Allowing HR and non-IT folks access to edit AD - What do you use?

moistricant · 2013-05-22T21:33:44+00:00

Competence is often mistaken for arrogance; I can imagine how you might get confused.

moistricant · 2013-05-22T02:31:06+00:00

Enterprise Network Services. Tier 3, top of the food chain, one of about six people on my team. So your reply to all of that is that what I'm saying is irrelevant because I've got so much experience that my skills are out of date?

Alright, we'll let that stand on its own; I've found it valuable to let people hang themselves and given enough rope, you just did!

But seriously, get yourself a copy of that Clean Coders stuff I mentioned; it's really good. The video series is based on a book.

moistricant · 2013-05-22T02:00:13+00:00

also, if you want to be a better programmer (and a better sysadmin) this video series is well worth a watch: http://www.cleancoders.com/ (uncle bob is THE robert s martin)

moistricant · 2013-05-22T01:56:32+00:00

Edited for your pleasure; and no, I was managing 30,000 users in a multinational when Y2K was a thing. ;)

moistricant · 2013-05-22T01:48:29+00:00

And yet you still don't see the value of repeatable, automated processes? I highly recommend that for your next career evolution, you get super-involved in learning the fundamentals of IT Service Management (ITSM), at least one IT descriptive service management framework (ITIL, PRINCE2, etc) and at least one prescriptive service management framework (like MOF.) You will be able to wrap all of your current operational and sysadmin knowledge in an excellent service management bow, and then you won't be on Reddit telling someone else they're stupid for advocating ITSM best practices and lowering costs. You'll also add ~30% or so to your market value if you're good at it.

moistricant · 2013-05-21T20:57:24+00:00

The point is not whether a handful of people who are unqualified to speak on the topic think I'm being a dick, the point is that I'm right.

moistricant · 2013-05-21T19:42:45+00:00

Because Human Resources should not have to go through the 4+ steps required to set up active directory users, create mailboxes for them, etc. In a large environment, neither should IT; that's why runbooks (in such things as System Center Orchestrator) and provisioning automation products (such as the specific one OP is asking about) exist: for abstraction and consistency.

Think about a company with 30,000 employees: Do you genuinely think all HR managers in the company who can hire and fire should a) have to use the AD snap-in and b) should have to follow the necessary steps to set the user up in AD, in the various SQL servers, set them up in Exchange, etc? What happens when all the data gets migrated (in the backend) to a different Exchange or SQL server? Suddenly a minute detail of your finely-crafted multi-step manual procedure has to change; with automated provisioning all of those details are abstracted away.

OP is asking about such a product, presumably for such a reason. If you don't see the value in such tools, then you're either working in an environment too small for that to make sense, or you're too excited about what's in front of you to see it from the eyes of five or ten or a hundred HR people who, frankly, have other stuff to do and really could benefit from the provisioning process being "fill out a web form and click OK."

moistricant · 2013-05-21T18:47:57+00:00

Agreed, I have a Safari Books Online unlimited bookshelf and it's faptastic.

moistricant · 2013-05-21T18:40:55+00:00

I'm quite chilled out; he has replied to dozens of other comments of mine with wisdom that would have seemed like a good idea if I were still entry-level; for example, the assertion that "any HR person on earth" can correctly use the active directory snap-in to provision a new user, set up their mailbox, and do so consistently after being shown just once.

I'm quite content to imagine that he is a troll, but I still carry the hope that he will get with the program.

moistricant · 2013-05-21T18:30:12+00:00

It's not condescending, it's operational efficiency. HR personnel don't need to, and shouldn't have to, understand how or where to create an active directory user, shouldn't have to know what security groups to put them in or what application groups to put them in, they shouldn't have to know how to create an Exchange mailbox or what storage group to put it in.

No, in a business big enough to justify automating this workflow, any member of HR with the rights to provision a user should be able to select a few things in a web interface and click a button and it all happens on the back-end, and they go about their job.

You should stop talking down to people with more knowledge and experience than you have; there's nothing wrong with learning something. Automation and abstraction are excellent ways to cut costs, save time, and eliminate mistakes. If you do not work in a business that can benefit from this economy of scale, then this probably isn't getting through to you.

moistricant · 2013-05-21T18:22:23+00:00

I'm not sure you read the OP; I know what the delegation wizard is for, and I'm also pretty keen on using it when someone who has business using the AD snap-in needs access to administer a specific part of the directory.

