Sysadmin told to spend 20+ hours changing user names, for no reason Welcome again to On-Call, our regular Friday morning foray into readers' stories of being asked to do the right thing, for the wrong reason, at unspeakable times. This week, meet reader “Harold” who works as IT manager for an educational institution. Harold tells us that the institution has a simple scheme to allocate user …
I recently came across my original FidoNet address in some old docs which really threw me :).
That naming structure was *very* geographical because it pretty much described the whole path to the node where you held your post, but it had no names in it. If you decided to pick up email from abroad it would cost you an international phone call.
That said, at least it was only text, not 10MB powerpoint files..
Are you sure you have captured all the steps needed to complete this task?
You need time to discover all the consequences of this management meddling, er initiative. Then once you have listed them all you need to test. Days become weeks and could be months. Well, does the manager want it done properly or not? And don't forget to consider how backups taken under the old regime may be restored using the new regime.
would have suggested running as-is with the new process documented and any additional users going on in the new format and if/when there's an issue with an existing account on the old system it's transferred over.
A common naming convention is a good idea, however spending a huge amount of time correcting an existing system which works isn't if it's documented to prevent a problem with loss of staff through illness or being driven to leave by a terrible boss.
Few IT staff I know are precious about how things are recorded, they just want it to be consistent an accurate.
A colleague and I once spent a good week or so changing the network IP address ranges of 30 regional offices to match the 'harmonised' scheme of the company who'd acquired us. The change was not a major shift in numbering and we were clever enough to do a fair bit of it remotely through deft use of RDP and multihoming. After we'd finished and handed everything over to our new lords and masters (who very soon kicked us regional IT guys out), it transpired they'd forgot to tell us that the subnet masks also needed changing, so off we went again!
This same company ripped out the 8Mbit ADSL VPN connections (this was around 2004) between our HQ and the offices and replaced them with 1/2 Meg MPLS circuits - then wondered why everything ground to a halt (I bet the accountants loved the new bills too!)
The icing on the cake, was that the encumbent IT guys were sh*t scared of Linux and so out went the 300-user email system based on Postfix, to be replaced by MS Exchange + required Licences, and they abandoned the distributed, replicated, cross-site backup system based on BackupPC which performed full and incremental backups of data overnight from every office to two other locations, plus the clever rsync scripts that brought a copy of all regional data back to HQ every night for data mining - we had data coming in from MS-SQL, MS-Access and proprietary systems to be munged into one data set in MySQL - it was bloody brilliant, even if I do say so myself.
One of my schools had a very sophisticated (for the time) program for attendance, room use and scheduling. The system could work out for example if there was a lesson clash for any students taking multiple A-level subjects in the sixth form year. Anyway it used the the initials of the staff and the first initial and last name for the students which had worked well. Then a student with a double barrelled name joined the school with a hyphen separating the two last names.
Apparently no one had thought about this possibility when designing the software and his hyphen caused two students to be created in the system (same first name but different second name) So in the first lesson I attended that year the teacher read out the names and everyone put their hand in the air when their name was called and said here. Except for Coates* who wasn't there and no one knew who he was as this was the start of the Autumn term and loads of new students. We had an entire day of lessons where Coates was absent and it was out down to sickness or something else. A week goes by and still no sign which is not good news at all. There is a bit of worry amongst the admin staff that he has been listed as sick every day when in fact nobody knows where this kid is. So they look at his details on the computer and there's no home address, no parents, no phone number etc. which is very odd. This will have to be reported to the Local Education Authority (now to Ofsted) and that's a very bad thing apparently! On the Monday morning of the next week the English teacher asks if anyone knows this kid outside of school as the staff don't know anything about him. "Does anyone know where he lives, what he looks like, who his parents are?" etc.
Rather sheepishly one child then raised his hand and said my my full name is XXXXXX Serge-Coates* it might be me. We'd been through twenty five lessons with the teacher asking at the start of the class when the register was taken if XXXXXX Coates was there. They couldn't believe that he had taken this long to twig that it was possibly him and assumed that he was doing it to make them look stupid. Although not unpopular with the rest of us, he was very unpopular with the staff over that.
