Author: laurahcomputing (Posts: 148)
Posted: 12/08/2009 6:46 PM
And to joe's point about constrained prov/de-prov, even if you only delegate "create/delete user object" at the OU level, nothing prevents a malicious or well-meaning-but-bad-hair-day-having admin from clicking CTRL-A followed by DEL followed by 'Y'.

(Though naturally they'll only do this within the North America OU. At 2pm. On a Friday.)
On Tue, Dec 8, 2009 at 12:10 PM, Brian Desmond <brian@briandesmond.com> wrote:
> My favorite tends to be where ou admins are allowed to make their own ou trees. Couple I have seen
>
> One place some folks got a little carried away and their plant ou's were 25-50 levels deep. Nobody knew about this until a consultant was tasked to draw this out in visio.
>
> Another org some guy had decided to have a separate ou and gpo for every single office he managed. Each ou had one pc in it.
>
> Brian Desmond from my phone
>
> ________________________________
> From: joe <listmail@joeware.net>
> Sent: Tuesday, December 08, 2009 8:23 AM
> To: activedir@mail.activedir.org <activedir@mail.activedir.org>
> Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>
> Yep I have run into quite a few of them as well, and when we audit the directory in those companies to see if the standards are being enforced, the answer is generally no. You tend to catch it when someone goes to actually use some field and is expecting things to be following a standard and then realize that the standard isn't being followed. Or alternately some auditor is looking at things and realizes stuff is wrong. Often people who look at the directory know it is in trouble, but either haven't been listened to or just silently admit defeat and don't even bring it up or worse, don't care. This is the worst, I have found when users are manually managed. The problem is a little better when groups and computers are managed that way. Though you best have some sort of object lifecycle mechanism in place. In the company I worked for when I wrote oldcmp we ended up cleaning up something like 60,000 machine accounts right off the bat.
>
> One company I worked with had tons of things wrong but one was really bad… something really simple wrong… the six character company name was spelled in over a dozen different ways with only one of those ways being correct. Overall in these situations you find that fields that aren't supposed to be populated are populated, fields that are supposed to be populated aren't. Phone number formats are across the board, there is no real object lifecycle management, things change and people wonder how, etc etc. I spent a couple of months auditing the directory for the previously mentioned company and ended up producing a document with the top 10 de facto standards for each field so they could be correlated and somehow merged into the official standards. That doc was hundreds of pages.
>
> joe
>
> --
> O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Bill Foster
> Sent: Monday, December 07, 2009 9:43 PM
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>
> We have three EA/DA's, and 53 OU admins in a global company with 175,000 people. The roles are pretty much as Brian has described.
>
> Bill
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
> Sent: Monday, December 07, 2009 8:29 PM
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>
> I've worked in A LOT of orgs with so called Ou admins.
> Responsibilities vary but usually include computers, groups, group policy and some sort of user (eg svc account) management.
>
> ________________________________
> From: Gabriele Scolaro <gabro@gabro.net>
> Sent: Monday, December 07, 2009 6:16 PM
> To: activedir@mail.activedir.org <activedir@mail.activedir.org>
> Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>
> Joe has just raised the point I wanted to head to with my "decoy" question… "What's an OU Admin?"! ;-)
>
> I might look "academic", but I really don't see other roles in AD management than "Service Admins" (EA/DA) and "Data Admins", that are groups with different levels of permission allowed to create/edit/delete objects (request/approve)… and even in mid-sized orgs, not necessarily in very large ones, this should be achieved through provisioning tools that can enforce (de)provisioning policies or validate data format across the directory (Quest ARS is again a good example).
>
> "OU Admins" makes me think that you're granting someone with Full Control (or close permission) over OUs for manual management with ADUC or alike and - I could not agree more with Joe - this is like asking for inconsistencies… and be sure you'll 100% get them!
>
> Regards – Gabriele.
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
> Sent: Monday, 7 December 2009 5:52
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>
> Most admin work in very large orgs *should be* through provisioning tools driven by HR or initial requesters (through workflow), not manual workers with delegated rights who know how to start ADUC. And of those companies that tend to use manual workers that are very large, those workers are usually in "best shore" locations[1] so certifications aren't necessary for them because in all actuality there is little to no ability to truly manage that in some of those locations. Manual management work is usually the best way to ask for inconsistencies[2] in your directory.
>
> Moderate to significant cost savings over best shore is often achievable through automation not to mention no loss of IP when the company across the hall offers $1 an hour more or someone made enough to move to another country or no retraining when you need to make changes to processes and/or standards. Also auditing and logging tends to be considerably better. You don't have to ask 50 questions to try and figure out what might have been done, you look at the actual logs of the provisioning and workflow tools.
>
> joe
>
> [1] Another way to say, cheapest place that the work can be farmed out to. Can't just say India anymore, nor KL, nor Costa Rica, those costs are all going up.
>
> [2] Accidental or through admins who just don't agree with the standards.
>
> --
> O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Levicki
> Sent: Monday, December 07, 2009 10:57 AM
>
> Hi Gabriele,
>
> An OU Admin is someone who is employed solely to administer Organizational Units. Typically you would only see this sort of role in very large organizations where this would be a full time role / full time roles.
>
> Regards,
>
> Andrew
>
> 2009/12/7 Gabriele Scolaro <gabro@gabro.net>
>
> Just curious... What's an OU Admin? - Gabriele.
>
>> -----Original Message-----
>> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Daniel Gilbert
>> Sent: Friday, 4 December 2009 5:37
>> To: activedir@mail.activedir.org
>> Subject: RE: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>>
>> That is part of the fun, a new organization is assuming management of our AD environment, we are transitioning from one AD structure to a newer AD structure. Part of the transition will entail new management.
>>
>> The new management is mandating the Domain Admins hold the MCITP-EA certificate. OU Admins are supposed to hold the MCITP-SA certificate.
>>
>> I know the MCM certificate is an expensive undertaking and is not a gimme. From the looks of it, you need to know your stuff before attempting.
>>
>> Daniel Gilbert, CISSP, MCSE 2003
>>
>> > -------- Original Message --------
>> > Subject: Re: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>> > From: Rick Sheikh <ricksheikh@gmail.com>
>> > Date: Fri, December 04, 2009 9:21 am
>> > To: activedir@mail.activedir.org
>> >
>> > Has your organization realized the cost on having this goal achieved? The last I had read and IIRC the cost for an individual to attend the instructor-led class plus the exam costs were running around $15k.
>> > Technically speaking there is a very thin line between domain admins and enterprise admin in a multi-domain forest design. I don't see the point to isolate the authority with assumed skill sets.
>> > What has your organization decided as minimal certs. guideline for domain admins?
>> >
>> > On Fri, Dec 4, 2009 at 10:04 AM, Daniel Gilbert <daniel@tankerstinkering.com> wrote:
>> > > I would love to see some traffic on this subject. Our organization is working to develop a new Active Directory environment and one of the requirements they are publishing for the Enterprise Admins is they must hold the MCM certification.
>> > >
>> > > Those of us in the old environment working as EA's, though we find this mandate admirable, we suspect it is unachievable in the contracting world because no one wants to foot the bill (government contracting spaces) for this certification.
>> > >
>> > > Daniel Gilbert, CISSP, MCSE 2003
>> > >
>> > > > -------- Original Message --------
>> > > > Subject: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>> > > > From: "Marcus Walshe" <marwalshe@yahoo.ie>
>> > > > Date: Fri, December 04, 2009 2:26 am
>> > > > To: <activedir@mail.activedir.org>
>> > > >
>> > > > Hi,
>> > > >
>> > > > Just wanted to get an update from the people on the list who have achieved the MCMAD (or any other MCM), are they seeing any benefit in having the certification. Not only from the perspective of understanding the technology, but in regards to career opportunity, etc. Most people that I speak to in the UK are still largely unaware of what the cert is and dismiss it as a glorified MCSE.
>> > > >
>> > > > Thanks,
>> > > > Marcus.
>
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Slightly OT - Is anyone benefiting from the MCMAD certification
>
> Brian Desmond from my phone
--
-----------------------
Laura E. Hunter
Principal, LHA Consulting Incorporated (http://www.lhaconsulting.com)
Microsoft MVP, Directory Services (https://mvp.support.microsoft.com/profile/laura)
Author, Active Directory Consultant's Field Guide (http://tinyurl.com/7f8ll)
Author, Active Directory Cookbook, Third Edition (http://tinyurl.com/7kp3ct)
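Laura's point is that delegating "create/delete user object" at the OU level does nothing to stop a select-all-and-delete. As an added example that is not part of the thread, this PowerShell audits which trustees hold delete rights on one OU and marks the user objects under it as protected from accidental deletion; it assumes the ActiveDirectory module is available and uses a placeholder OU distinguished name.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (which also provides the AD: drive used by Get-Acl). The OU DN is a placeholder.
Import-Module ActiveDirectory

$ouDn = 'OU=North America,DC=example,DC=com'   # placeholder, use your own OU

# 1. Who can delete here? DeleteChild on the OU itself, or Delete/DeleteTree/
#    GenericAll ACEs that inherit down to the objects inside it. ObjectType
#    narrows a DeleteChild ACE to one class (e.g. user); an empty GUID means any.
$rights     = [System.DirectoryServices.ActiveDirectoryRights]
$deleteMask = [int]($rights::DeleteChild -bor $rights::Delete -bor
                    $rights::DeleteTree  -bor $rights::GenericAll)
$acl = Get-Acl -Path "AD:\$ouDn"
$deleteAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights -band $deleteMask) -ne 0)
}
$deleteAces |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize

# 2. Which user objects under the OU are not yet protected from accidental deletion?
$unprotected = Get-ADUser -Filter * -SearchBase $ouDn -SearchScope Subtree `
                   -Properties ProtectedFromAccidentalDeletion |
               Where-Object { -not $_.ProtectedFromAccidentalDeletion }
"{0} unprotected user object(s) under {1}" -f @($unprotected).Count, $ouDn

# 3. Protect them (remove -WhatIf to apply). A protected object refuses deletion
#    from any trustee until the flag is cleared, and clearing it requires
#    permission to change the object's DACL, which a plain create/delete
#    delegate normally does not have.
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf
```

The protection covers the accidental or casual mass delete; a trustee who can already rewrite the DACL is a separate problem and shows up in the step 1 report as GenericAll or WriteDacl.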