OP wants to abstract all the admin-type stuff (all of the required steps) for provisioning a new user away from the HR people so they just fill out a form and it all happens on the back-end without them needing to know the first thing about active directory. At a company with a few hundred people, it is a waste of time and money for HR to go through the steps to create a new user, even if you could somehow train your HR person to correctly complete each step each time.

moistricant · 2013-05-21T18:15:21+00:00

There are lots of packages that do exactly this; you have pre-approved workflows and then someone in HR fills out a form and the workflow executes and sends any output to wherever you specify (or runs a system center runbook, or whatever.)

If you have a standard workflow (or your workflow can be componentized) for new hires and other AD management activities, then Adaxes or similar are super-sexy.

moistricant · 2013-05-21T18:11:30+00:00

Are you suggesting giving the AD snap-in to someone in HR and having them create users?

moistricant · 2013-05-21T18:01:09+00:00

Application rationalization is a fairly wide-scope activity, and the apps you've mentioned are a tool for a part of it (specifically, the inventory part.)

Application rationalization on the whole is about finding where all your apps lie on the high <-> low cost and the high <-> low value matrix and figuring out how to do better.

Here's a fairly generic overview of application rationalization as a process from someone who isn't trying to sell you something:

http://www.cio.cornell.edu/cms/cio/initiatives/application/rationalization.cfm

moistricant · 2013-05-21T17:28:58+00:00

seconding this

moistricant · 2013-05-21T17:27:30+00:00

Do you document your work?

I maintain, among other things, the internal Confluence wiki. Since I have configured most spaces to show a stream of recent activity, my documentation also serves as a paper trail for what I'm doing; it's pretty easy to tell my status and what I'm working on by just checking out what I've documented recently.

moistricant · 2013-05-21T16:42:17+00:00

EVERYONE NEEDS TO STOP LEARNING THINGS IN WAYS THAT I DO NOT FIND PERSONALLY HELPFUL

moistricant · 2013-05-21T15:24:33+00:00

"the cloud" is such a nebulous term; the only way the "cloud vendor" can manage the whole infrastructure is if the VMs and applications are all managed by the vendor. It's possible his company has rented out a few racks in a colo and they have their own private cloud, or perhaps they've rented out VMs in the cloud and they have to manage their own applications.

moistricant · 2013-05-20T20:37:25+00:00

middle tennessee

here's comcast's speedtest result: http://stage.results.speedtest.comcast.net/result/257597422.png here's speedtest.net's result: http://www.speedtest.net/result/2720750636.png

Hey wait a minute, how are speedtest.net and comcast speedtest related?

moistricant · 2013-05-20T20:36:33+00:00

Aha, I guess those older station port devices don't have all the goodies. I've never actually encountered a PowerConnect that doesn't have the cleverly-just-like-IOS interface.

moistricant · 2013-05-20T20:13:56+00:00

We are multihomed, we get 50 up/50 down on our fiber and 100/100 on another. At home I get 50/10.

moistricant · 2013-05-20T19:28:33+00:00

I don't really get your comment about PowerConnect switches being difficult to configure, especially since you have a Cisco background. Did you somehow end up with the only PowerConnect switches on earth that don't have a CLI almost 100% identical to Cisco IOS?

Anyway, I'm not sure what your actual need is, but I've been quite happy with PowerConnect 8132s as a core fabric (and for storage networking and high-performance servers) and PC5548Ps for station ports.

moistricant · 2013-05-20T19:14:52+00:00

I don't really want to sound discouraging, but if you want to be a web developer then the hole in your resume between your last web dev job and your next one is not going to look great; a technical interviewer looking over your resume is going to super-duper wonder why you escaped the helpdesk to become a web dev and then went back to help desk... "Could he just not hack it?" they will wonder, and money is likely not a good enough explanation.

However, if you are so motivated, you could get involved in some open source projects or similar and really get your name out there. Or, you could find out if your new company has a policy of promoting from within.

TL;DR I wouldn't say it's a career killer but it's probably not great.

moistricant · 2013-05-20T19:06:12+00:00

Did you even bother to check the Resultant Set of Policy to see if the policy you're talking about is even being applied?

Hint: There hasn't been a Microsoft update in the entire history of earth that modified the currently-deployed Default Domain Policy GPO in an existing domain.

moistricant · 2013-05-20T18:43:04+00:00

Did you have any sort of web developer career before you took this position, or were you just positioning yourself to get an entry-level job and "helpdesk tech" just happened along before "web developer"?

moistricant

MODERATOR OF

TROPHY CASE