*Name changed, he wasn't posh his parents had divorced and remarried other people keeping their original last names and new surnames.
"Then a student with a double barrelled name joined the school with a hyphen separating the two last names."
Ah. The double barrelled surname problem.
Client's client had a database in which the names were properly structured but for some reason decided to amalgamate forename and surname into one string, surname first to send to us. We were then expected to transform it into the correct sequence to print. Hyphenated surnames would have been OK but non-hyphenated... After giving them a few examples they saw my point. However instead of a correct fix - either send it as two fields or concatenate it in the right order, they kept things as they were and sent an extra, numerical parameter, to shown where it should be pivoted.
"We'd been through twenty five lessons with the teacher asking at the start of the class when the register was taken if XXXXXX Coates was there"
Every single class I was ever in at high school only ever called surnames at roll call. The only exception was if there were 2 of them and then an initial would be called too.
Every single class I was ever in at high school only ever called surnames at roll call.
One of my high school teachers had been teaching for 30-odd years and had done it that way with no problem. She would also call out the names in blocks of 3, eg Anderson, Andrews, Calver... Collins, Daniels, Davis....
Then she got my class. One of my classmates had the surname "Roots1". 2 of the boys (one of them a rather sensitive bully) got a bit upset, because of "Peters Roots Symes".
1 For the slang-impaired, at least over here "Root" is a synonym for sex.
The good thing about standards.. is that there are so many to choose from.
Our AD structure is made from several smaller domains nailed together. There are probably 20 or so different naming schemes in use. Now we could make everything the same but that would involve a helluva lot of arguing, and if there's something that IT folk enjoy an argument over then it is naming conventions.
As for machine names.. never name the machine after its owner. In our organisation a machine gets a number which it sticks with throughout its entire life. Unless of course it's those bits of the organisation that actually do name the machine after its owner. Yes, we can't name those consistently either.
You can of course wait until objects with the old names drop out of the AD structure and replace them with new ones. With computers that's about 5 years, not too bad for a large organisation. For users.. well, that can be decades. But you have to plan for the long term, eh?
So this is what I'd do.
Go home and complain. Maybe bitch on social media. Or, you know, a forum like this. Maybe drink. Maybe watch cartoons. Definitely picture detailed visions of retribution.
Then back at work, write up an impact plan, and have the boss sign off on it.
Then, just do it.
Ultimately, no matter how much personal pride I take in a job well done, these are not my computers, and I do not own this business.
"how do you handle companies where two John Smiths work?"
In the original scheme it appeared that naming was somewhat informal allowing scope for ad hoc decisions to resolve problems. If you set up a prescriptive scheme such as that proposed you need to build in a means of ensuring* uniqueness. In another post someone suggested adding x, y or z as dummy initials to a first/last initial scheme; works well right up until you've allocated jxs and then John Xavier Smith joins the company. Essentially it means something along the lines of adding a few digits so that your two John Smiths, or indeed Jane and John Smith, can be handled as smithj01 and smithj02.
*To some degree of statistical acceptability. The example above fails if the company is so big there's a realistic chance of 100 or more smithjnn names being generated in which case you need more digits.
"The proposed naming system cannot guarantee to produce unique names and unique names are an essential requirement."
The existing scheme doesn't either.
Unless the 'new' scheme is less than 3 letters per person, it's less likely to produce duplicates than the frankly idiotic 3-letter practice (which has only 18k possible combinations, and since most of those are unlikely to occur ever - just how likely is ZQP, for example? - it's likely to run into duplicates ridiculously quickly).
Scrap both and come up with a sane naming convention.
... exactly what “Harold” meant by "The 2IC is having none of that argument". He provided an estimate along with identifying some possible risks. And the #2 boss is saying "No"? Does he have some insight into the process and a more streamlined approach? Or is he one of these supervisors that just think the IT department throws a handful of faerie dust at the servers and its 'job done'.
