What are the benefits to permanently disabling AD accounts as opposed to deleting them?
|
# ? Aug 6, 2019 20:58 |
|
capitalcomma posted:What are the benefits to permanently disabling AD accounts as opposed to deleting them? Because re-enabling is always easier than undeleting.
|
# ? Aug 6, 2019 21:00 |
|
capitalcomma posted:What are the benefits to permanently disabling AD accounts as opposed to deleting them? Audit history. You also don’t end up with tons of ‘unknown account {<Sid guid>}’ items popping up. The impact on AD, even with hundreds of thousands of disabled items, is tiny. Doubly so if they are in their own OU.
|
# ? Aug 6, 2019 21:02 |
|
Twice in the past week I’ve had the misfortune of being the on-site technician for a big company that’s rolling out Cisco IP phones to all their sites across the country without really consulting with those sites on what their needs are or giving them any real training ahead of time. Basically they ship all the equipment to site and then I get to be the guy who shows up on the day and says “Hi, I’m here to make your phones worse.” Most of these places are used to like NEC or Nortel systems where they have line appearances. So they go from being able to press hold, hit the page button, and say “call for Joe on line 2” to having to hit the “more” button on their phone screen to expose the Park button, park the call and remember the park code it displays, page “call for Joe on Park 7020”, then Joe, if he’s lucky enough to have a desk phone, has to dial that park code, or if he’s one of the poor schmucks they set up on Jabber he has to dial that in there except oops they forgot to send them headsets. So much simpler! Also they couldn’t figure out how to page through overhead and speaker phones simultaneously so it’s just the overhead now. Also they have to dial 9 1 (area code) before every number now when they were used to just dialing 7 digits for local.
|
# ? Aug 6, 2019 21:18 |
|
9 1 = bad news. Too easy to hit 911 and they hang up in a panic and welcome police to your door.
|
# ? Aug 6, 2019 21:22 |
|
Entropic posted:Also they have to dial 9 1 (area code) before every number now when they were used to just dialing 7 digits for local. GreenNight posted:9 1 = bad news. Too easy to hit 911 and they hang up in a panic and welcome police to your door. We have a message that plays saying make sure you really need it and it needs confirmation first. I don't know how legal that is.
|
# ? Aug 6, 2019 22:09 |
|
We just made it 8 1 so there are no mistakes.
|
# ? Aug 6, 2019 22:14 |
|
minusX posted:We can hit just 9 with our Cisco system and dial local. If we do 9 1 it assumes long distance and we require a pin for it, even if local (but not if 800 number). Cisco systems can do all sorts of things, if you actually bother to program them to do those things. But these systems are always programmed by Southern Ontario guys who are used to having like 3 area codes in Toronto alone so everyone is used to 10 digits. minusX posted:
Probably not very, depending on your jurisdiction. Whenever we install any kind of new system here we have to arrange a test call with emergency services to make sure 911 works and if it's a 9-prefix system we also have to make sure 9911 dials emergency too. Entropic fucked around with this message at 22:30 on Aug 6, 2019 |
# ? Aug 6, 2019 22:27 |
|
capitalcomma posted:What are the benefits to permanently disabling AD accounts as opposed to deleting them? In my case, as was mentioned by EoRaptor, auditing is a big part of it. If you delete an account then anything that would have referenced it is replaced by a gibberish SID. Plus, and this is minor, but I'd rather avoid the situation in the future of deleting the account jdoe@domain.com and then three years later getting another jdoe and giving them the same email because I forgot about the old employee.
Also, fun fact, two of the administrators are anal neat freaks and insist on having a completely empty email inbox so they delete every email that they have responded to and then want to pester me endlessly to dig up old emails.
I forgot to mention, the second half of the conversation involved them complaining about there being too many faculty created O365 groups that show up in the autocomplete list when typing in email addresses. Their solution was that every July, I go through and delete all the old groups one by one (this takes forever, btw, and no one with a single brain cell would do this). I brought forward four suggestions:
1) Raze the entire group structure to the ground every summer and expect faculty to recreate their groups. They make specific, unique groups for each period of each class for each semester and create them all new every semester anyways.
2) Expect faculty to clean up their own groups at the end of each semester.
3) Hide every group listed as private from the GAL so they don't show up anymore because who gives a poo poo if we have 5000 different AP-PHYSICS-MWF if no one ever sees them?
4) Forbid faculty from creating O365 groups and expect them to just create mailing lists in their address books since they're just sending emails and doing zero collaboration.
None of these were acceptable.
I told them that at a certain point this is a personal responsibility thing and I can't be expected to babysit this if they're going to turn it into Homer's Car like they do everything else and expect me to "make it work." The director told me that "they should have to" answers are never appropriate. Then immediately followed it up with "You should just send out a survey to all faculty every summer and tell them to list which groups they want to keep and then delete the rest of them." One. By. One.
|
# ? Aug 6, 2019 22:28 |
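The disable-rather-than-delete practice from the replies above (keep the SID resolvable for audit, park the accounts in their own OU, do not reissue an old jdoe address), as an added example that is not any poster's code. It assumes the ActiveDirectory RSAT module; the OU path, log file and function names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. OU path, log path and function
# names below are assumptions made for illustration.

$DisabledOU = 'OU=Disabled Users,DC=example,DC=com'   # hypothetical parking OU
$AuditLog   = '.\offboarded-accounts.csv'             # hypothetical audit log

function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties mail, MemberOf

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and move to parking OU')) {
        # Record the SID and memberships first, so ACLs and old log entries
        # can still be tied back to a person later.
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            SID            = $user.SID.Value
            Mail           = $user.mail
            Groups         = $user.MemberOf -join ';'
            DisabledOn     = (Get-Date).ToString('s')
        } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

        # The object (and its SID) stays in the directory; only logon is blocked.
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd); kept for audit"
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }
}

function Find-NameCollision {
    # Run before creating a new account. Get-ADUser returns disabled accounts
    # too, so a parked jdoe still shows up and blocks reuse of the address.
    # Inputs are interpolated into the filter; reject values containing quotes.
    param(
        [Parameter(Mandatory)][ValidatePattern("^[^']+$")][string] $SamAccountName,
        [Parameter(Mandatory)][ValidatePattern("^[^']+$")][string] $Mail
    )
    $filter = "SamAccountName -eq '$SamAccountName' -or mail -eq '$Mail' " +
              "-or proxyAddresses -eq 'smtp:$Mail'"
    Get-ADUser -Filter $filter -Properties mail, whenCreated |
        Select-Object SamAccountName, Enabled, mail, whenCreated, DistinguishedName
}

# Constructed usage:
#   Disable-DepartedUser -SamAccountName jdoe -WhatIf
#   Find-NameCollision -SamAccountName jdoe -Mail jdoe@domain.com
```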
|
larchesdanrew posted:Then immediately followed it up with "You should just send out a survey to all faculty every summer and tell them to list which groups they want to keep and then delete the rest of them." Hate to be that guy but you could delete all groups BUT the one requested via powershell, no need to use the web GUI for mass delete.
|
# ? Aug 6, 2019 22:34 |
|
And if they complain "You deleted all the groups at once, which directly contradicts our order that you do it manually!", write a loop that deletes a group, waits five seconds, repeat.
|
# ? Aug 6, 2019 22:54 |
|
Delete whatever accounts your bosses use to complain to you. Especially ones tied to keycards
|
# ? Aug 7, 2019 00:48 |
|
Crypto your job tia
|
# ? Aug 7, 2019 03:07 |
|
Methanar posted:Delete whatever accounts your bosses use to complain to you. Reminds me of a co-worker who constantly threatens to delete the OU of an entire region on his last day.
|
# ? Aug 7, 2019 03:28 |
|
larchesdanrew posted:In my case, as was mentioned by EoRaptor, auditing is a big part of it. If you delete an account then anything that would have referenced it is replaced by a gibberish SID. At the end of the year, put all the permanent groups in their own OU. Delete all other groups going forward, if anyone complains, apologize, say you did it by accident, restore it from the recycle bin, and put it in the permanent groups OU. And above all, do not ask for permission to handle it this way.
|
# ? Aug 7, 2019 03:33 |
|
larchesdanrew posted:In my case, as was mentioned by EoRaptor, auditing is a big part of it. If you delete an account then anything that would have referenced it is replaced by a gibberish SID. Have you considered refactoring ALL the mailing groups and automating them from the records package. Have them create update and remove based on the teaching program.
|
# ? Aug 7, 2019 03:54 |
|
KennyTheFish posted:Have you considered refactoring ALL the mailing groups and automating them from the records package. Have them create update and remove based on the teaching program. I see some great potential for automation in our poor SOB's situation. Automatically creating the email group for each class is the sort of thing that can get the teacher's union on your side in the "brickbats, pitchforks, and torches" sense if the principal pulls another stupid on you. Stories about the principal's stupidity trigger me hard enough to offer free consulting, PM me Larches.
|
# ? Aug 7, 2019 04:57 |
|
Thanatosian posted:At the end of the year, put all the permanent groups in their own OU. Delete all other groups going forward, if anyone complains, apologize, say you did it by accident, restore it from the recycle bin, and put it in the permanent groups OU.
|
# ? Aug 7, 2019 05:11 |
Ghostlight posted:Office 365 groups live in the butt
|
|
# ? Aug 7, 2019 10:42 |
|
KennyTheFish posted:Have you considered refactoring ALL the mailing groups and automating them from the records package. Have them create update and remove based on the teaching program. It's a pretty no-frills system as of now (I set it up from scratch in about a month a year and a half ago) and we're running Exchange online while syncing our on-prem AD (that's still running 2008 womp womp), so I'm pretty limited in my automation options. However, I have noticed that Microsoft offers some integration into various SIS services, and I'm curious if I could set something up through that. I plan on checking it out with my SIS rep today and seeing what my options are. SlowBloke posted:Hate to be that guy but you could delete all groups BUT the one requested via powershell, no need to use the web GUI for mass delete. I already use PS for most management, as the exchange online interface is terribly slow and cumbersome and there's a lot of stuff you can't do in a hybrid environment from the GUI that you have to use PS for. This was what I was getting at with the first option I gave them of just wiping the slate clean (via PS) and including exceptions for permanent and semi-permanent groups. He doesn't like this option. I'm going to do it anyways, but in his mind, the only proper way to do it is to use the GUI and verify and delete groups one by one. He asked me what PowerShell is and I explained and he claims it sounds "too complicated" and I need to "keep it simple for future IT employees." I just closed on a house and I'm pretty sure I'm getting fired #blessed
|
# ? Aug 7, 2019 14:24 |
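The keep-list cleanup discussed above, as an added example that is not larchesdanrew's or SlowBloke's script. It assumes a connected Exchange Online PowerShell session; the keep.csv survey export, its PrimarySmtpAddress column, the age cutoff and the log file name are hypothetical.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has
# already been run. keep.csv (one PrimarySmtpAddress column) stands in for
# the faculty survey result; file names and the age cutoff are assumptions.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    [string]   $KeepList      = '.\keep.csv',
    [string]   $AuditLog      = ".\group-cleanup-$(Get-Date -Format yyyyMMdd).csv",
    [datetime] $CreatedBefore = (Get-Date).AddDays(-30)
)

# Case-insensitive set of addresses that must survive the cleanup.
$keep = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Import-Csv -Path $KeepList | ForEach-Object {
    if ($_.PrimarySmtpAddress) { [void]$keep.Add($_.PrimarySmtpAddress.Trim()) }
}

# An empty or mis-headed keep list would otherwise mean "delete everything".
if ($keep.Count -eq 0) {
    throw "Keep list '$KeepList' produced no addresses; refusing to continue."
}

# Everything not on the keep list and older than the cutoff is a candidate.
$candidates = @(Get-UnifiedGroup -ResultSize Unlimited | Where-Object {
    -not $keep.Contains("$($_.PrimarySmtpAddress)") -and
    $_.WhenCreated -lt $CreatedBefore
})

# Write the audit record before touching anything, even under -WhatIf.
$candidates |
    Select-Object DisplayName, PrimarySmtpAddress, ExternalDirectoryObjectId,
                  AccessType, WhenCreated |
    Export-Csv -Path $AuditLog -NoTypeInformation -WhatIf:$false

foreach ($group in $candidates) {
    # ConfirmImpact = 'High' prompts per group unless -Confirm:$false is passed.
    if ($PSCmdlet.ShouldProcess("$($group.PrimarySmtpAddress)", 'Remove Microsoft 365 group')) {
        Remove-UnifiedGroup -Identity "$($group.PrimarySmtpAddress)" -Confirm:$false
    }
}

Write-Output "Candidates: $($candidates.Count). Audit log: $AuditLog"
```

Run it with -WhatIf first and review the audit CSV. Deleted Microsoft 365 groups are soft-deleted and can be restored for 30 days.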
|
larchesdanrew posted:It's a pretty no-frills system as of now (I set it up from scratch in about a month a year and a half ago) and we're running Exchange online while syncing our on-prem AD (that's still running 2008 womp womp), so I'm pretty limited in my automation options. Start looking now.
|
# ? Aug 7, 2019 15:32 |
|
Proteus Jones posted:Start looking now. And make sure you have some authority over the next CE
|
# ? Aug 7, 2019 15:40 |
|
larchesdanrew posted:Email alias idiocy It's funny, I graduated from a high school like the one you're at in another state and for a while after I thought it would be a neat job to be back at my alma mater as an IT guy. Since I started hearing tales of your current workplace, I've decided that the dream is probably a lot better than the reality. Still sounds better than the TV station, although that isn't saying much.
|
# ? Aug 7, 2019 16:21 |
|
Proteus Jones posted:Start looking now. I've interviewed for 11 jobs in the last year. That's the part that makes me nervous. I'm pretty sure it's my distance that makes me unhirable. No one wants to hire someone in a position that requires emergency response that lives an hour away. A Frosty Witch fucked around with this message at 16:27 on Aug 7, 2019 |
# ? Aug 7, 2019 16:22 |
|
larchesdanrew posted:I've interviewed for 11 jobs in the last year. What's new at the TV station?
|
# ? Aug 7, 2019 16:33 |
|
larchesdanrew posted:I'm pretty sure it's my distance that makes me unhirable. No one wants to hire someone in a position that requires emergency response that lives an hour away. But you told me you were planning to move to a new place that happens to be very near to the company you are interviewing for, just as soon as you start working there. You should tell them that when interviewing. (not your fault if you can't find a suitable place after passing probation and have to stay where you currently are)
|
# ? Aug 7, 2019 16:41 |
|
larchesdanrew posted:No one wants to hire someone in a position that requires emergency response that lives an hour away.
|
# ? Aug 7, 2019 16:56 |
|
larchesdanrew posted:No one wants to hire someone in a position that requires emergency response that lives an hour away. I think an organisation that needs instant emergency response, yet does not support remote work in any form (e.g. needing the 1hr drive), and also complains about automating things and making your life easier with better results... yeah avoid that, that's the situation you're in now. That said, somehow as a favour to my fiancee, I'm trying to figure out how to convince an office to transition to a remote work supporting environment. Thing is, I'm not their IT, just trying to convince them to look into moving to IP Telephony, Teams/Skype/Slack/ANY loving THING for IM and O365. I'm not sure how to actually lure them into it so my other half can work from home more effectively, I wish I knew.
|
# ? Aug 7, 2019 17:11 |
|
It does seem to be a bit of a strange requirement for an employer to require emergency response in person where a one hour delay is unacceptable but they also aren't just paying people to fill a shift pattern like in a NOC. As above, it could easily take someone an hour to get a few miles across a city.
|
# ? Aug 7, 2019 17:14 |
|
I don't know why, but of all technologies, idiots love to get deep into the details of how email should run and be managed. Nothing draws the interest of absolute morons who want to tell you exactly how things should operate like loving Exchange.
|
# ? Aug 7, 2019 17:59 |
|
AlternateAccount posted:I don't know why, but of all technologies, idiots love to get deep into the details of how email should run and be managed. Nothing draws the interest of absolute morons who want to tell you exactly how things should operate like loving Exchange. It's a combination of the Shed Effect, and Dunning-Kruger. They know how to use email, and therefore that makes them an expert on all areas of email use and administration! Also, because this is much like a bike shed, and everyone is an expert with equally valid opinions, they need to piss away 300+ man hours in meetings about what color the bike shed will be. There's no winning with these people. Easiest is to do whatever best practices are and feign ignorance if you're ever called on it.
|
# ? Aug 7, 2019 18:24 |
|
AlternateAccount posted:I don't know why, but of all technologies, idiots love to get deep into the details of how email should run and be managed. Nothing draws the interest of absolute morons who want to tell you exactly how things should operate like loving Exchange. I would like to introduce you to my current nemesis: conference rooms
|
# ? Aug 7, 2019 18:25 |
|
Hey, anyone interested in Windows client engineering? Cuz my most senior eng guy is away indefinitely, the next most senior guy just moved to EntSec, and two of the three dudes beneath me in the chain quit or didn't get a contract extension. That leaves me as the most senior person with one other guy left on the team. And he's fully allocated to another project. Despite all of this being known by management, they haven't given us headcount for our backfills, never mind headcount for the fact that we've been dramatically understaffed for the last 3 years anyway. They haven't even written up position descriptions to build recs off of. We've had one member of the team on LTD for so long our current boss has never met her, despite having to fill out her project planning time sheet every month because there's no provision for suspending those if someone is on leave. And also, no provision to get temp headcount to fill her spot until she finally gives in and loving quits already. I'm about to lead a major image release, and I am fully prepared to loving own this, but it definitely doesn't give me the warm fuzzies when management treats this team like we're disposable.
|
# ? Aug 7, 2019 18:44 |
|
Dirt Road Junglist posted:Hey, anyone interested in Windows client engineering? Cuz my most senior eng guy is away indefinitely, the next most senior guy just moved to EntSec, and two of the three dudes beneath me in the chain quit or didn't get a contract extension. That leaves me as the most senior person with one other guy left on the team. And he's fully allocated to another project Windows client engineering is a very thankless, very low return in value for your time as an employee IMO. It could be an upgrade for your career depending on where you are in it. I would say it's more like email management, nobody ever notices except when something doesn't work right. It wouldn't be something I would want to focus on long term.
|
# ? Aug 7, 2019 19:19 |
I'm on the train because I don't think I've ever had a director be so directly unprofessional and disrespectful towards basically everyone. I don't know if it's just how things were at this place while it was just a startup and it just carried over, but lines like "I don't know why you would even think that way" or "horrible work, team" get unironically used in TYOOL 2019. I'm still unhappy about the implicit anti-semitic joke he made during a very tense meeting. I came very close to going to HR for the first time in my career. I learned everything I know about Azure here, and I don't have bullshit to deal with. My co-workers are awesome, my commute is great, the office is good, and I'm loving hourly - as in eligible for OT, and basically every month I get six hours of time and a half due to patching. I lose out on so much by leaving, but holy poo poo, nothing feels worse than being treated disrespectfully by someone in a position of authority over you on a frequent and daily basis.
|
|
# ? Aug 7, 2019 20:41 |
|
Sickening posted:Windows client engineering is a very thankless, very low return in value for your time as an employee IMO. It could be an upgrade for your career depending on where you are in it. I would say it's more like email management, nobody ever notices except when something doesn't work right. It wouldn't be something I would want to focus on long term. Yeah, I'm not long for this role as it is. We're looking to offload our Windows CE to a single office (as in, not the one I'm based in), and I'll move into more of an OS agnostic scripting/automation role, which is what I was brought onto the team for in the first place. Our Windows fleet is shrinking every day anyway, and I'm tired of being hitched to a horse that's actively dying with every stride. MJP posted:I'm on the train because I don't think I've ever had a director be so directly unprofessional and disrespectful towards basically everyone. I don't know if it's just how things were at this place while it was just a startup and it just carried over, but lines like "I don't know why you would even think that way" or "horrible work, team" get unironically used in TYOOL 2019. I quit my last job because my boss was a creep, a registered sex offender, and engaging in blatantly criminal activities at work. I didn't have anything to go to, either. I carpetbombed every job search and resume posting site in the region and got an offer within 4 weeks, otherwise I was prepared to throw all my belongings back in a U-Haul and move back in with my parents in Montana. I mean, my co-workers had to spread a rumor that I was gay to make sure dude won't send me dick pics, that's how bad it was. No job is worth your sanity.
|
# ? Aug 7, 2019 20:58 |
|
More fun. The principal sent an email out to all faculty inquiring if anyone had to do any setup or configuring on their computers when they got back for the summer. So far, everyone has given me a glowing review except for one teacher who complained that her computer installed a bunch of updates when she turned them on. The fact remains that administration is blatantly fishing for ammunition. Is there a mixture of and ? Bonus: The computer lab in one of our dorms is out of commission because over the summer a colony of termites took up residence in all of the desks and computers. Thankfully I had already planned on replacing them all next week.
|
# ? Aug 7, 2019 21:36 |
Dirt Road Junglist posted:
The worst part is that I've spent my entire time here - just around 11 months - exposed to this crap, trying to cope with it and figure out how to deal. Even when I made the mental shift to mode I started thinking "maybe I don't want to throw this all away" and then he pulled a similar thing as the most recent one, being the "I don't know why you would think X". That sealed that deal. This week it was "I should probably be professional and not cite him as the reason I'm leaving" to planning to name and shame him if asked. If nobody does an exit interview with me, I'm going to send the details to our office's HR contact. I'm throwing in the anti-semitic remark for good measure. Seriously, that was insane. We were in the meeting, the other guy said that he was the way he was because he was born in a certain country. I said "that's like saying someone's cheap because they're Jewish," he made a remark about "I don't wanna hear that, %our VP, who is Jewish% makes good budgets." My jaw literally dropped at that. He said it in the meeting with me, the other guy, and my incoming manager, a member of our team who would take over as the director got promoted into taking on another team along with us. Literally, when is it ever okay to make a joke affirming stereotypes in an actual professional setting? It shouldn't matter if I, or anyone for that matter, is Jewish - the fact that I am was just... ugh. I'm taking my brain and skills away. They fired the other guy in that meeting two months for good reason. When I'm gone, it'll screw over my team members, but the second I never have to see his face, hear his voice, or read his messages/emails/etc. again is the second things get better.
|
|
# ? Aug 7, 2019 22:00 |
|
larchesdanrew posted:More fun. You know, if he's hunting for reasons to fire you, it may be time for you to nut up, walk in the director's office, and straight up ask him what his loving problem is. Maybe drop that he's a bully and you're fed up with it and going forwards he can shut up and keep his dickbeaters off your IT policy. There's no benefit to being polite if you're already on the way out the door. That being said, I hope you have enough dirt to burn the whole administration down on your way out.
|
# ? Aug 7, 2019 22:32 |
|
I had an absolute poo poo as a Director as well. He would constantly belittle the team, played favorites blatantly, and once had a screaming fit because we chose to use his home branch of the bank as a testbed, since it was the closest to the office. This screaming fit included calling myself and a coworker "incompetent children" and "absolute morons". You weren't allowed to make decisions without involving him, but if you 'bothered' him with something he considered beneath him, which was everything, he acted like you had come to him with poo poo on your shoes. There was no winning any time you had to talk to him, so a lot of us just stopped trying. Which caused us to be labeled as cowards or lazy. Our training budget was handled by HR but required signoff from the director, which literally in my three years under him never once happened. There was never a need or there "wasn't enough in the training budget" - mainly because he would spend the entire budget on jetting off to RSA Conferences and VMware conferences for "Exploratory Exercises". During one of these conferences he ended up being quoted in the Washington Times and holy GOD ALMIGHTY you'd think he was the second coming of Christ. Over the course of my employment there I went to HR twice to lodge complaints, and was told both times that "That's just the way he is, you need to learn to work with it". Good job HR, you're garbage. Anyway the guy sucked like, a lot. When I put in my notice he refused to look at me for two weeks, and after I left I found out that he had tried to hold back my last paycheck for unrecovered expenses, and he torpedoed my going away party citing budget. Because a cake and 30 minutes of social time is just overkill for someone leaving the company after 11 years. I wouldn't be surprised if he ends up running the IT department.
|
# ? Aug 7, 2019 22:51 |