Sysadmin told to spend 20+ hours changing user names, for no reason

Welcome again to On-Call, our regular Friday morning foray into readers' stories of being asked to do the right thing, for the wrong reason, at unspeakable times. This week, meet reader “Harold” who works as IT manager for an educational institution. Harold tells us that the institution has a simple scheme to allocate user …


          1. Anonymous Coward

            "And I'm pretty sure if it had turned to an orgy I'd have noticed something (?)"

            My impression was that the orgies were spin-offs involving people from a local group. Usually only the husband in a couple was a member of MENSA. Any women were usually single.

            This was round the time when swingers parties made the "car keys in a bowl" a national meme. So-called "open marriages" were also a trend.

            I remember going to a university social gathering with a couple I knew - "Bob" and "Carol". It was fairly obvious that many of the staff were running shotgun on their wives who came to talk to me.*** The next day the head of department enquired if "Carol" was my girlfriend or "Bob's" girlfriend. "Oh - that is Bob's wife". I could have added "I'm just the lodger".

            ***In my younger days there were times when I was a sheep in wolf's clothing. Lindsay Anderson's "O Lucky Man" strikes some chords.

            1. Anonymous Coward

              Just for the record, I wasn't not dissing Mensa or the idea thereof, just that overall their activities didn't me personally other than to annoy people who thought they were better than others :).

    1. graeme leggett Silver badge

      I'd suggest that you ask to be allowed to do a test of the change to be sure that you've "properly setup your procedures and documentation for the changes to go through without impacting normal operations" etc etc.

      Then take his computer off him and practice the rename on it.

      Or if he sees through that one, get him to authorise a test machine set up.

      Either way, I'll hazard a guess that the changeover takes more time than expected and you can quote that in the job costing. Worst case - at least you've had the practice.

  1. Anonymous Coward

    Identity management, no one understands it

    No, absolutely no-one ... Even in big IT corporation, you only have a single chap out of thousands of IT people that can differentiate between login, first name, second name, display name ...

    I was once in a company using X.500 directory for emails. Names displayed were "second name, first name" whenever looking up in the email directory.

    And there was this chap called Pierre (first name) François (second name) working as a designer, and his alter ego called François (first name) Pierre (second name) being an HR director.

    And there was this nutball VP assistant picking up the wrong address for sending a file named "factory_redondancy_list.xls" (they're all XLS aren't they ?) and crying foul to the (me) mail admin that the X.500 directory needs to be sorted by order of (people) importance.

    Good (not) times it was ...

    1. This post has been deleted by its author

  2. Destroy All Monsters Silver badge
    Windows

    WTF

    He is the sysadmin!

    Boss wants names changes? Names change!

    Now get to it.

    Not happy? Write up exactly what the problems are, what the consequences are and demand feedback. Maybe propose to hire two "tuners" to do it during a week or so.

    If boss still says go do it, go do it. It's not a fucking democracy.

    Are we now at the point in history where sysadmins start to publicly moan about having to do their job?

    If this kind of thing is difficult to do, then there is indication that a lot of base work has not been done yet.

    1. Olius

      Re: WTF

      When I had a boss (I'm now self employed), I used to consider it a part of my job remit to let the boss (who is usually obsessed with not wasting money) know when one of their decisions was technically incompetent to the point of wasting the company huge amounts of money. As the boss is the boss and not a techie, they would not necessarily understand the technical debt or other repercussions of what they are asking for, and it is my place to tell them - especially if there is not enough slack in the dept to do the work whilst maintaining the sacrosanct "BAU" (Business As Usual)

      Blindly following a non-technical incompetent is not, imho, showing due diligence to the company.

    2. Kiwi
      FAIL

      Re: WTF

      If boss still says go do it, go do it. It's not a fucking democracy.

      We had a dick like that in a factory I worked in. I wanted to take my machines out of action for a day to do some serious maintenance and tuning before starting a very large order. In terms of downtime it would've cost maybe as much as a couple of grand, both in lost productivity and in the time of myself and one of the co-workers. Parts and other stuff (lubricants and cleaners) would've been between another $50-100.

      But no. Had to do that job NOW!.

      Guess what? We had to do that job. Twice. The whole order was rejected because, simply, the machine was out of spec and needed maintenance. Therefore the parts the machine made were out of spec. Fractionally, but enough that they didn't fit. So we lost the whole first batch (well over $30k worth of work), plus some wonderful bits in our supply contract where, well, we caused them downtime so had to pay penalties to cover that as well.

      So which was best? My way - would've cost at an extreme outside $3,000 but had a perfect running machine needing only tiny bits of work for the next few months? Or the "If boss still says go do it, go do it. It's not a fucking democracy." way - which cost the company.

      Oh, and I do mean it cost the company. Sure, things kept running for another few years, but the financial costs were too much. The boss had a heart attack a short while after this (he survived, thankfully, and became a much nicer person after that), but the company itself was terminal. There was a loss of goodwill, huge loss of revenue, other contracts lost during the time we were making up for the mistake, and a domino effect that had us running on reserves chasing our tails for a while until the reserves ran out.

      I drive past there every few months now. Quite sad. The building was demolished a couple of years back, but nothing's replaced it. I gave over a decade of my life to what is little more than a hole in the ground. Had the boss listened? Well, we may still have gone under - a lot of manufacturing has gone overseas. But we could've outlasted our competition, and then we would be the big firm with happy well-paid employees.

      Sometimes you should shut up and let the boss fuck up. Other times, it pays to slap the boss upside the head and do it your way regardless.

  3. Olius

    Two questions...

    Why did it take him 20 hours to turn HR's spreadsheet in to a script that can update the various DBs?

    (That's not a serious question)

    A serious question is - why are the laptops named after their owners?

    Any sysadmin that has been a sysadmin for more than a couple of years knows that this is a sure way to be swamped with unnecessary extra work for each swap or breakage.

    1. Peter2 Silver badge

      Re: Two questions...

      I really don't get why people name devices after the owners. One of my predecessors did this on my existing network and it was a total nightmare. Every time you picked up a "spare" computer you'd end up with duplicate names on the network causing no end of hassle.

      Personally, I just name the devices with their asset numbers and get the users to read me the asset number off of the label if I need it for some reason. If I need to know who's using which device then you can always pull the login records, or look at the asset register if you need to know who's got a laptop they take off site.

      1. Anonymous Coward

        Re: Two questions...

        me either, or naming PC's after the room they're in, because they never get moved to somewhere else! if you want to know where it is stick the room in the computer description field. Don't name a PC after anything that is likely to change! We have a static list that we pick the next incremental name\number from

        1. Alan Brown Silver badge

          Re: Two questions...

          "if you want to know where it is stick the room in the computer description field"

          No, if you want to know where it is, put the room and port number on the network port description and look at where it's connected when you need it.

          Anything else will always have you playing catchup.

      2. Prst. V.Jeltz Silver badge

        Re: Two questions...

        "Personally, I just name the devices with their asset numbers"

        It's the way to be sure - then the user has it written in front of them.

        Especially good for printers - traditionally named "Finance printer" or some shit like that, and then it moves, or more often the department changes its name if it's a time and money wasting public office.

        1. Peter2 Silver badge

          Re: Two questions...

          - Especially good for printers

          To be fair, with printers I go for a meaningful location identifier rather than an asset number such as Vulture Central, Floor 1, Printer 3, shortened down to "VC-F1P3".

          A large sticker lets the users know which printer is which, and users just delete their printers and add the nearest one if they relocate between desks/department areas.

        2. Doctor Syntax Silver badge

          Re: Two questions...

          "Personally, I just name the devices with their asset numbers"

          It's the way to be sure - then the user has it written in front of them.

          "Dell"

          1. Alan Brown Silver badge

            Re: Two questions...

            if you want to name it, stick a fucking label on the corner of the screen.

            Preferably a security label which makes a HELL of a mess if the user tries to peel it. They'll only try it once.

      3. Anonymous Coward

        Re: Two questions...

        I name the PCs I install using the computer serial (we don't use asset numbers) so it's the Dell service tag or whathaveyou.

        That has only once bitten me on the fundament. It seems that while MS etc actually advise against having computer names starting with a numeral, and most of the time computers have no problem whatsoever having names starting with a numeral - you guessed it - the clients for Sage 200 (in my case) won't connect to the SQL server if they have numerals at the start of the computer name.

        So I had to rename about 3 computers (by adding a D for Dell) to the start of the name.

        A footnote - the 3rd party that helps with our system, had renamed most of the desktops to users initials during an upgrade about 5 years ago. But of course that plan broke down the moment staff turnover hit it.

        1. Peter2 Silver badge

          Re: Two questions...

          The GPO script linked to the Staff Laptops OU parses the computer name, finds the bit after the hyphen and then:

          Isn't this just reinventing a roaming profile (or a redirected profile with offline folders & files enabled) with the exception of not uploading changes on connection to the network automatically, or is your script doing other things you haven't mentioned?

          1. GoodOldHarold

            Re: Two questions...

            It's for creating a local admin user account for the teacher to use at home, with the same username as their AD account, and then setting that up automatically so I don't have to do anything manual per each teacher's laptop. Literally just name it "after" them and the script does the rest. I have a lot of scripts like that in place, including for dealing with automatic staff laptop encryption. I maintain the view that I shouldn't really be having to do anything :P Although, of course, you have to put in all the legwork first in order to get there... :)

            (In practice, of course, their username off the network will be ".\abc", but hey-ho...)

      4. Stuart Elliott

        Re: Two questions...

        Company name. First Initial.Second Initial 2 digit Month 2 digit Year.

        EG. TESCO.SE1216 - shows ownership, both company and user and issue date.

    2. Doctor Syntax Silver badge

      Re: Two questions...

      "Why etc"

      Likely answer to both questions: because the current request is only the latest in a long line of "because I can" decisions by nuppit management which has left the entire IT estate in a shambles.

    3. GoodOldHarold

      Re: Two questions...

      Because of a script! ;)

      So if a user is ABC, then his laptop will be called LAPTOP-ABC. The GPO script linked to the Staff Laptops OU parses the computer name, finds the bit after the hyphen and then:

      1) Creates a local user with the same username and makes them a local admin;

      2) Queries AD for that username to get their forename and surname and adds those to the new local account;

      3) Calls PSExec to run "cmd /c" as that user and then terminate, causing their local profile to be created for the first time;

      4) Calls PowerShell to use the [ADSI] WinNT:// namespace to expire their local password;

      5) Shares their local profile folder with Full Access permissions for that AD user only - then there's a GP Drive Map for when they're logged on with their AD account that maps a drive pointing to that share on \\127.0.0.1, so they can access their local documents when logged on to the network (there are heavy GP restrictions and they can't otherwise access the local hard drive);

      6) Copies our Remote Access .wcx file to their local desktop so they can set up their RemoteApp access.

      For those commenting about scripting: this whole system is held together with my own (documented) scripts, all of which work perfectly fine as long as there is complete consistency across the board with principles like "profile folder name matches AD username" etc.
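      The consistency that Harold's scripts depend on ("profile folder name matches AD username", laptop named after its user) can be checked before a username change is rolled out. The sketch below is an added example, not Harold's script or code from the article: the record properties, function names and every username, computer name and path in it are constructed or hypothetical.

```powershell
# Added example. All usernames, computer names and paths are constructed sample data.
# ComputerName/ProfilePath and the function names are hypothetical, not from the original post.

function New-Finding([string]$Check, [string]$Target, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Target = $Target; Detail = $Detail }
}

function Test-RenamePlan {
    param(
        [Parameter(Mandatory)] [hashtable] $RenameMap,   # old username -> new username
        [Parameter(Mandatory)] [object[]]  $Inventory,   # one record per staff laptop
        [string] $Prefix = 'LAPTOP-'
    )

    # Two existing accounts must never be given the same new username.
    $RenameMap.GetEnumerator() | Group-Object -Property Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Finding 'DuplicateNewName' $_.Name ('claimed by ' + (($_.Group.Key | Sort-Object) -join ', '))
        }

    $pattern = '^' + [regex]::Escape($Prefix) + '(?<user>[A-Za-z][A-Za-z0-9]*)$'
    foreach ($pc in $Inventory) {
        # Same rule as the GPO script: the username is the part after the hyphen.
        if ($pc.ComputerName -notmatch $pattern) {
            New-Finding 'UnparseableName' $pc.ComputerName 'no username can be derived'
            continue
        }
        $old = $Matches['user']

        # A stale name would make the script provision a local admin for the wrong account.
        if (-not $RenameMap.ContainsKey($old)) {
            New-Finding 'NoSuchUser' $pc.ComputerName "'$old' is not in the rename map"
            continue
        }

        # "Profile folder name matches AD username" is the invariant the share relies on.
        $folder = ($pc.ProfilePath.TrimEnd([char[]]'\/') -split '[\\/]')[-1]
        if ($folder -ne $old) {
            New-Finding 'ProfileMismatch' $pc.ComputerName "profile folder is '$folder', expected '$old'"
        }

        $newName = $Prefix + $RenameMap[$old]
        if ($newName.Length -gt 15) {          # NetBIOS computer names are limited to 15 characters
            New-Finding 'NameTooLong' $pc.ComputerName "'$newName' is $($newName.Length) characters"
        }
        elseif ($newName -ne $pc.ComputerName) {
            New-Finding 'RenameRequired' $pc.ComputerName "rename to $newName"
        }
    }
}

# Constructed rename plan; the new names are illustrative, not the scheme from the article.
$plan = @{
    'ABC' = 'ABROWN'
    'DEF' = 'DFISHER'
    'JBS' = 'JSMITH'
    'JSM' = 'JSMITH'         # collides with JBS
    'GHI' = 'GHILLINGDON'    # LAPTOP-GHILLINGDON would be 18 characters
}

# Constructed inventory, e.g. as exported from an asset register.
$inventory = @(
    [pscustomobject]@{ ComputerName = 'LAPTOP-ABC'; ProfilePath = 'C:\Users\ABC' }
    [pscustomobject]@{ ComputerName = 'LAPTOP-DEF'; ProfilePath = 'C:\Users\DEF.OLD' }
    [pscustomobject]@{ ComputerName = 'LAPTOP-GHI'; ProfilePath = 'C:\Users\GHI' }
    [pscustomobject]@{ ComputerName = 'LAPTOP-XYZ'; ProfilePath = 'C:\Users\XYZ' }
    [pscustomobject]@{ ComputerName = 'SPARE01';    ProfilePath = 'C:\Users\Public' }
)

Test-RenamePlan -RenameMap $plan -Inventory $inventory | Format-Table -AutoSize
```

      Comparisons are case-insensitive, matching how Windows treats account and computer names; the check only reads the supplied records and changes nothing.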

      1. Naselus

        Re: Two questions...

        Sorry, read as far as "1) Creates a local user with the same username and makes them a local admin;" and then massive, massive alarm bells drowned out the rest of your post.

  4. Agent Starling

    One place I worked at introduced a new naming convention that had our IT dept working all night to implement. The CEO's newly configured user name became 'sod'. He had the grace to be a sport and live with it at least.

    1. NorthernCoder
      Pint

      I read (at TechTales I believe it was) a story about a company with a 2+2 naming pattern in which the two first letters from the last name would be first, so John Doe would have dojo@company.com. Alan Anderton was not amused.

      1. Prst. V.Jeltz Silver badge

        i'd be over the moon if I was Alan!

      2. Anonymous Coward

        read (at TechTales I believe it was) a story about a company with a 2+2 naming pattern in which the two first letters from the last name would be first, so John Doe would have dojo@company.com. Alan Anderton was not amused.

        We had a 1+3 scheme, which led to some problems with a chap called Tom Watson. We did warn them that they were invoking the four letter curse, but not too enthusiastically because we knew things like this were going to happen and, to be honest, it promised to be so entertaining that we didn't mind the likely extra work to roll back and adjust the script.

        Tom Watson had been quite noisy, so we decided not to suggest a 1+4 as a fix. There's only so much you can credibly explain away :).

  5. Gomez Adams

    What happens to the audit trail?

    If you allow changing of login ids? There is an audit trail I hope?

  6. Anonymous Coward

    Another bad idea foisted on an entire nation:

    https://en.wikipedia.org/wiki/Unique_Population_Registry_Code

    Social hacker heaven.

  7. Emmeran

    First of all

    Learn how to script, preferably in powershell since you're dealing with AD. Secondly learn how to build error trapping into your scripts. Thirdly you should already know how to script.

    I've made this change in the past most often to align login names with email addresses to simplify life in a multi-userid age; more often now to disconnect userid's from email addy's due to security concerns.

    Most of all - get a good policy that doesn't rely on random collections of initials and only apply to new/newish users. Always allow employees with lots of time at the company to keep their old ID's/email addy/phone number if at all possible - call it plank holders privilege.

  8. phuzz Silver badge
    Facepalm

    This shouldn't be an issue for me because I work in a company of eight people, so generally logins are of the form "firstname".

    Of course three out of the eight have the same first name.

    1. Anonymous Coward

      Been there with a client

      3 people called Graham (including the CEO) and the COO called Graeme.

      Also 4 people called Andrew.

      And usernames were first names... Not my choice.

  9. Anonymous Coward

    Redacted.

    I work for the company REDACTED.

    They have an ERP software named REDACTED that we must use on a daily basis, living in a Server somewhere, so they don't have to install it in 3000+ terminals. So everybody must login in it using the RDP feature from Windows 7.

    But because the terminals are not "properly registered" within the network, saving the passwords on the RDP won't help you, you have to retype your password. EVERY REDACTED TIME.

    On top of that, the software has its own login passwords, instead of just pulling the REDACTED credentials from the network. And the network managers must copy them over from the network to the REDACTED program, every day.

    In short, you must login on your machine THREE REDACTED TIMES, every REDACTED day, to reach the REDACTED program.

    The kick (in the REDACTED) is, that REDACTED of REDACTED of a program runs on a limited number of simultaneous users, so you better rush in the morning, login before everybody else, and leave it running, if you want some usability out of it.

    1. Antron Argaiv Silver badge
      Childcatcher

      Re: Redacted.

      Why, oh, why...is accounting software mired in first half of the last century, with nonstandard keys to change fields, hard field length limits and complete ignorance of the generally accepted Windows UI behaviour "standard"?

      // I'm looking at you, Vision

      // ...and you, Sema4 (if you're still in business)

      1. Naselus

        Re: Redacted.

        "Why, oh, why...is accounting software mired in first half of the last century"

        It is, isn't it?

        I blame Sage; they're the market leader, but there doesn't seem to have been any effort to update under the hood since Fortran.

  10. JamesPond
    Coat

    I worked for a 'manager' who came to work one morning, presumably having read some management book on his train ride to work and said to the 20 staff members on the IT Support team

    "I want you all to write 4 new processes / SOPs this week, doesn't matter what on, just get me 4 so that I can show management we are working really hard" . sigh.

    1. Alan Brown Silver badge

      " presumably having read some management book on his train ride to work"

      Actually it sounds like _his_ boss had read it. I've seen this kind of thing before.

  11. Dan Wilkie

    What happens if you have a John Barton Smythe, a John Barry Smith and a Josephy Barry Smithson?

    1. Doctor Syntax Silver badge

      "What happens if you have a John Barton Smythe, a John Barry Smith and a Josephy Barry Smithson?"

      And a Julian B'stard?

  12. AndrueC Silver badge
    Joke

    Harold tells us that the institution has a simple scheme to allocate user names for staff: someone called John Brian Smith gets the user name “JBS”. Someone called John Smith, but with no middle name, is “JSM” - the first letter from their first name and the first two from the surname.

    Obligatory Dilbert.

    1. Anonymous South African Coward Bronze badge

      Well spotted. Ms Brenda Utthead :D

    2. sdalton
      Coat

      Is it bad?

      Is it bad that I knew what dilbert that would be without clicking on it?

  13. FuzzyWuzzys
    Facepalm

    We had a similar situation, we simply agreed to keep the old ones as they were and each new joiner got a new format ID. Then as people leave the old ones get phased out.

  14. andy gibson

    3 letter usernames

    3 letter usernames are terrible, my school used them. You end up with all manner of duplicates - I was AGI for A Gibson. But as soon as Ashleigh Gibley started she had to be AGI1.

    It's just as bad with Smiths, you always end up with more than one sharing the same first initial.

  15. Schultz

    Wrong reaction ...

    Harold should have reacted by:

    (1) Warmly praising his 2IC for brilliant leadership and the will to make hard organizational decisions,

    (2) asking about the budget that will be available for organizing the transition to new usernames, or

    (3) requesting an external review to establish the required effort and budget to make the transition.

    Most people only start thinking if it costs money -- so money is the argument against stupid make-do-work.

  16. Anonymous Coward

    Futile

    So, I agree the approach is futile (user-readable usernames are fine, but ultimately it gets lost over time, John Smith, Jane Smith, James Smethwick all map to the same username).

    But, ultimately the 2IC and Harold have been doing different approaches to username allocation. Who's to say that Harold is right with his approach? Suck it up, you've called out the risks and been asked to do it anyway. Refusing to do it because you can't see the benefits is insane. There are always reasons you're not privy to, and having to explain to every sulky admin the rationale behind the request is a ball-ache and unnecessary. Off the top of my head, for all you know there is a DPA related complaint behind revealing personal information (middle initials) without a purpose. The cost/risk/benefit analysis isn't for you to do.

    1. Doctor Syntax Silver badge

      Re: Futile

      "There are always reasons you're not privy to, and having to explain to every sulky admin the rationale behind the request is a ball-ache and unnecessary."

      Actually it is necessary. If you have a rationale it should be shared unless there are good reasons otherwise. It's more likely to get buy-in to what may well be an otherwise incomprehensible idea or at the very least assures everyone that you aren't actually deficient of marbles. It ensures that new situations can be dealt with appropriately. It enables the process to be modified or dumped if circumstances change to make it inappropriate. At the very least it makes you check that your rationale was well enough thought through to enable you to put together a coherent explanation.

      If it's a ball-ache explaining it maybe it wasn't a very good idea and even if it was, it was your idea, it's going to be an even bigger ball-ache for somebody so why shouldn't you suffer a little too?

      1. Terry 6 Silver badge

        Re: Futile

        Doctor Syntax

        Agreed. Explaining the reasoning behind a decision equates to treating all staff as part of a team. It also sometimes makes the difference between providing what the managers say they want and what they actually intended. Maybe the manager who asks for something that sounds pointless and foolhardy is just doing it as a whim. But maybe it's because he/she thinks that this is the way to solve a genuine problem - and doesn't know there's a better solution (or that his solution would cause more trouble than the original situation.)

      2. Anonymous Coward

        Re: Futile

        Actually it is necessary. If you have a rationale it should be shared unless there are good reasons otherwise. It's more likely to get buy-in to what may well be an otherwise incomprehensible idea or at the very least assures everyone that you aren't actually deficient of marbles. It ensures that new situations can be dealt with appropriately. It enables the process to be modified or dumped if circumstances change to make it inappropriate. At the very least it makes you check that your rationale was well enough thought through to enable you to put together a coherent explanation.

        It also allows you to draw intelligent input from the people who will have to execute your wonderful idea, and who may have the required expertise to spot issues, or even enhance the proposed concept (let's not forget that). The challenge is, of course, that that requires leadership instead of management (there's a large difference between the two).

  17. Anonymous Coward

    compuserve anyone

    All email addresses were originally numbers, no problems with duplicates or funny spellings. From memory it was n.n@compuserve.com. I remember how excited I was when it was announced that names would be supported and we could apply for our name related email address.

    The article does bring back memories of 20+ years ago of me swearing under my breath every time a request came through for someone wanting to change their name due to marriage or divorce, used to take between half a day and a day to sort it all out depending on how many systems their single logon had access to. Happy days.