Having worked in some heavily audited lines of business, this sounds like a request to 'just get it done, but hide the expenditures' which can get even a CEO canned. Or at least the business banned from government contracts. Now I understand that not everyone must answer to this high a level of accountability. But Harold should take whatever steps are needed, through official channels, to request budget for and set up charge lines to track this activity. That might be enough to stop 2IC in his tracks.
Ultimately all it comes down to is one person thinking their point of view is more important - and therefore overriding - anothers. Everyone wants their own way and will do what they feel necessary to justify that.
This happens in all aspects of life when you're a grown up.
Document the issues as you see them, then get on with your job. If a situation arsies where you're being blamed for someone elses fuck up then show them the dated documentation to show that you foresaw the issue(s) and warned them about them. Collect your pay check and get on with it. If it becomes terrible to the point you can handle it, consider moving jobs. But it would have to be pretty drastic (or you're in a low paid/crap job) for that to be a real option.
"This happens in all aspects of life when you're a grown up."
Until you are grown up you get very little say in any decisions. At 13 a friend's son showed a sense of impeccable logic in family arguments about things he wanted to do or not do. His mother's reaction was always to dismiss his well-crafted argument with "because I say so".
About 20 years ago, my then boss asked me how I had time to help out other staff, when my predecessor spent all week taking the various electric motors off line, testing the motor winding resistances (with a bog standard ohm metre) and recording them, to help identify which motors were starting to fail.
So I went and got a brand new, unused motor from stores, and a dead motor of the same type I had pulled the day before and showed him the ohm readings.
They were identical.
Then I went back to my cubby hole and read a book until someone wanted some help.
(A proper insulation tester would have shown some differences, but they werent willing to supply one, and I wasnt going to spend my own cash to buy one).
If you copied the list of actions that Harold sent to 2IC to explain why it's going to take so long to do, then only redacted a few details before putting it into the article, 2IC will have to be pretty thick not to put 2 and 2 together.
Lets hope 2IC doesn't read El Reg or Harold is royally screwed. I'm sure 2IC will be looking through Harold's employment contract for clauses Harold has breached by sharing this story in a public forum.
...so many icons to choose from.
Nope, it does not. There are various people around the world with the same name as mine. My gmail address has a dot between first and last name. Theirs (multiple people) does not and I get their emails all the time. I even got a classified email from the US once.
So, sorry, Gmail no longer seems to work that way.
As far as I can work it out, my firstname.surname@gmail addy doesn't seem to go to the American who shares my name. But I do get some of her firstnamesurname@gmail.com messages from time to time - unless someone is just assuming that she has that address (which has been mine since gmail was invitation only) or, as suggested below, that one has a digit that gets forgotten. And though I do like to get my own name for any account I would never choose a user name with an add-on number - I'd rather find something original.
"I even got a classified email from the US once."
Similar here. I got a few emails emails from ITV with me CC'd in discussing an upcoming production. It took about three weeks of replying to them pointing out the mistake before I eventually did a Reply-All and it stopped (also got an apology for the inconvenience, natch!)
Another one was a company sending me details of a contract workers invoices/expenses. That only happened once and they were *extremely* apologetic and thanked me profusely for pointing it out to them. That could have been very nasty for them.
That part of the job should be pretty smooth providing (as previously pointed out) it is an additional alias.
There would be benefits in standardisation (visible to the outside world) and little disruption. People accidentally using the old alias would still get their emails.
Changing the login name is where things get horrid. And for no real gain.
I would add the aliases (script). Check there are no issues over a few days. Then make the primary address the new format one.
Then I would raise the issues about the login. If 2ic is any good he'd realise that the good parts of his plan were done, and cancel the rest. If not then I would suggest that a 3rd part were hired to do the move or that it be done a few users every day, until complete (one letter of the alphabet a day perhaps). I would make sure HR had a copy of my recommendations on file, just in case I was overrules and it all went titsup.
I get that this is the total amount of time for all the users, but what difference does it make if you do them all in one go or do one a day for the next few months?
