bring it up or worse, don’t care. This is the worst, I have found, when users are manually managed. The problem is a little better when groups and computers are managed that way. Though you best have some sort of object lifecycle mechanism in place. In the company I worked for when I wrote oldcmp we ended up cleaning up something like 60,000 machine accounts right off the bat.
One company I worked with had tons of things wrong but one was really bad… something really simple wrong… the six character company name was spelled like in over a dozen different ways with only one of those ways being correct. Overall in these situations you find that fields that aren’t supposed to be populated are populated, fields that are supposed to be populated aren’t. Phone number formats are across the board, there is no real object lifecycle management, things change and people wonder how, etc etc. I spent a couple of months auditing the directory for the previously mentioned company and ended up producing a document with the top 10 de facto standards for each field so they could be correlated and somehow merged into the official standards. That doc was hundreds of pages.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Bill Foster
Sent: Monday, December 07, 2009 9:43 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
We have three EA/DA’s, and 53 OU admins in a global company with 175,000 people. The roles are pretty much as Brian has described.
Bill
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Monday, December 07, 2009 8:29 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
I've worked in A LOT of orgs with so-called OU admins.
Responsibilities vary but usually include computers, groups, group policy and some sort of user (e.g. svc account) management.
Brian Desmond from my phone
________________________________
From: Gabriele Scolaro <gabro@gabro.net>
Sent: Monday, December 07, 2009 6:16 PM
To: activedir@mail.activedir.org <activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
Joe has just raised the point I wanted to head to with my “decoy” question… “What’s an OU Admin?”! ;-)
I might look “academic”, but I really don’t see other roles in AD management than “Service Admins” (EA/DA) and “Data Admins”, that are groups with different level of permission allowed to create/edit/delete objects (request/approve)… and even in mid-sized org, not necessarily in very large one, this should be achieved through provisioning tools that can enforce (de)provisioning policies or validate data format across the directory (Quest ARS is again a good example).
“OU Admins” makes me think that you’re granting someone with Full Control (or close permission) over OUs for manual management with ADUC or alike and - I could not agree more with Joe - this is like asking for inconsistencies… and be sure you’ll 100% get them!
Regards – Gabriele.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Monday, December 7, 2009 5:52
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
Most admin work in very large orgs *should be* through provisioning tools driven by HR or initial requesters (through workflow), not manual workers with delegated rights who know how to start ADUC. And of those companies that tend to use manual workers that are very large, those workers are usually in “best shore” locations[1] so certifications aren’t necessary for them because in all actuality there is little to no ability to truly manage that in some of those locations. Manual management work is usually the best way to ask for inconsistencies[2] in your directory.
Moderate to significant cost savings over best shore is often achievable through automation not to mention no loss of IP when the company across the hall offers $1 an hour more or someone made enough to move to another country or no retraining when you need to make changes to processes and/or standards. Also auditing and logging tends to be considerably better. You don’t have to ask 50 questions to try and figure out what might have been done, you look at the actual logs of the provisioning and workflow tools.
joe
[1] Another way to say, cheapest place that the work can be farmed out to. Can’t just say India anymore, nor KL, nor Costa Rica, those costs are all going up.
[2] Accidental or through admins who just don’t agree with the standards.
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Levicki
Sent: Monday, December 07, 2009 10:57 AM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
Hi Gabriele,
An OU Admin is someone who is employed solely to administer Organizational Units. Typically you would only see this sort of role in very large organizations where this would be a full time role / full time roles.
Regards,
Andrew
2009/12/7 Gabriele Scolaro <gabro@gabro.net>
Just curious... What's an OU Admin? - Gabriele.
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Daniel Gilbert
> Sent: Friday, December 4, 2009 5:37
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>
> That is part of the fun, a new organization is assuming management of our AD environment, we are transitioning from one AD structure to a newer AD structure. Part of the transition will entail new management.
>
> The new management is mandating the Domain Admins hold the MCITP-EA certificate. OU Admins are supposed to hold the MCITP-SA certificate.
>
> I know the MCM certificate is an expensive undertaking and is not a gimme. From the looks of it, you need to know your stuff before attempting.
>
> Daniel Gilbert, CISSP, MCSE 2003
>
> > -------- Original Message --------
> > Subject: Re: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
> > From: Rick Sheikh <ricksheikh@gmail.com>
> > Date: Fri, December 04, 2009 9:21 am
> > To: activedir@mail.activedir.org
> >
> > Has your organization realized the cost on having this goal achieved? The last I had read and IIRC the cost for an individual to attend the instructor-led class plus the exam costs were running around $15k.
> > Technically speaking there is a very thin line between domain admins and enterprise admin in a multi-domain forest design. I don't see the point to isolate the authority with assumed skill sets.
> > What has your organization decided as minimal certs. guideline for domain admins?
> >
> > On Fri, Dec 4, 2009 at 10:04 AM, Daniel Gilbert <daniel@tankerstinkering.com> wrote:
> > > I would love to see some traffic on this subject. Our organization is working to develop a new Active Directory environment and one of the requirements they are publishing for the Enterprise Admins is they must hold the MCM certification.
> > >
> > > Those of us in the old environment working as EAs, though we find this mandate admirable, we suspect it is unachievable in the contracting world because no one wants to foot the bill (government contracting spaces) for this certification.
> > >
> > > Daniel Gilbert, CISSP, MCSE 2003
> > >
> > > > -------- Original Message --------
> > > > Subject: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
> > > > From: "Marcus Walshe" <marwalshe@yahoo.ie>
> > > > Date: Fri, December 04, 2009 2:26 am
> > > > To: <activedir@mail.activedir.org>
> > > >
> > > > Hi,
> > > >
> > > > Just wanted to get an update from the people on the list who have achieved the MCMAD (or any other MCM), are they seeing any benefit in having the certification. Not only from the perspective of understanding the technology, but in regards to career opportunity, etc. Most people that I speak to in the UK are still largely unaware of what the cert is and dismiss it as a glorified MCSE.
> > > >
> > > > Thanks,
> > > > Marcus.