In fact, if he's forced into a corner about doing this, even after making the 2IC sign off on all the risk statements, etc. he should insist on doing a small number of more technically competent power users first and waiting a month to see what sort of issues they have. Choosing the more technically competent means:
1) he won't waste time reminding them their username changed when they call and say "I can't login to X" like will happen with the clueless ones
2) they will notice problems readily and can describe them properly
3) are more likely do the sort of things (personal scripts etc.) that can't easily be accounted for when assessing risk
4) probably perform more important functions, so if stuff breaks their inability to perform their job will quickly make its way up the chain to the top and the 2IC may be forced to reconsider this idea.
1. Document and inform of the risk
2. Create a transformation project, engage a consultant
3. Create a process, and a test, then re-assess risk
4. Request budget for change.
5. Create methods and scripts for PFYs to follow an implement
6. Await sign off from 2IC to approve the potential downfall of anything AD linked for the whim of a change, then either sit back knowing you've been vindicated because he backs out, or plough on and kick off the change project, knowing that the overtime is coming, and the "I told you so" moment will be glorious.
Yes, doing something you think is stupid and without purpose is frustrating, but if that's what the boss wants, just do it. After all, you'll be paid just the same as if you were doing something you consider useful. As others have said, CYA by sending an email detailing how long it will take and the potential pitfalls and asking for confirmation that you should still go ahead. If you get the confirmation and it is something that is possible and you are capable of doing it, then just do it to the best of your ability - what's the problem? Nobody is going to blame you for someone else's decision.
If you don't like doing things that you do not personally believe is necessary, then become self-employed or start your own company. Otherwise you are being paid to do whatever the boss wants you to do (within your job description), and unless you are a director, however you think the company should be run is irrelevant.
On the flip side, how would you like it if your subordinate or employee refused to do what you asked (or deliberately made it fail) because they thought your idea was stupid? Maybe the idea really is stupid - or maybe you have a bigger plan in mind that you don't want to disclose just yet.
You haven't spent much time working have you? Or are you still in school?
Yes, doing something you think is stupid and without purpose is frustrating, but if that's what the boss wants, just do it. .. then just do it to the best of your ability - what's the problem?
Some people are actually invested in and care about the firms they work for, and the stress screwups can cause their co-workers - whom they also care about. And if you're doing your job (eg making sure the IT keeps working smoothly), then you're pro-active about making sure that the systems you care for continue to work properly, even if that means introducing your boss to a bag of quicklime (El Reg, we really need that BOFH icon!)
Nobody is going to blame you for someone else's decision.
Yeah right. See the Naivety quote from GoodOldHarold..
On the flip side, how would you like it if your subordinate or employee refused to do what you asked (or deliberately made it fail) because they thought your idea was stupid?
I've had the priviledge of working for people who valued their employee's input, and have also been an employer myself. In both cases "This is stupid, you need to..." held the possibility of a pay rise, and potentially saved lives as well. I had a plan which seemed great to me, but had a flaw I could not see. Junior who had little experience was still able to see the flaw, and it saved a lot of hassle.
Any employee should be able to raise issues they see with a plan, and unless the issues they raise are really stupid, they should be discussed if necessary, or at least a polite explanation as to why there isn't an issue should be given. Granted, some people are too stupid for (polite) words, but if someone is well-meaning and their concern is reasonable, why not give them an ear?
I must be very lucky. My boss doesn't ask for stuff just for the hell of it.
But I did once have to deal with another head of another department, who kept dreaming up new ways to reward various forms of fundamentally bad behaviour under the colour of improving performance; only to return some weeks later with a better idea, having identified some issues with the present scheme that I had already told him about the first time he mentioned it.
If you really can't persuade someone that their really bad idea is a really bad idea, then you have to make damned sure you can fix any damage you might have caused while implementing their really bad idea under duress and under protest. That means at least one full backup and restore drill, just to prove you can; and another full backup immediately before you start, so you can go back to a known-working state.
And for the record, it is not only possible, but reasonably painless to change a user's login, under GNU/Linux NIS with all of /home on an NFS share. User rebecca logs out before lunch, user becky logs in after lunch. But I wouldn't do more than one at a time .....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
