
To the 2IC
My response to the 2IC "Go and redacted redacted redacted".
Substitute middle finger for the thumb...
Welcome again to On-Call, our regular Friday morning foray into readers' stories of being asked to do the right thing, for the wrong reason, at unspeakable times. This week, meet reader “Harold” who works as IT manager for an educational institution. Harold tells us that the institution has a simple scheme to allocate user …
I'd love to know what financially stable world some of the posters that frequent this forum are living in. A day doesn't go by where someone is suggesting that an actual paying job is simply abandoned because of a disagreement. Can someone let me know where all these replacement jobs are available?
" A day doesn't go by where someone is suggesting that an actual paying job is simply abandoned because of a disagreement. Can someone let me know where all these replacement jobs are available?"
Well everyone leaving a job because of a disagreement is freeing up a post so ...
It might be a merry-go-round of misery but at least we get to throw in some invective to leaven the drudgery.
IDK about anywhere else in the country, but in London and the SE you've only got to whack your CV up onto two or three job sites and buff up your LI profile and your phone will start ringing off the hook if you have any sort of real skills and experience. You can't literally walk out of one job and into another, but that's only because the interviewing and onboarding process takes so long in most organisations. Obviously you'll be looking longer if you've particular requirements for your employer, salary, length of commute etc etc.
"...and the SE you've only got to whack your CV up onto two or three job sites and buff up your LI profile and your phone will start ringing off the hook if you have any sort of real skills and experience."
Yeah, but 80% of the calls will be based on a keyword search that picked up something you last did in the 1990s, plus the vacancy will be right at the other end of the country.
Note to recruiters: As an IT Manager in West Sussex, I am not really interested in an electronic engineering position in Aberdeen.
I sympathise. I can imagine some recruitment droid in Toronto suggesting you just pop over from Vancouver but as I am now blighty based it is quite likely that a train journey from London to Brighton (approx 80km or 50 of your miles) could take in the region of five hours given the state of our railways south of the river at the moment.
I just got asked if I could come in to talk about a position in Atlanta, I live in Sofia, Bulgaria.
I'm a code monkey on the South Coast of Britain. A few months back, I got offered a piecework electronics assembly job in Seattle. Who says recruitment agents don't earn their crust[1]?
Vic.
[1] Me. That's who.
ISTR hearing* of an individual who registered with several different agencies on learning his role was potentially up for grabs. Meanwhile, perused Sits Vac for an alternative option.
Ultimately, found himself applying for what appeared (from advert) to be his dream role. His disappointment on discovering that it was actually the job he already held, but viewed through the rose tinted lenses of a recruitment droid, was tempered only by the discovery that meanwhile his boss had selected his own (anonymised and "edited" by the recruitment agency) CV for interview at 1.5 times his current salary to replace himself in his own job.
*Possibly apocryphally
ISTR hearing* of an individual who registered with several different agencies on learning his role was potentially up for grabs. Meanwhile, perused Sits Vac for an alternative option.
There was a BOFH episode that did this a few years back. I can't find it despite 20mins with Google and a few downloads of archives of episodes, but IIRC basically the bofh started looking for a new job as a way to get a pay rise, and the boss decided "2 can play at that game" and found someone "only slightly more expensive". Ends with the bofh taking a last look at the building he'd worked in for so long, before walking back into the lobby and saying he's the new sysadmin (or whatever the role was)
[Edit : see https://www.andrews.edu/~freeman/bofh/bofh12jun.html for a copy. The older archives El Reg links to are no longer working, site down. Episode title is "Looking for new challenges, or just more dosh, the BOFH risks it all in the agency shark pool" on a couple of versions I've found]
(Hey, didn't we used to have a BOFH icon? We need one.)
Well I live and work in the heart of Silicon Valley, this fantasy of walking straight out of one job into another might work for 20 yr olds who are willing to work themselves to death but for anyone who actually wants to be paid for their real skills and experience it simply doesn't exist.
Hello:
"Harold should find another place to work."
Quite so ...
But as this obviously has a cost for Harold, in his resignation he should include (and in no uncertain terms) the reason why he is resigning, sending a copy to all other parties ie: the 1IC and all board members.
Cheers.
"sending a copy to all other parties ie: the 1IC and all board members."
I did that one place I walked out of (made sure I had a job to walk into though) - it was politely swept under the carpet before anyone could say anything. Although apparently a few months later they had an impromptu IT audit instigated by one of the governors....
A huge pain to change that could have been avoided by using the first two letters of everyone's first name and a unique four, five or six digit employee number. As Dept.'s/Businesses grow a three letter naming scheme based on names can run out of unique possibilities quickly.
I'm not trying to call out the submitter, but if there is any expectation of growth there are better naming schemes.
Anyone who thinks such a renaming is a worthy use of time shouldn't be let near an organization.
Oh, I can think of several organisations they should be allowed to enter. Many contain the words "Mental Health".
He'd do well at any government organisation come end of financial year, when they have a ton of money they haven't spent and need to dispose of into a worthless black hole.
This comment stood out to me as being too true. Some people engineer awkward situations as a means of control
I recently left a job as Head of Tech at a husband / wife owned shop where the wife overruled almost every decision I made because back in the 90s she was CTO at some bank and knew best. The typical week goes
Monday
Boss: We need this and this, what do we need and how long will it take to make happen?
Me: 3 days to create, a couple for QA and then on Friday we can watch the rollout for stability
Wife: That should only take about...a day TOPS
Boss: Get it done or you're fired
Me: I could get this part done by today but, we definitely shouldn't use it in production
Tuesday
Me: It's done but, there are some catches which could be dangerous. Don't use x and y until I say so
Boss: Great, put it up
Wife: *Uses the thing I told her not to*
Boss: Why is it F'ing broken!?!?
Wife: His stuff always breaks, utterly shit
Me: I'll get it fixed, seems that x and y were used despite being told otherwise
Wife: Hurry and get it fixed
*Spend half the day fixing problem wife caused*
Wednesday
Me: OK, by the end of today, x will be done. Please DO NOT use x until I say so
Wife: Excellent. *Uses x right before boss checks*
Me: Are you kidding? *stays late to complete*
Thursday
Me: *Gets work done, sends email to both letting them know that it is done but, needs a day QA*
Wife: It should be good enough
Boss: I expected this to be done by Tuesday, why do I always have to F'ing do everything myself?
Me: I stated (with business interests first) what we should have done and how to approach it. Things got complicated when rushing. To stop it happening in the future, I've put in this step we should all follow to make sure the whole process is clear
Boss: This is my f***ing company and it makes profit because of the way I manage it. Do you think you could run this company better than me?
Me: *Bites tongue*
Friday
*Without the necessary QA done, inevitably an error occurs*
Wife: I thought you said it was done. You set such bad expectations and the results are s**t
Me: Let me get this fixed first and then we'll talk. *Fix* It happened because x wasn't covered in the limited tests we had time to do after being rushed. Enjoy the weekend
Of course Harold can also break protocol and bypass 2IC...
He'd be out of a job. As a tech, he's a pleb to the academia and he should do as he's told as they know best.
No, I'd get the steps written down, detail the risk very explicitly, add a good 15 minutes per user as contingency, including a statement that this change is so important that it overrides all his other tasks and that more time may be needed in case of conversion failure and get it signed off by that 2IC so that the tech has both his back covered and he has someone to point to when someone objects to the next step:
Executing this. At 45mins per user I reckon you can slot in a couple of pub visits in the process and still remain on schedule, especially if you find a way to automate it. You can reject any other calls on your time as it's a priority, referring to The Right Honourable twat (RHT) who gave the order. Where possible, you should find a reason to down the AD for 5 minutes for every single change as well - quite simply maximise the pain, and divert your phone to the RHT because you have to focus on getting this done.
I reckon the RHT won't even last a *day* - I'd make that a personal challenge.
Beware of pissing off IT staff with a creative mind. I got a whole government to agree not to make us log its own traffic by some creative filtering. We didn't want the hassle and cost of storage so I took a look at the traffic proxy of the beta, picked out, er, "interesting" sites and took a printout of that sample with me to the next tech board meeting and had a quiet word with the government project manager beforehand whose face took on an interesting shade of red when he read the one sheet (and was told by me that there were "loads" of these in the logs). Naturally, I could not possibly know about a crime research exercise by one of the participants (*cough* fellow admins in the pub *cough*) and by his reaction, *he* certainly didn't, grin.
Not entirely unexpected, that logging requirement was dropped in that same meeting "to ensure we met our challenging deadlines" :).
I agree that he should get confirmation, in writing, that the 2IC is ordering this change and accepts that:
* It will take X time per user account,
* May break things (risk assess it),
* Will not be able to be interrupted during the process, so all other jobs to be on hold,
* He will accept responsibility for any down time or unintended consequences of this (pointless and stupid) change.
Ensure that, in the confirmation, he makes clear his reluctance to do it and belief that the risks outweigh the "benefits".
Then he should get on with the job. His arse is covered in case of problems, but if the boss tells you to do something, you either do it or look for work elsewhere.
I agree that he should get confirmation, in writing, that the 2IC is ordering this change and accepts that:
Absolutely. 2IC wants this, 2IC needs to take ownership of the consequences, including costs and Harold's time.
The clever BOFH makes sure that the consequences of Management actions fall where they should.
Also need to factor in time for informing current users of new user names and taking support calls for, if I've read this right, dealing with the calls and conflicts now that middle initials are not used and certain common combinations of initials are shared by multiple staff. And also for users who never type in their username then find that the one that magically appears in the username field has stopped working.
Yes spot on. The best answer to a daft idea handed down from above is a detailed implementation plan showing the numerous risks and high cost. The latter being calibrated to how daft the idea really is: if it's only a bit daft, maybe you'd happily do it in exchange for padding your budget a little.
The management types may imagine they're in charge, but really the only people who can control whether something happens or not are the people who actually know how to do it.
First you have to get the RHT to actually write it down. I had a manager ask me to basically reorganise my team to favour one person (newest personal recruit, personal friend of the director). I told him it basically changed the job role of 3 people, and that I needed it in writing. At which point he would look at his watch, go "Oh dear, I need to be somewhere" and skip out. This was followed by all of my own improvement initiatives being blocked based on something-or-other. (Repeat for 6 months).
My end game was to divvy up work based on the lowest common denominator (the newest recruit) and write prescriptive job taskings for everyone (I was being accused of bias against new recruit, so had to show I was treating everyone the same). Half the team left, they got in a new team lead after 6 months, then the other half of the team left (including me). The manager and director got booted at the next reorg due to high staff turnover.
Lesson; management hold the reins on tasking and can make your life more uncomfortable than you can make theirs. They can also blame faults from their lack of support, on you, because they are in those circles and you aren't. The only influence you can have is on metrics they are evaluated by that you don't control (staff turnover, morale etc).
I am not friends with anyone on Facebook from that job. Pity, I was there 11 years but the last 2 I would rather forget.
Oh no, I'd be eager to execute this as a priority once I had it in writing, it would be fun!
After all, once you've explained the risk and are overridden by The Man/Woman In Charge But Without A Clue you can basically cause all the havoc you've explained in your comments - you gave the warning, after all. Invest a couple of days in causing as much havoc as you can explain away and the next time they may listen when you advise them it's not a good idea.
:)
To be honest, this is elementary BOFH behaviour. If a manager asks for something gibberingly stupid, then get everything documented then go about the task in a safe manner which will also cause the maximum pain, delay and annoyance to as many other users as possible, whilst being certain to use the name of the original fuckwit in the title of the plan.
The BOFH himself thereafter does not need to trouble to inflict further punishment on the fuckwit; said idiot's colleagues will conspire to mete out punishment as much and as frequently as they are able.
Yup, make sure you have a full trail of supporting evidence, and then go about the task methodically and with total focus. That way when all the stuff that is actually important comes along and has to be put aside as you're too busy with the jobsworth crap, you can lay the blame exactly where it should be and cover yourself as doing exactly what you were told to do.
Either that or use the army method of just prevaricating and waiting for the countermanding order to arrive...
Yes that army method is a good one in a lot of corporate situations. Just assure everyone that it's under control and you'll be right onto it just as soon as your other urgent tasks are completed; and repeat until the idea's either forgotten, or rendered irrelevant by the next re-org.
Works especially well on morning "I can't log in" or "My PC isn't working" type calls, an hour later you wander over to see how they're doing and you find they'd either forgotten to switch something on (PC, Monitor etc) or switch something off (ie Caps Lock) or they've actually properly checked and re-plugged in the cables.
If a manager asks for something gibberingly stupid, then get everything documented then go about the task in a safe manner
I was contracting a few years back. One particular customer had a tendency to think up some half-baked "solution" to a problem that would take me twice as long to do as a more conventional approach, but be fraught with problems. I tried the arguing cost/benefit with him, to no avail.
Eventually, I hit on the correct approach: smile broadly, and say "Certainly, Sir. Just put the details down in an email and I'll get right on it". After the first couple of pratfalls, he started to recognise my coded language for "that's barking and will fail miserably".
I had no need to sabotage anything - he just was that bad...
Vic.
Not to mention that could break a number of scripts, web pages, etc. that are set-up to do something specific for a specific user.
Once a username has been assigned, it is impossible to change it without risking to leave something not working, and the repercussions could be found only years after the change.
I once ran a system that would die horribly if anyone tried to remove or rename the account of one of the previous sysadmins. Nobody could work out why the machine dived every time they tried, so they had to leave the account on the system in a disabled state.
My systems are built to something I've called the "V'Ger Rule" - a machine must continue to operate in a correct and safe manner in the absence of its Creator.
Put another way:
1. No blowing up any spaceships ;
2. No joyriding in Carbon Units ;
3. Fat, balding starship captains are to be shot on sight, especially ones that follow the "If you can't eat it, drink it, steal it, spend it or have sex with it, blow it up" mantra.
Harold's boss sounds too much like a Kirk Unit, making such demands.
Nineteen up votes for something that should not happen on a Unix like system? There are reasons why internally user numbers are used not names. You just found one of them. In a company (and many other places) a user is a functionary and the person performing that function can change. That should require only one table entry to change and only two fields in that. I have never understood why people have moved away from this.
Nineteen up votes for something that should not happen on a Unix like system?
And why exactly do you think that's the case? In a lot of situations, including Harold's, there's all kinds of links with other systems, such as redacted, redacted and redacted. Those links may be based on user IDs, named tokens, user-associated keys, you name (harhar) it.
"Those links may be based on user IDs, named tokens, user-associated keys, you name (harhar) it."
If you're basing scripts etc on specific AD user names, then you're an idiot. Full stop. There's no sane reason to do so - use a group membership or something, for precisely this reason. New users appear all the time, but user roles don't change much and tend to cover lots of people. Use them.
What, exactly, does the submitting IT manager do when there's a new member of staff? Goes and drums up a new version of every single script for the sake of each new hire, and then builds and names a laptop specifically for that person, with an asset tag based on that user's name? Then manually produces every single link between systems for that user account? That isn't IT, that's manual labour with a computer. I wouldn't be surprised if they were manually copying users' Outlook signatures in individually, given the other bad practices in place here. As to the other links, learn to use LDAP and ADFS. Unsurprisingly, the idea of having to convert username on system X to different username on system Y has come up before and will come up again, as has the idea that one might want multiple systems to be drawing from a single directory.
Frankly, this problem sounds largely self-inflicted - the use of 3-character usernames to begin with is not a good idea as it doesn't scale past about 18,000 possible combinations (tiny for a university, and less than 20 years churn for a mid-sized college or school). Meanwhile, it looks like the interplay between systems has been designed with more-or-less zero automation. That's also not really excusable these days when there's so many tools available to get round it. Yes, it's education, so they're not exactly cutting-edge and swimming in budget, but still, this doesn't sound as hugely challenging as the contributor is making out.
In an ideal world, you're totally correct. However, whilst I'm sure that every one of us sets our own systems up properly, if you've inherited any system, or had a system installed that syncs to your users by anyone other than yourself, I'm prepared to bet that there will be something undocumented waiting to trip you up later on... It might even be something you've done yourself, which, for whatever reason, hasn't been documented and you've forgotten about. I know it shouldn't happen, but the man who makes no mistakes makes nothing...
Well, at least there is method to the madness...
10 hours to pub o'clock and counting. Have a nice weekend everyone; here's a little something to cheer you up.
As a contractor, a very familiar situation.
Time to ask the "what colour do you want the new SQL data base" type question.
Just do it,
but
as you have outlined it's a large amount of extra work with extra risk, and you're already busy,
Present overtime authorisation forms before you do the work,
and remember to thank them
and to have a good Christmas.
Ah, the joys of the "blame the contractor" game. My current bugbear with that one is the change management team at my current contract, who are so risk averse that they have become Mordac.
They asked me for a rollback plan for a server reboot last week, and were less than amused when I told them that they would need to approve my change request for a flux capacitor first if they wanted a rollback plan for this change request. We're currently rebooting servers when we need to and putting in retrospective change requests, on the "better to ask forgiveness than permission" basis.
Only the rinky dinkiest of operations I've worked at have used names, initials or any permutation thereof for logins. Everywhere else it's always been based on some kind of unique identifier, be it staff code or employee ID or whatever you choose to call it.
I'd suggest that the author push back and recommend that mechanism instead, as it rules out the possibility of duplicates. If staff codes are not in place yet, make it HR's problem to cook up such a scheme - that should put the project on the back burner for at least a month.
Also, those 20 hours could certainly be spent more productively developing scripts to make the relevant changes - this might also lead to the development of tools to significantly automate user management workflow in future.
For better or worse, usually worse, it's common practice in large chunks of UK education. I've been trying to move my place away from using initials as usernames for years because it doesn't scale. There _are_ collisions and people do want to change their username/initials when they get married or divorced or whatever and it causes bedlam in many systems that link to AD account by username string instead of GUID.
When I worked in Academia, we used to have <classname ID><initials> as the login ID; e.g. Computer Science 2nd year Bob Smith would be cs2bs.
Caused havoc with clashes (manually managed), people changing courses mid year (there was considerable overlap between computing & business computing, so some students could and did switch courses) and of course we'd go through the same rigmarole over summer as students went up a year. We ended up going for their matriculation ID (7 digits) prefaced by u (undergrad) or p (post grad) as Solaris/NIS at the time didn't cope well with all digit usernames. This had the advantage of (a) being unique and (b) not needing updated every year.
Thankfully all the account creation was scripted, all I had to do was feed in a list of real names & login IDs and it created the accounts, gave it a random password and printed a "new login" sheet for the lecturers to hand out.
When I worked in Academia, we used to have <classname ID><initials> as the login ID; e.g. Computer Science 2nd year Bob Smith would be cs2bs.
When I was at Uni the computer centre used to have everything automated. All usernames were XXXXnnnn, so they started with AAAA0000 and incremented until, presumably, ZZZZ9999. Once you got an ID it followed you for years, so each year they would run a script to create the next set of logins for the freshman entrants.
Fortunately they did it mechanically, so if they expected around 180 new students they ran off 200 IDs. This meant that the last 20 or so were created but unassigned, giving those of us who'd figured out the system access to lots more free storage & CPU credits for personal projects. Of course it helped that the initial passwords were also mechanically generated...
All usernames were XXXXnnnn, so they started with AAAA0000 and incremented until, presumably, ZZZZ9999. Once you got an ID it followed you for years,
A0RQ000 :-)
Some things, you never forget. I had a work study job at the Computing Center, so I had unlimited free time and storage, and my login didn't expire at the end of every semester.
Rob - you are right - the problem with usernames and people's personal lives are HR.
Marriage can cause problems when a username incorporates their maiden name, but the biggest problem is divorce, when they absolutely want to get rid of their previous surname from aspects of company business including their AD account and SQL databases.
It is also not pleasant when previous documents that had been written by said persons include their path/user/full name on the footers of documents of years gone by and requested (ordered by HR) that these are updated by IT. No f*cking way.
Similar at our site (a lab); we're not that big, only a few hundred IDs. What we generally do is first 2 letters of Christian name and first 2 letters of surname, unless there is a conflict then we might go with 2 and 3, etc. We have got lots of foreign users (until BREXIT of course when they all get sent home) and occasionally our naming convention has given a user a "rude" word in their language!
and occasionally our naming convention has given a user a "rude" word in their language!
I remember reading many years ago of a Uni or ISP or something that used 1st 5 letters of surname then first 2 letters of first name, so a lady named "Megan Cummins" became cuminme@...
NSFW Warning : be very careful searching for this! ;)
I can't find the original article on a quick search (was probably last century some time I read it), and the sort of results coming up put me off searching further (see icon).
When I was doing my OE (a decade and a half ago) in London (when I first discovered el Reg!) we had the [7 of surname][first initial]
Nicola Burfoot would happily ring the helpdesk with "Hi, Burfoon here...."
Gerry Grimshaw (a woman approaching retirement age) was less impressed.
Logon with name is nice. So is a system that remembers user name. I think it isn't a big risk - although it's another matter for e-mail addresses and spear phishing, you probably want a random number on those - otherwise it's the passwords that need to be secret. And short names are good.
Tip that I read somewhere: spam tools typically will just not send to an address that contains the term "spam", such as "robert.hates.spam" or "rc.nospam.thankyou", so if that is your actual address then you won't be bothered. It was said that they also avoid the ".mil" domain - you can see that point of view but it's quite a drastic remedy.
So anyway: are those accounts based on forenames? Maybe I have a blind spot for this, I can't think of names beginning with Boo, except for Boo Radley. And Booker T. Washington. Who is quite famous.
I am also stuck for the other names. I promise I am not trying to social engineer your hospital.
I suppose that the NHS has a lot of Gastarbeiter with names that are unfamiliar in common English, but would those workers get the joke?
I'm stuck on what those 3+1 NHS usernames could have been too. Plenty of other unfortunate possibilities spring freely to mind... Rachael & Wanda Knowles, Aiden Smith, Percy, Cliff, Benjamin & Scarlett Turner, etc. Poor Shirley Temple would have had a shitty time there... but Cock, Boob and Turd have beaten me. Maybe it was three of surname then initial?
Hope OP comes back to put us out of our mystery, and so half of Nigeria can spearfish his hospital.
Spam tools spam the .mil TLD. Thing is, DoD email naming conventions make no sense and change all the time. It's partially security through obscurity. Every now and then I'd get one, but it wasn't often.
It's also that DISA and the service departments are pretty good at making sure Lt. Jackov, Private Fuckwit, Airman Shitbird, and Petty Officer Tunaboat rarely see spam messages because they can and do proactively monitor incoming email along with Counterintelligence/Security and Force Protection.
It's just being practical. If you make username something like Firstname[.MI].Surname*:
- users are going to remember it
- it can match their email name
- logging/listing is readable and doesn't need an additional translation step all the time.
But, yes, there could be an issue of duplication. But the question is, how likely is duplication within a reasonable time-frame?
Initials are more likely to clash, but in some countries, in a small, stable organization, not so likely.
Only the rinky dinkiest of operations I've worked at have used names, initials or any permutation thereof for logins. Everywhere else it's always been based on some kind of unique identifier, be it staff code or employee ID or whatever you choose to call it.
Really? I've worked at orgs from 20 people up to 300,000, and only the one 300,000-strong organisation used anything other than username. Current employer has ~ 5000 and uses names. Two or three places back, employer had ~50,000 staff and used names.
Upvoted for same.
Work for an enormous multinational with ~120,000 employees, who until a 'normalisation exercise' and AD move a couple of months ago used a combination (due to buyouts / mergers etc.) of:
- staff number + initials (i.e 710718bjr)
- first 3 of first name + first 3 of last name (i.e. Dave Smith = davsmi, with a number appended for duplicates)
- first initial + surname (with appended number for duplicates)
We have now moved to a uniform of [firstname].{optional: middle initial}.[surname]{optional number for duplicates if middle initial doesn't differentiate}. This matches the email alias on the corporate Exchange server.
It gets confusing when some part of the system references user names with the family name first - but others require it as family name last. It's surprising how many people have names that can look valid in either order. eg James Alan. Not to mention people who have unfamiliar foreign names - or have a culture that uses the family name first.
"We have now moved to a uniform of [firstname].{optional: middle initial}.[surname]{optional number for duplicates if middle initial doesn't differentiate}. This matches the email alias on the corporate Exchange server."
The problem with this kind of thing is when you use it for email too.
My name is particularly common - there are at least 100 ABrowns across the organisation and at least a dozen with the same middle initial. Unsurprisingly I get a _lot_ of mail intended for other ABrowns
Still not as bad as one place I worked: We had 3 Alan Gr[ae]ys within 30 feet of each other and a dozen other Alans in the laboratory - all colours covered.
>Only the rinky dinkiest of operations I've worked at have used names, initials or any permutation thereof for logins.
Interesting. I've never worked anywhere that does not use names or initials for usernames and while some have been "rinky dink" setups others have been globals where individual project costs would reach billions of dollars. There have been a couple of 3rd party applications where usernames were account numbers but in both cases I can think of these were shared logins (tut tut).
A proper UID is something I'd find more pleasing from a geek point of view but I suspect it isn't what people (apparently users are people) want.
I could certainly see it being disagreeable for Windows shops where email addresses are increasingly used for login. (Or at least where UPN is used for login and it is desirable for UPN to equal primary email address).
How is the UID <-> human name translation handled for reporting? Separate lookup table of some sort or custom fields in an existing user directory?
I love this. There is some serious expertise in corporate guerrilla warfare amongst the Reg commentariat. This is the 3rd or 4th different subversion strategy that I've seen in just the first half page of comments. This one is perhaps the most subtle so far. A two-pronged attack of undermining the plan by "improving" it, and delaying it by yoking it to a web of external dependencies. You magnificent bastards.
" the kind of change that can only really be done out of hours and hence at a nice overtime rate. Then script the bejesus out of it."
Such cynical thinking. And precisely the thinking that first occurred to me.
If it has to be done then scripting it is surely the only way to stay sane through the process. But that shouldn't make it cheaper - we don't want to encourage this sort of nonsense after all.
Any naming scheme will end in duplicates, it's unavoidable.
Oh, and Harold's a twat:
Rename the user in Active Directory - Yes.
Update roaming profile and home directory to match - Unnecessary, you could do that at the end of the year, or in one massive script as a one-off.
Update e-mail alias in Exchange - No. You ADD the alias, keeping the other. If you do it right, one script at worst.
Synchronise with <anything> - should be automatic or one-click for anything even vaguely useful, or else is Harold having to resync every single time he adds or changes any single user?
Rename laptops and map those changes to Active Directory - What the hell? No.
Synchronise the new computer name with redacted - No.
Worry about other systems, such as redacted, not merging their user tracking logs - Worry about that when you need to query logs, that's an issue for IT not anyone else and won't affect anything.
Lose the will to live - I just did.
Seriously, junk like this is why people hate IT.
Sure, it's a horrible, unnecessary job, but it's not that bad at all. Give it a day for all users, alongside all your other tasks - done. There'll be a few outliers and oddballs, but that was always going to happen.
But "I've got to rename all the laptops and, ohmigosh, press Resync on a few services?" - Yes.
20 minutes per user? Like hell. Maybe several hours for ALL users but if you're a school you're looking at what? 500-1500 users depending on the school? That's not going to take you 500 hours. It's ALL going to take you about 4-5 hours plus tweaks for oddballs.
What the hell is Harold's background? A paid-by-the-hour, can-only-use-Microsoft-tools-because-I-know-nothing-else consultant? One script. If it took you a week to write while you argued it out and tested it, it'd take a few hours to run at worst.
Move 'old-user-name-profile-folder' 'new-user-name-profile-folder' (Batch or Powershell, it wouldn't even move the data, just rename the folder, so it would be quite quick)
Update AD with new username (ADModify.net)
Update Exchange with new alias (Powershell).
Press Resync on a handful of services.
Clear up the mess.
Happens all the time in Education circles (and medical establishments for that matter) - They think that because they've managed to get a post as a teacher then they're better than the ancillary staff and as such treat them as morons, and forget about any sort of funding unless it's one of their ideas (meaning they've probably specced up some utter shite and are merrily paying through the nose for it).
Many systems and services will throw anomalies regardless of the potential scripting of changes to AD. AD is essentially just a database after all.
All the potty little applications, scripts, possibly including payroll and timesheet systems, incident ticketing systems and a host of others are likely to throw mismatches and cause chaos, albeit potentially for OTHER people for months.
This sort of change is only trivial and scriptable if you think of nothing but the AD service in front of you and park the thought of services that it supports and the various, ill thought out but impossible to change, methods of integrating with it.
Harold is now in the wrong on this.
- Presented with a bad idea from a superior and made a case against it - correct
- Refused to do it and left things in a 'stalemate' for months - so, so wrong
The correct course of action would be to formally log your objections and ensure that you have given an accurate estimate of the time it will take and the issues it will cause. If you are still instructed to do it (in writing) having provided this information, so be it. Do it. You have your get-out-of-jail-free card when it does all go wrong. If things go wrong, your get-out-of-jail-free card is ignored and you are punished, call a lawyer. If you can't deal with that, leave now.
The reality is that if the 2IC gives you an instruction, unless you are the 1IC, it is your responsibility to do it (bar stuff that is totally irresponsible/illegal to do). There could very well be reasons beyond your paygrade for being asked to do it that you are not aware of and it isn't your superior's responsibility to have to explain that to you. If Harold hasn't been fired yet, I expect it's because they're still looking for his replacement.
The problem here is that the task, while risky and stupid, is achievable.
A diligent and skilled SysAdmin (despite warnings of possible consequences should it go wrong) manages to complete the task without any major incident. Said 2IC then boasts of the success, which then gives him ideas on even more stupid and risky plans until eventually it does go all kablooey.
At which point the SysAdmin gets the blame for fucking it up this time.
Yes, let's bend over for every vanity project. To hell with any other important tech issues that arise.
Just because someone managed to blag their way to senior management, does not mean that they are qualified for the job.
Undertaking major changes to core systems on the whim of a boss is risky and sets a dangerous precedent.
I agree that the changes are do-able but if they don't want to engage in a proper project plan then be prepared for them to throw you under the bus the first chance they get.
The large US Corp that took over my small UK one eventually(*) imposed their standard for single sign on names which was the first 4 letters of the surname, followed by the first 2 letters of first name. (No idea what they did with all the SMITJOs.) One of our users became FELLCH because of this. Oh the fun explaining the problem with that to the US management. [Those who don't see the problem should consult the Urban Dictionary, although the entry has only one L.]
(*) After I'd worked my notice.
We once had a director that decided that to avoid problems with duped usernames, we would use the first 4 letters of the first name, and the last four letters of the last name...
carlhell was one of the permutations... Don't get me started on Asian names which may have only 3 letters in the first and last name.... or worse yet only 2 letters...
"Don't get me started on Asian names which may have only 3 letters in the first and last name.... or worse yet only 2 letters..."
Interesting read here: https://www.w3.org/International/questions/qa-personal-names
Worth pointing out to anyone who has ....erm...bright...ideas about naming schemes.
The list is missing some very key points
13. database backups have to be done outside of office hours because everyone knows you can't back up databases whilst people are using them.
14. there are several databases that need backing up.
15. the actual switching over of user accounts following the backup has to be done outside office hours. Probably a weekend. You can't remote in to do this so the building will need to be open. This now involves at least a caretaker opening up for you and turning off the alarms. If you can get the caretaker to say they're not available, a senior member of staff may have to be inconvenienced. Won't work if your building is already 24/7 but worth a shot.
16. the risk matrix says doing this just before Xmas would be a bad idea, earliest point it can be done is the new year.
17. because of the size of the databases (you can pretend to discover this after you've been absolutely forced to do the work) means you need to order some new kit. At the very least some large external drives, possibly also some (additional) cloud storage, maybe even software. And if you really want to postpone the work, an industrial espionage proof top of the range secure laptop for backup storage and transportation. Also a fireproof safe to keep the laptop in. And one of those biometric eye-scanners to lock the room the safe containing the laptop is in.
18. in the unlikely event you get all that (because your boss is even more bloody minded than you are) or if you are forced to go ahead without all that kit (more likely) then do the work. Insist on overtime at the very minimum. And then, come Monday, make sure the system isn't ready and working. Prep a room as full of cables and flashing lights on important looking boxes as you can. Explain there's a hitch/problem/issue. You can keep this up for a while I'm sure. Once you've run out of excuses then it's a question of time. Might be an hour.. might be a couple, the spinner / bar / countdown timer / other thing that might provide an idea of when it will be ready has stopped. Might be stuck on a large file or maybe the bandwidth is flooded. When there's absolutely nothing else you can do and you're being told to phone Microsoft/God/IT Support somewhere, make sure your support is in a time zone that isn't awake for several hours yet. That support may need to escalate several times. You can easily wait days for Canadian support to move from T1 to T3. If you're in Canada, make sure everyone knows your support is in Australia.
19. Always, always.. make sure you can put your own preferred system back on incredibly easily, after all the mess is because of management, you're the good guy in all of this.
We have to rename users e.g. for Marriage + Religious Conversion (and many HR onboarding errors - grr!). But the knock on effect to 3rd party systems (Cloud) is a major PITB. Still failing to persuade the "powers that be" that a new user name format is needed - basic don't change the value of DB Primary Key stuff
Notwithstanding the PIA work in changing, from a user PoV I can see the sense in not having strict rules for email addresses. A couple of friends use their middle names because they hate their first names - so they are pissed off every day by having email addresses in their hated names due to company policy which just plucks names from the HR d/b and is cast in iron from that point on. A colleague who hails from somewhere east goes by his surname all the time, except with his mum, because his given name is about 30 characters long - yet in his first job his email address was namesurname@server.com. They had to change it eventually because back in the day some systems wouldn't take addresses >32 characters and, frankly, some people were ignoring the mails because they didn't know anyone called that.
For me, from a practical PoV, it's always good to be able to read the mail and see who it's going to by checking the email address. You know - when you're sending that sensitive mail and this time you really do check all the addresses individually (not the alias from the address book) before hitting send to avoid all that embarrassment (again).
Strict naming conventions can be both a help and a hindrance. Automation loves it, up until it breaks.
However, these people do have an option available to them, the same one as my ex-wife took. Her employer insisted that their legal name be used on all official communications. Her given name was Christine, her grandmother's name, which she always felt was stuffy and old fashioned. Everyone called her Chrissy, but work wouldn't allow it... Until she changed her name by deed poll.
If you really hate your name, that's the best option. If you just dislike it and don't want the hassle, suck it up.
If I remember this correctly, in UK common law your official name is simply that by which you are usually known, which does not have to be the one on your birth certificate. Regular use could be sufficient. An advert in the local paper puts an official seal on it and deed poll is not essential. However this tends not to hold much sway with the various organisations who demand proof of identity. I did a quick Google search which confirms some of this
See, https://www.citizensadvice.org.uk/relationships/birth-certificates-and-changing-your-name/changing-your-name/
or https://www.quora.com/Is-it-possible-to-legally-change-your-surname-If-so-how-difficult-is-the-process
Company I work for gives new hires a form for firstname, lastname and optional nickname. It's made clear that email addresses will be first.last unless a nickname is given, in which case it will be nick.last. Works very well, William Smith can be bill.smith if he prefers, an Asian employee who has adopted a western first name can be correctly Yingtong Iddleipo in HR but susan.iddleipo in email, etc.
It still throws up some issues for cultures like France, where the tradition is to put LASTNAME,Firstname on forms and some people don't read the instructions, but...
I'm one of those people that go by their middle name. I haven't had any problems getting companies I've worked for to honor my preferences until the latest company I ended up at through a corporate acquisition. It took me four months to get them to correct the problem.
Whenever I have people that are expecting a baby tell me they are going to call their children by their middle names I tell them I know from personal experience that's nothing but trouble and if they want to call their child by a specific name then make that the child's first name.
You could consider refusing, under the statement that you are employed to keep their IT systems working in an optimal state, and this procedure could easily have unknown knock on effects.
I can at least imagine an increased workload from people not knowing their usernames for at least 2 months.
You could consider refusing
Won't work. These people tend to think they know better, as if, for instance, a degree in English Literature somehow magically also conveys the insight to have a clue about IT. I've seen it a lot.
I have my own comeback. I joined Mensa specifically to piss off such people* :)
* No, seriously. I've never really found another use for the membership. I'm not a clubby sort of person, nor do I think that being good at logic puzzles somehow elevates me above the crowd. There are people who do far more impressive things than me, and when helping them is when I really enjoy my profession.
I just found it an interesting exercise. As a foreigner I'd never heard of them, and when someone suggested it I thought "oh well, why not" and just did the test, just out of curiosity. To me it wasn't a big deal (as I said before, I'm not big on chest thumping for belonging to a club), but it annoyed the guy I was working for and that made it worth it for a while.
As for your "invite" - I gather you didn't get her hint then?
(sorry, weekend and all that :) ).
Joined when I was a young teenager ( a long long time ago) but when I met the other, mostly adult, members at meetings they were some of the dullest people you could imagine. Once they'd finished discussing their IQ scores they didn't seem to have anything to say. Still it got me my first visit away from home without my parents, all the way down to London - to the annual MENSA party or something of that sort. And I'm pretty sure if it had turned to an orgy I'd have noticed something (?)
"And I'm pretty sure if it had turned to an orgy I'd have noticed something (?)"
My impression was that the orgies were spin-offs involving people from a local group. Usually only the husband in a couple was a member of MENSA. Any women were usually single.
This was round the time when swingers parties made the "car keys in a bowl" a national meme. So-called "open marriages" were also a trend.
I remember going to a university social gathering with a couple I knew - "Bob" and "Carol". It was fairly obvious that many of the staff were running shotgun on their wives who came to talk to me.*** The next day the head of department enquired if "Carol" was my girlfriend or "Bob's" girlfriend. "Oh - that is Bob's wife". I could have added "I'm just the lodger".
***In my younger days there were times when I was a sheep in wolf's clothing. Lindsay Anderson's "O Lucky Man" strikes some chords.
I'd suggest that you ask to be allowed to do a test of the change to be sure that you've "properly setup your procedures and documentation for the changes to go through without impacting normal operations" etc etc.
Then take his computer off him and practice the rename on it.
Or if he sees through that one, get him to authorise a test machine set up.
Either way, I'll hazard a guess that the changeover takes more time than expected and you can quote that in the job costing. Worst case - at least you've had the practice.
No, absolutely no-one ... Even in big IT corporation, you only have a single chap out of thousands of IT people that can differentiate between login, first name, second name, display name ...
I was once in a company using X.500 directory for emails. Names displayed were "second name, first name" whenever looking up in the email directory.
And there was this chap called Pierre (first name) François (second name) working as a designer, and his alter ego called François (first name) Pierre (second name) being an HR director.
And there was this nutball VP assistant picking up the wrong address for sending a file named "factory_redondancy_list.xls" (they're all XLS aren't they ?) and crying foul to the (me) mail admin that the X.500 directory needs to be sorted by order of (people) importance.
Good (not) times it was ...
He is the sysadmin!
Boss wants names changes? Names change!
Now get to it.
Not happy? Write up exactly what the problems are, what the consequences are and demand feedback. Maybe propose to hire two "tuners" to do it during a week or so.
If boss still says go do it, go do it. It's not a fucking democracy.
Are we now at the point in history where sysadmins start to publicly moan about having to do their job?
If this kind of thing is difficult to do, then there is indication that a lot of base work has not been done yet.
When I had a boss (I'm now self employed), I used to consider it a part of my job remit to let the boss (who is usually obsessed with not wasting money) know when one of their decisions was technically incompetent to the point of wasting the company huge amounts of money. As the boss is the boss and not a techie, they would not necessarily understand the technical debt or other repercussions of what they are asking for, and it is my place to tell them - especially if there is not enough slack in the dept to do the work whilst maintaining the sacrosanct "BAU" (Business As Usual)
Blindly following a non-technical incompetent is not, imho, showing due diligence to the company.
If boss still says go do it, go do it. It's not a fucking democracy.
We had a dick like that in a factory I worked in. I wanted to take my machines out of action for a day to do some serious maintenance and tuning before starting a very large order. In terms of downtime it would've cost maybe as much as a couple of grand, both in lost productivity and in the time of myself and one of the co-workers. Parts and other stuff (lubricants and cleaners) would've been between another $50-100.
But no. Had to do that job NOW!.
Guess what? We had to do that job. Twice. The whole order was rejected because, simply, the machine was out of spec and needed maintenance. Therefore the parts the machine made were out of spec. Fractionally, but enough that they didn't fit. So we lost the whole first batch (well over $30k worth of work), plus some wonderful bits in our supply contract where, well, we caused them downtime so had to pay penalties to cover that as well.
So which was best? My way - would've cost at an extreme outside $3,000 but had a perfect running machine needing only tiny bits of work for the next few months? Or the "If boss still says go do it, go do it. It's not a fucking democracy." way - which cost the company.
Oh, and I do mean it cost the company. Sure, things kept running for another few years, but the financial costs were too much. The boss had a heart attack a short while after this (he survived, thankfully, and became a much nicer person after that), but the company itself was terminal. There was a loss of goodwill, huge loss of revenue, other contracts lost during the time we were making up for the mistake, and a domino effect that had us running on reserves chasing our tails for a while until the reserves ran out.
I drive past there every few months now. Quite sad. The building was demolished a couple of years back, but nothing's replaced it. I gave over a decade of my life to what is little more than a hole in the ground. Had the boss listened? Well, we may still have gone under - a lot of manufacturing has gone overseas. But we could've outlasted our competition, and then we would be the big firm with happy well-paid employees.
Sometimes you should shut up and let the boss fuck up. Other times, it pays to slap the boss upside the head and do it your way regardless.
Why did it take him 20 hours to turn HR's spreadsheet into a script that can update the various DBs?
(That's not a serious question)
A serious question is - why are the laptops named after their owners?
Any sysadmin that has been a sysadmin for more than a couple of years knows that this is a sure way to be swamped with unnecessary extra work for each swap or breakage.
I really don't get why people name devices after the owners. One of my predecessors did this on my existing network and it was a total nightmare. Every time you picked up a "spare" computer you'd end up with duplicate names on the network causing no end of hassle.
Personally, I just name the devices with their asset numbers and get the users to read me the asset number off of the label if I need it for some reason. If I need to know who's using which device then you can always pull the login records, or look at the asset register if you need to know who's got a laptop they take off site.
me either, or naming PC's after the room they're in, because they never get moved to somewhere else! if you want to know where it is stick the room in the computer description field. Don't name a PC after anything that is likely to change! We have a static list that we pick the next incremental name\number from
"if you want to know where it is stick the room in the computer description field"
No, if you want to know where it is, put the room and port number on the network port description and look at where it's connected when you need it.
Anything else will always have you playing catchup.
"Personally, I just name the devices with their asset numbers"
It's the way to be sure - then the user has it written in front of them.
Especially good for printers - traditionally named "Finance printer" or some shit like that, and then it moves, or more often the department changes its name if it's a time and money wasting public office.
- Especially good for printers
To be fair, with printers I go for a meaningful location identifier rather than an asset number such as Vulture Central, Floor 1, Printer 3, shortened down to "VC-F1P3".
A large sticker lets the users know which printer is which, and users just delete their printers and add the nearest one if they relocate between desks/department areas.
I name the PCs I install using the computer serial (we don't use asset numbers) so it's the Dell service tag or whathaveyou.
That has only once bitten me on the fundament. It seems that while MS etc actually advise against having computer names starting with a numeral, and most of the time computers have no problem whatsoever having names starting with a numeral - you guessed it - the clients for Sage 200 (in my case) won't connect to the SQL server if they have numerals at the start of the computer name.
So I had to rename about 3 computers (by adding a D for Dell) to the start of the name.
A footnote - the 3rd party that helps with our system, had renamed most of the desktops to users' initials during an upgrade about 5 years ago. But of course that plan broke down the moment staff turnover hit it.
The GPO script linked to the Staff Laptops OU parses the computer name, finds the bit after the hyphen and then:
Isn't this just reinventing a roaming profile (or a redirected profile with offline folders & files enabled) with the exception of not uploading changes on connection to the network automatically, or is your script doing other things you haven't mentioned?
It's for creating a local admin user account for the teacher to use at home, with the same username as their AD account, and then setting that up automatically so I don't have to do anything manual per each teacher's laptop. Literally just name it "after" them and the script does the rest. I have a lot of scripts like that in place, including for dealing with automatic staff laptop encryption. I maintain the view that I shouldn't really be having to do anything :P Although, of course, you have to put in all the legwork first in order to get there... :)
(In practice, of course, their username off the network will be ".\abc", but hey-ho...)
Because of a script! ;)
So if a user is ABC, then his laptop will be called LAPTOP-ABC. The GPO script linked to the Staff Laptops OU parses the computer name, finds the bit after the hyphen and then:
1) Creates a local user with the same username and makes them a local admin;
2) Queries AD for that username to get their forename and surname and adds those to the new local account;
3) Calls PSExec to run "cmd /c" as that user and then terminate, causing their local profile to be created for the first time;
4) Calls PowerShell to use the [ADSI] WinNT:// namespace to expire their local password;
5) Shares their local profile folder with Full Access permissions for that AD user only - then there's a GP Drive Map for when they're logged on with their AD account that maps a drive pointing to that share on \\127.0.0.1, so they can access their local documents when logged on to the network (there are heavy GP restrictions and they can't otherwise access the local hard drive);
6) Copies our Remote Access .wcx file to their local desktop so they can set up their RemoteApp access.
For those commenting about scripting: this whole system is held together with my own (documented) scripts, all of which work perfectly fine as long as there is complete consistency across the board with principles like "profile folder name matches AD username" etc.
read (at TechTales I believe it was) a story about a company with a 2+2 naming pattern in which the two first letters from the last name would be first, so John Doe would have dojo@company.com. Alan Anderton was not amused.
We had a 1+3 scheme, which led to some problems with a chap called Tom Watson. We did warn them that they were invoking the four letter curse, but not too enthusiastically because we knew things like this were going to happen and, to be honest, it promised to be so entertaining that we didn't mind the likely extra work to roll back and adjust the script.
Tom Watson had been quite noisy, so we decided not to suggest a 1+4 as a fix. There's only so much you can credibly explain away :).
Learn how to script, preferably in PowerShell since you're dealing with AD. Secondly learn how to build error trapping into your scripts. Thirdly you should already know how to script.
I've made this change in the past most often to align login names with email addresses to simplify life in a multi-userid age; more often now to disconnect userid's from email addy's due to security concerns.
Most of all - get a good policy that doesn't rely on random collections of initials and only apply to new/newish users. Always allow employees with lots of time at the company to keep their old ID's/email addy/phone number if at all possible - call it plank holders privilege.
I work for the company REDACTED.
They have an ERP software named REDACTED that we must use on a daily basis, living in a Server somewhere, so they don't have to install it in 3000+ terminals. So everybody must login in it using the RDP feature from Windows 7.
But because the terminals are not "properly registered" within the network, saving the passwords on the RDP won't help you, you have to retype your password. EVERY REDACTED TIME.
On top of that, the software has its own login passwords, instead of just pulling the REDACTED credentials from the network. And the network managers must copy them over from the network to the REDACTED program, every day.
In short, you must login on your machine THREE REDACTED TIMES, every REDACTED day, to reach the REDACTED program.
The kick (in the REDACTED) is, that REDACTED of REDACTED of a program runs on a limited number of simultaneous users, so you better rush in the morning, login before everybody else, and leave it running, if you want some usability out of it.
Why, oh, why...is accounting software mired in first half of the last century, with nonstandard keys to change fields, hard field length limits and complete ignorance of the generally accepted Windows UI behaviour "standard"?
// I'm looking at you, Vision
// ...and you, Sema4 (if you're still in business)
I worked for a 'manager' who came to work one morning, presumably having read some management book on his train ride to work and said to the 20 staff members on the IT Support team
"I want you all to write 4 new processes / SOPs this week, doesn't matter what on, just get me 4 so that I can show management we are working really hard" . sigh.
Harold tells us that the institution has a simple scheme to allocate user names for staff: someone called John Brian Smith gets the user name “JBS”. Someone called John Smith, but with no middle name, is “JSM” - the first letter from their first name and the first two from the surname.
3 letter usernames are terrible, my school used them. You end up with all manner of duplicates - I was AGI for A Gibson. But as soon as Ashleigh Gibley started she had to be AGI1.
It's just as bad with Smiths, you always end up with more than one sharing the same first initial.
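The three-letter scheme and its duplicate suffixes described above, combined with the "don't change the primary key" point made earlier in the thread, as an added example (not code from the article, Harold or any commenter). The numeric staff IDs, the never-reuse rule for issued names and the sample people other than those named in the thread are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field


def base_username(first, last, middle=""):
    """Scheme quoted above: three initials when a middle name exists,
    otherwise first initial plus the first two letters of the surname."""
    first, middle, last = first.strip(), middle.strip(), last.strip()
    if not first or not last:
        raise ValueError("first name and surname are both required")
    stem = first[0] + middle[0] + last[0] if middle else first[0] + last[:2]
    return stem.upper()


@dataclass
class Account:
    staff_id: int                      # immutable key (assumed to come from HR)
    username: str                      # current login name, allowed to change
    former: list = field(default_factory=list)  # names held previously


class Directory:
    """Accounts are keyed on staff_id; usernames are only labels."""

    def __init__(self):
        self.accounts = {}   # staff_id -> Account
        self.issued = {}     # every username ever issued -> staff_id

    def _allocate(self, stem, staff_id):
        # Append 1, 2, 3... until the name has never been issued.
        # Issued names are never handed to a different person (design
        # assumption), so old logs and mail cannot attach to a newcomer.
        candidate, n = stem, 0
        while candidate in self.issued:
            n += 1
            candidate = f"{stem}{n}"
        self.issued[candidate] = staff_id
        return candidate

    def add(self, staff_id, first, last, middle=""):
        if staff_id in self.accounts:
            raise KeyError(f"staff id {staff_id} already exists")
        name = self._allocate(base_username(first, last, middle), staff_id)
        self.accounts[staff_id] = Account(staff_id, name)
        return name

    def rename(self, staff_id, first, last, middle=""):
        """Name change: issue a new username, keep the old one as an alias."""
        acct = self.accounts[staff_id]
        stem = base_username(first, last, middle)
        if re.sub(r"\d+$", "", acct.username) == stem:
            return acct.username       # same stem, nothing to change
        acct.former.append(acct.username)
        acct.username = self._allocate(stem, staff_id)
        return acct.username

    def resolve(self, username):
        """Map any current or former username back to the stable staff_id."""
        return self.issued.get(username.upper())


def demo():
    d = Directory()
    results = [
        d.add(1001, "John", "Smith", "Brian"),   # from the article: JBS
        d.add(1002, "John", "Smith"),            # from the article: JSM
        d.add(1003, "Alex", "Gibson"),           # constructed first name for "A Gibson"
        d.add(1004, "Ashleigh", "Gibley"),       # collides with AGI
    ]
    # Constructed events: a surname change, then a new starter on the same stem.
    results.append(d.rename(1004, "Ashleigh", "Brown"))
    results.append(d.add(1005, "Anna", "Gillan"))
    return d, results


if __name__ == "__main__":
    directory, names = demo()
    print(names)
    print(directory.resolve("agi1"))
```

Because downstream systems can join on `staff_id` and treat the username as an attribute, a rename becomes one added alias instead of a change to the key every other system depends on.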
Harold should have reacted by:
(1) Warmly praising his 2IC for brilliant leadership and the will to make hard organizational decision,
(2) asking about the budget that will be available for organizing the transition to new usernames, or
(3) requesting an external review to establish the required effort and budget to make the transition.
Most people only start thinking if it costs money -- so money is the argument against stupid make-do-work.
So, I agree the approach is futile (user-readable usernames are fine, but ultimately it gets lost over time, John Smith, Jane Smith, James Smethwick all map to the same username).
But, ultimately the 2IC and Harold have been doing different approaches to username allocation. Who's to say that Harold is right with his approach? Suck it up, you've called out the risks and been asked to do it anyway. Refusing to do it because you can't see the benefits is insane. There are always reasons you're not privy to, and having to explain to every sulky admin the rationale behind the request is a ball-ache and unnecessary. Off the top of my head, for all you know there is a DPA related complaint behind revealing personal information (middle initials) without a purpose. The cost/risk/benefit analysis isn't for you to do.
"There are always reasons you're not privy to, and having to explain to every sulky admin the rationale behind the request is a ball-ache and unnecessary."
Actually it is necessary. If you have a rationale it should be shared unless there are good reasons otherwise. It's more likely to get buy-in to what may well be an otherwise incomprehensible idea or at the very least assures everyone that you aren't actually deficient of marbles. It ensures that new situations can be dealt with appropriately. It enables the process to be modified or dumped if circumstances change to make it inappropriate. At the very least it makes you check that your rationale was well enough thought through to enable you to put together a coherent explanation.
If it's a ball-ache explaining it maybe it wasn't a very good idea and even if it was, it was your idea, it's going to be an even bigger ball-ache for somebody so why shouldn't you suffer a little too?
Doctor Sy.tax
Agreed. Explaining the reasoning behind a decision equates to treating all staff as part of a team. It also sometimes makes the difference between providing what the managers say they want and what they actually intended. Maybe the manager who asks for something that sounds pointless and foolhardy is just doing it as a whim. But maybe it's because he/she thinks that this is the way to solve a genuine problem - and doesn't know there's a better solution (or that his solution would cause more trouble than the original situation).
Actually it is necessary. If you have a rationale it should be shared unless there are good reasons otherwise. It's more likely to get buy-in to what may well be an otherwise incomprehensible idea or at the very least assures everyone that you aren't actually deficient of marbles. It ensures that new situations can be dealt with appropriately. It enables the process to be modified or dumped if circumstances change to make it inappropriate. At the very least it makes you check that your rationale was well enough thought through to enable you to put together a coherent explanation.
It also allows you to draw intelligent input from the people who will have to execute your wonderful idea, and who may have the required expertise to spot issues, or even enhance the proposed concept (let's not forget that). The challenge is, of course, that that requires leadership instead of management (there's a large difference between the two).
All email addresses were originally numbers, no problems with duplicates or funny spellings. From memory it was n.n@compuserve.com. I remember how excited I was when it was announced that names would be supported and we could apply for our name related email address.
The article does bring back memories of 20+ years ago of me swearing under my breath every time a request came through for someone wanting to change their name due to marriage or divorce, used to take between half a day and a day to sort it all out depending on how many systems their single logon had access to. Happy days.
I recently came across my original FidoNet address in some old docs which really threw me :).
That naming structure was *very* geographical because it pretty much described the whole path to the node where you held your post, but it had no names in it. If you decided to pick up email from abroad it would cost you an international phone call.
That said, at least it was only text, not 10MB powerpoint files..
Are you sure you have captured all the steps needed to complete this task?
You need time to discover all the consequences of this management meddling, er initiative. Then once you have listed them all you need to test. Days become weeks and could be months. Well, does the manager want it done properly or not? And don't forget to consider how backups taken under the old regime may be restored using the new regime.
would have suggested running as-is with the new process documented and any additional users going on in the new format and if/when there's an issue with an existing account on the old system it's transferred over.
A common naming convention is a good idea, however spending a huge amount of time correcting an existing system which works isn't if it's documented to prevent a problem with loss of staff through illness or being driven to leave by a terrible boss.
Few IT staff I know are precious about how things are recorded, they just want it to be consistent and accurate.
A colleague and I once spent a good week or so changing the network IP address ranges of 30 regional offices to match the 'harmonised' scheme of the company who'd acquired us. The change was not a major shift in numbering and we were clever enough to do a fair bit of it remotely through deft use of RDP and multihoming. After we'd finished and handed everything over to our new lords and masters (who very soon kicked us regional IT guys out), it transpired they'd forgot to tell us that the subnet masks also needed changing, so off we went again!
This same company ripped out the 8Mbit ADSL VPN connections (this was around 2004) between our HQ and the offices and replaced them with 1/2 Meg MPLS circuits - then wondered why everything ground to a halt (I bet the accountants loved the new bills too!)
The icing on the cake was that the incumbent IT guys were sh*t scared of Linux and so out went the 300-user email system based on Postfix, to be replaced by MS Exchange + required Licences, and they abandoned the distributed, replicated, cross-site backup system based on BackupPC which performed full and incremental backups of data overnight from every office to two other locations, plus the clever rsync scripts that brought a copy of all regional data back to HQ every night for data mining - we had data coming in from MS-SQL, MS-Access and proprietary systems to be munged into one data set in MySQL - it was bloody brilliant, even if I do say so myself.
One of my schools had a very sophisticated (for the time) program for attendance, room use and scheduling. The system could work out for example if there was a lesson clash for any students taking multiple A-level subjects in the sixth form year. Anyway it used the initials of the staff and the first initial and last name for the students which had worked well. Then a student with a double barrelled name joined the school with a hyphen separating the two last names.
Apparently no one had thought about this possibility when designing the software and his hyphen caused two students to be created in the system (same first name but different second name). So in the first lesson I attended that year the teacher read out the names and everyone put their hand in the air when their name was called and said here. Except for Coates* who wasn't there and no one knew who he was as this was the start of the Autumn term and loads of new students. We had an entire day of lessons where Coates was absent and it was put down to sickness or something else. A week goes by and still no sign which is not good news at all. There is a bit of worry amongst the admin staff that he has been listed as sick every day when in fact nobody knows where this kid is. So they look at his details on the computer and there's no home address, no parents, no phone number etc. which is very odd. This will have to be reported to the Local Education Authority (now to Ofsted) and that's a very bad thing apparently! On the Monday morning of the next week the English teacher asks if anyone knows this kid outside of school as the staff don't know anything about him. "Does anyone know where he lives, what he looks like, who his parents are?" etc.
Rather sheepishly one child then raised his hand and said my full name is XXXXXX Serge-Coates* it might be me. We'd been through twenty five lessons with the teacher asking at the start of the class when the register was taken if XXXXXX Coates was there. They couldn't believe that he had taken this long to twig that it was possibly him and assumed that he was doing it to make them look stupid. Although not unpopular with the rest of us, he was very unpopular with the staff over that.
*Name changed, he wasn't posh his parents had divorced and remarried other people keeping their original last names and new surnames.
"Then a student with a double barrelled name joined the school with a hyphen separating the two last names."
Ah. The double barrelled surname problem.
Client's client had a database in which the names were properly structured but for some reason decided to amalgamate forename and surname into one string, surname first to send to us. We were then expected to transform it into the correct sequence to print. Hyphenated surnames would have been OK but non-hyphenated... After giving them a few examples they saw my point. However instead of a correct fix - either send it as two fields or concatenate it in the right order, they kept things as they were and sent an extra, numerical parameter, to show where it should be pivoted.
"We'd been through twenty five lessons with the teacher asking at the start of the class when the register was taken if XXXXXX Coates was there"
Every single class I was ever in at high school only ever called surnames at roll call. The only exception was if there were 2 of them and then an initial would be called too.
Every single class I was ever in at high school only ever called surnames at roll call.
One of my high school teachers had been teaching for 30-odd years and had done it that way with no problem. She would also call out the names in blocks of 3, eg Anderson, Andrews, Calver... Collins, Daniels, Davis....
Then she got my class. One of my classmates had the surname "Roots"[1]. 2 of the boys (one of them a rather sensitive bully) got a bit upset, because of "Peters Roots Symes".
[1] For the slang-impaired, at least over here "Root" is a synonym for sex.
The good thing about standards.. is that there are so many to choose from.
Our AD structure is made from several smaller domains nailed together. There are probably 20 or so different naming schemes in use. Now we could make everything the same but that would involve a helluva lot of arguing, and if there's something that IT folk enjoy an argument over then it is naming conventions.
As for machine names.. never name the machine after its owner. In our organisation a machine gets a number which it sticks with throughout its entire life. Unless of course it's those bits of the organisation that actually do name the machine after its owner. Yes, we can't name those consistently either.
You can of course wait until objects with the old names drop out of the AD structure and replace them with new ones. With computers that's about 5 years, not too bad for a large organisation. For users.. well, that can be decades. But you have to plan for the long term, eh?
So this is what I'd do.
Go home and complain. Maybe bitch on social media. Or, you know, a forum like this. Maybe drink. Maybe watch cartoons. Definitely picture detailed visions of retribution.
Then back at work, write up an impact plan, and have the boss sign off on it.
Then, just do it.
Ultimately, no matter how much personal pride I take in a job well done, these are not my computers, and I do not own this business.
"how do you handle companies where two John Smiths work?"
In the original scheme it appeared that naming was somewhat informal allowing scope for ad hoc decisions to resolve problems. If you set up a prescriptive scheme such as that proposed you need to build in a means of ensuring* uniqueness. In another post someone suggested adding x, y or z as dummy initials to a first/last initial scheme; works well right up until you've allocated jxs and then John Xavier Smith joins the company. Essentially it means something along the lines of adding a few digits so that your two John Smiths, or indeed Jane and John Smith, can be handled as smithj01 and smithj02.
*To some degree of statistical acceptability. The example above fails if the company is so big there's a realistic chance of 100 or more smithjnn names being generated in which case you need more digits.
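The schemes argued over in this thread, run side by side as an added example (not code from the article or from any commenter). The roster is constructed from names mentioned in the comments with made-up middle names, the function names are hypothetical, and the "new" scheme is taken to be the first-initial-plus-two-surname-letters rule Harold describes.

```python
from collections import defaultdict

# Constructed sample roster: (first, middle or None, surname).
# Names echo those used in the thread; middle names are invented.
ROSTER = [
    ("John", "Brian", "Smith"),
    ("Jane", "Alice", "Smith"),
    ("James", None, "Smethwick"),
    ("Rebecca", "Mary", "Jones"),
    ("Ron", "Paul", "Johnson"),
    ("John", None, "Smith"),
]


def _letters(text):
    """Keep letters only, so hyphens and spaces never reach a username."""
    return "".join(ch for ch in text if ch.isalpha()).upper()


def old_code(first, middle, last):
    """Existing staff code: three initials, or initial + two surname letters."""
    f, l = _letters(first), _letters(last)
    if middle:
        return f[0] + _letters(middle)[0] + l[0]
    return f[0] + l[:2]


def new_code(first, middle, last):
    """Proposed code (assumed): initial + two surname letters for everyone."""
    return _letters(first)[0] + _letters(last)[:2]


def collisions(roster, scheme):
    """Return {code: [people]} for every code the scheme issues twice or more."""
    groups = defaultdict(list)
    for person in roster:
        groups[scheme(*person)].append(person)
    return {code: people for code, people in groups.items() if len(people) > 1}


def allocate_unique(roster, digits=2):
    """Surname + initial + zero-padded counter, e.g. smithj01, smithj02.

    The counter is held in memory here; a real directory would have to
    persist it so a retired name is never handed to a second person.
    """
    limit = 10 ** digits          # 01..99 fit in two digits; the 100th does not
    counters = defaultdict(int)
    issued = []
    for first, _middle, last in roster:
        stem = (_letters(last) + _letters(first)[0]).lower()
        counters[stem] += 1
        if counters[stem] >= limit:
            raise OverflowError(f"{stem}: more than {limit - 1} holders, add digits")
        issued.append(f"{stem}{counters[stem]:0{digits}d}")
    return issued


if __name__ == "__main__":
    for label, scheme in (("existing", old_code), ("proposed", new_code)):
        for code, people in collisions(ROSTER, scheme).items():
            names = ", ".join(f"{p[0]} {p[2]}" for p in people)
            print(f"{label}: {code} is shared by {names}")
    print(allocate_unique(ROSTER))
```

The same `collisions` check can be run against an export of the real staff list before any rename is agreed, which turns "there will be duplicates" into a concrete list of affected accounts.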
"The proposed naming system cannot guarantee to produce unique names and unique names are an essential requirement."
The existing scheme doesn't either.
Unless the 'new' scheme is less than 3 letters per person, it's less likely to produce duplicates than the frankly idiotic 3-letter practice (which has only 18k possible combinations, and since most of those are unlikely to occur ever - just how likely is ZQP, for example? - it's likely to run into duplicates ridiculously quickly).
Scrap both and come up with a sane naming convention.
... exactly what “Harold” meant by "The 2IC is having none of that argument". He provided an estimate along with identifying some possible risks. And the #2 boss is saying "No"? Does he have some insight into the process and a more streamlined approach? Or is he one of these supervisors that just think the IT department throws a handful of faerie dust at the servers and it's 'job done'.
Having worked in some heavily audited lines of business, this sounds like a request to 'just get it done, but hide the expenditures' which can get even a CEO canned. Or at least the business banned from government contracts. Now I understand that not everyone must answer to this high a level of accountability. But Harold should take whatever steps are needed, through official channels, to request budget for and set up charge lines to track this activity. That might be enough to stop 2IC in his tracks.
Ultimately all it comes down to is one person thinking their point of view is more important - and therefore overriding - another's. Everyone wants their own way and will do what they feel necessary to justify that.
This happens in all aspects of life when you're a grown up.
Document the issues as you see them, then get on with your job. If a situation arises where you're being blamed for someone else's fuck up then show them the dated documentation to show that you foresaw the issue(s) and warned them about them. Collect your pay check and get on with it. If it becomes terrible to the point you can handle it, consider moving jobs. But it would have to be pretty drastic (or you're in a low paid/crap job) for that to be a real option.
"This happens in all aspects of life when you're a grown up."
Until you are grown up you get very little say in any decisions. At 13 a friend's son showed a sense of impeccable logic in family arguments about things he wanted to do or not do. His mother's reaction was always to dismiss his well-crafted argument with "because I say so".
About 20 years ago, my then boss asked me how I had time to help out other staff, when my predecessor spent all week taking the various electric motors off line, testing the motor winding resistances (with a bog standard ohm meter) and recording them, to help identify which motors were starting to fail.
So I went and got a brand new, unused motor from stores, and a dead motor of the same type I had pulled the day before and showed him the ohm readings.
They were identical.
Then I went back to my cubby hole and read a book until someone wanted some help.
(A proper insulation tester would have shown some differences, but they weren't willing to supply one, and I wasn't going to spend my own cash to buy one).
If you copied the list of actions that Harold sent to 2IC to explain why it's going to take so long to do, then only redacted a few details before putting it into the article, 2IC will have to be pretty thick not to put 2 and 2 together.
Let's hope 2IC doesn't read El Reg or Harold is royally screwed. I'm sure 2IC will be looking through Harold's employment contract for clauses Harold has breached by sharing this story in a public forum.
...so many icons to choose from.
Nope, it does not. There are various people around the world with the same name as mine. My gmail address has a dot between first and last name. Theirs (multiple people) does not and I get their emails all the time. I even got a classified email from the US once.
So, sorry, Gmail no longer seems to work that way.
As far as I can work it out, my firstname.surname@gmail addy doesn't seem to go to the American who shares my name. But I do get some of her firstnamesurname@gmail.com messages from time to time - unless someone is just assuming that she has that address (which has been mine since gmail was invitation only) or, as suggested below, that one has a digit that gets forgotten. And though I do like to get my own name for any account I would never choose a user name with an add-on number - I'd rather find something original.
"I even got a classified email from the US once."
Similar here. I got a few emails from ITV with me CC'd in discussing an upcoming production. It took about three weeks of replying to them pointing out the mistake before I eventually did a Reply-All and it stopped (also got an apology for the inconvenience, natch!)
Another one was a company sending me details of a contract worker's invoices/expenses. That only happened once and they were *extremely* apologetic and thanked me profusely for pointing it out to them. That could have been very nasty for them.
That part of the job should be pretty smooth providing (as previously pointed out) it is an additional alias.
There would be benefits in standardisation (visible to the outside world) and little disruption. People accidentally using the old alias would still get their emails.
Changing the login name is where things get horrid. And for no real gain.
I would add the aliases (script). Check there are no issues over a few days. Then make the primary address the new format one.
Then I would raise the issues about the login. If 2ic is any good he'd realise that the good parts of his plan were done, and cancel the rest. If not then I would suggest that a 3rd party were hired to do the move or that it be done a few users every day, until complete (one letter of the alphabet a day perhaps). I would make sure HR had a copy of my recommendations on file, just in case I was overruled and it all went titsup.
I get that this is the total amount of time for all the users, but what difference does it make if you do them all in one go or do one a day for the next few months?
In fact, if he's forced into a corner about doing this, even after making the 2IC sign off on all the risk statements, etc. he should insist on doing a small number of more technically competent power users first and waiting a month to see what sort of issues they have. Choosing the more technically competent means:
1) he won't waste time reminding them their username changed when they call and say "I can't login to X" like will happen with the clueless ones
2) they will notice problems readily and can describe them properly
3) are more likely to do the sort of things (personal scripts etc.) that can't easily be accounted for when assessing risk
4) probably perform more important functions, so if stuff breaks their inability to perform their job will quickly make its way up the chain to the top and the 2IC may be forced to reconsider this idea.
1. Document and inform of the risk
2. Create a transformation project, engage a consultant
3. Create a process, and a test, then re-assess risk
4. Request budget for change.
5. Create methods and scripts for PFYs to follow and implement
6. Await sign off from 2IC to approve the potential downfall of anything AD linked for the whim of a change, then either sit back knowing you've been vindicated because he backs out, or plough on and kick off the change project, knowing that the overtime is coming, and the "I told you so" moment will be glorious.
Yes, doing something you think is stupid and without purpose is frustrating, but if that's what the boss wants, just do it. After all, you'll be paid just the same as if you were doing something you consider useful. As others have said, CYA by sending an email detailing how long it will take and the potential pitfalls and asking for confirmation that you should still go ahead. If you get the confirmation and it is something that is possible and you are capable of doing it, then just do it to the best of your ability - what's the problem? Nobody is going to blame you for someone else's decision.
If you don't like doing things that you do not personally believe are necessary, then become self-employed or start your own company. Otherwise you are being paid to do whatever the boss wants you to do (within your job description), and unless you are a director, however you think the company should be run is irrelevant.
On the flip side, how would you like it if your subordinate or employee refused to do what you asked (or deliberately made it fail) because they thought your idea was stupid? Maybe the idea really is stupid - or maybe you have a bigger plan in mind that you don't want to disclose just yet.
You haven't spent much time working have you? Or are you still in school?
Yes, doing something you think is stupid and without purpose is frustrating, but if that's what the boss wants, just do it. .. then just do it to the best of your ability - what's the problem?
Some people are actually invested in and care about the firms they work for, and the stress screwups can cause their co-workers - whom they also care about. And if you're doing your job (eg making sure the IT keeps working smoothly), then you're pro-active about making sure that the systems you care for continue to work properly, even if that means introducing your boss to a bag of quicklime (El Reg, we really need that BOFH icon!)
Nobody is going to blame you for someone else's decision.
Yeah right. See the Naivety quote from GoodOldHarold..
On the flip side, how would you like it if your subordinate or employee refused to do what you asked (or deliberately made it fail) because they thought your idea was stupid?
I've had the privilege of working for people who valued their employees' input, and have also been an employer myself. In both cases "This is stupid, you need to..." held the possibility of a pay rise, and potentially saved lives as well. I had a plan which seemed great to me, but had a flaw I could not see. Junior who had little experience was still able to see the flaw, and it saved a lot of hassle.
Any employee should be able to raise issues they see with a plan, and unless the issues they raise are really stupid, they should be discussed if necessary, or at least a polite explanation as to why there isn't an issue should be given. Granted, some people are too stupid for (polite) words, but if someone is well-meaning and their concern is reasonable, why not give them an ear?
I must be very lucky. My boss doesn't ask for stuff just for the hell of it.
But I did once have to deal with another head of another department, who kept dreaming up new ways to reward various forms of fundamentally bad behaviour under the colour of improving performance; only to return some weeks later with a better idea, having identified some issues with the present scheme that I had already told him about the first time he mentioned it.
If you really can't persuade someone that their really bad idea is a really bad idea, then you have to make damned sure you can fix any damage you might have caused while implementing their really bad idea under duress and under protest. That means at least one full backup and restore drill, just to prove you can; and another full backup immediately before you start, so you can go back to a known-working state.
And for the record, it is not only possible, but reasonably painless to change a user's login, under GNU/Linux NIS with all of /home on an NFS share. User rebecca logs out before lunch, user becky logs in after lunch. But I wouldn't do more than one at a time .....
"And for the record, it is not only possible, but reasonably painless to change a user's login, under GNU/Linux NIS with all of /home on an NFS share. User rebecca logs out before lunch, user becky logs in after lunch. But I wouldn't do more than one at a time ....."
Yes, but the real problem in the article is that Rebecca Jones and Ron Johnson would both be able to log in as rj and get their correct, individual environments when they'd done so.
An AC, Truckle The Uncivil, Richard 12, Terry 6: I don't think GMail cares about dots (periods, full stops) in its user names: It just discards and disregards them.
For instance, Truckle says: "My gmail address has a dot between first and last name. Theirs (multiple people) does not and I get their emails all the time", and Terry: "my firstname.surname@gmail addy doesn't seem to go to the American who shares my name. But I do get some of her firstnamesurname@gmail.com messages from time to time"
I think both Truckle and Terry are seeing the same phenomenon as Richard, who wrote: "Which then causes annoyance anyway, as firstname.lastname@gmail.com gets a huge amount of email intended for firstname.lastname1@gmail.com"; that is, Truckle's and Terry's namesake(s) are probably actually firstname.surname_1 or firstnamesurname97 or whatever, and the mails Truckle and Terry get are the ones where people forget the numbers.
From my testing, GMail really doesn't seem to give a damn about dots (periods, full stops). Try it: Send mail to firstnamesurname@gmail or first.name.sur.name@gmail or even f.i.r.s.t.n.a.m.e.s.u.r.n.a.m.e@gmail, and I'll bet you get them, as long as you get the letters right.
Personally, I hope Casey Conrad in Ohio got her cable TV fixed on the second or third appointment she set up, that Charles R. Conrad doesn't miss any of his U-Haul payments even though he isn't getting the e-mail reminders, and above all that young Cade Conrad in Louisiana would fucking well subscribe to all those gaming and paintball and sports websites with HIS OWN darn address.
Oh, and that ungrateful bitch Christina Conrad in California, whom I went to considerable effort to track down and tell her over the phone that a manager at the company where she'd applied for a job had sent her an invitation to an interview, only to be rudely told that I was disturbing her and she couldn't understand my "weird accent" and she didn't much care for that position after all: May she remain unemployed for ever. Live in cardboard box under a bridge, that kind of thing.
"D'oh!", for people who don't even know their own darn e-mail address.
Or maybe e-mail to call.me.conrad@gmail.com who let's say doesn't exist is delivered to callmeconrad@gmail.com instead - or vice versa. But if both addresses exist then they only get their own e-mails. Or not. Or, that used to happen, but it has security disadvantages - as discussed.
Reminds me of the time just after I left a certain Large Telco. We had a standard email scheme.. <firstname><optional disambiguating digit>.<lastname>@xx.com. Worked fine... even mapped nicely to X400 which was the Up and Coming thing in those days. Then the chairman got his knighthood. The email system had to have a special exception added that so that his email address was sir.<firstname>.<lastname>@xx.com. Drove a coach and horses through our carefully crafted scheme and caused my successor to tear his hair out.
Starting off as an apprentice way back when…
I learned quickly I was getting paid the same amount if I was cleaning the gallery camera, getting lunch for tradies or doing actual work.
Simply put - manager wants you to do something then get it done.
Nothing wrong with having an opinion (as I have worked for myself for just shy of 20 years I am full of them!) but don't let your ego get in the way.
They have put you in a NO WIN situation. They are meddling with things they do not understand. They want to exercise their power for what they think are neat ideas. But those ideas do not follow industry best practices or conventions. You will not increase your knowledge and skills by following their directions. And, it is unlikely you will learn anything more in the environment they are creating for you. No matter what you do, they will think you are taking too long and your effort is unsatisfactory.
Don't try to get even or complain. Don't even talk about it in your interviews. A negative prior experience just makes you look bad. Start looking for another job IMMEDIATELY. Get the two of them together and say you have to resolve their differences with some kind of standard. Once that is established. Start doing the work. Your goal is to have the job only half done, and a new job, when the shit hits the fan. The users will complain bitterly. And, no matter how careful you are, there will be errors and omissions. There will be complaints about those things as well. By the time they have hired your replacement and resumed the project, they will be famous as campus buffoons.
Think I may as well address a couple of issues that people have raised, which without more information would be perfectly reasonable to mention.
The reason for the usernames as they stand is that they reflect what's called a "staff code". This is used in schools as a shorthand for each member of staff, and it's also what appears on e.g. the timetable. For anyone who left school in the last couple of decades or so, cast your minds back to the way your timetable looked. You'd have a subject (or subject code, e.g. Ma for Maths), room number and then... something like ABC - generally speaking, that's the teacher's initials as students shouldn't know staff's first names (very old British tradition, I know, but it's very common). They already know their own staff codes, so it makes sense to have that as a username as it's one less other thing to remember and these are people who can't deal with plugging a computer in... ;) Believe me, we have to make a LOT of compromises in education!
So people are used to referring to John Smith as e.g. JBS, and you'll see that on e-mails, timetables, pigeon holes, requests to form tutors etc. Some schools even name their forms after the form tutor - we don't because tutors can change and then it's a faff... :P
What I would point out is, as long as you're actually using the middle name as a differentiator, you don't really get any duplications in our staff size (93 FTE count). Exceptions were where a member of staff actually didn't have a middle name, in which case we used what's now being proposed as the new system, but that was rare.
You only begin to get these duplications when you stop including the middle initial, and that's really why I object to this. Yes, I do object to the fact that it's against best practice and I'm busy anyway, but what's REALLY bugging me about it is the fact that it's a stupid system he wants to move to. I can already tell we're going to have two VCHs, two AMOs and... three SDEs! He hasn't proposed a system for how to handle duplicates at all, never mind one that could handle THREE people being the same!
Also, teachers get very attached to their staff codes, you know. It's a bit silly and sentimental but when you've been e.g. JBS for 20-odd years, you do get attached. Personalised number plates are very common too as people ascend up the ranks... :P
So basically this is annoying everyone and achieving nothing... and why? Because he doesn't like the fact he's been given Timetable & Cover as a senior management responsibility and can't cope with remembering who's who just like everyone else.
He has a list of who's who on the wall... I've created documents indexed by surname and staff code that auto-update every midnight from the MIS and linked to them on the Start Menu... plus he can always just look them up from the MIS himself or ask a colleague... and apparently that's still not enough! And then, the only response I get when I point all this out is "hmmm... I think you just need to accept that senior leaders require this change to promote SMART working!"
Sooo... that's why I was pissed off enough to write in about it... :/
I worked in a department of a university where an originally apparently sensible scheme (within department staff) had been in place but obviously had gone wrong. Under the scheme I could have been "phil", "philip" or "pmr", with the latter being the most desirable. Unfortunately some idiot had allocated that to someone who should have been "prb" (note that this was NOT the only odd one), so I couldn't have it. ("prb" was in fact what he wanted, and was available.) My immediate superior decided to introduce a new rule whereby department staff would have unprefixed usernames otherwise similar to the prefixed ones used by students and also by staff in the other departments of the faculty - three surname letters and first initial. Under this new rule, I was "reyp". I hated it, but one of my duties involved setting up accounts for new staff. It only happened once all the time I was there, but not surprisingly I used the same rule. The user had wanted "dj" but that was prohibited by security policy. I had no middle initial on file for him, but even if I had, would still have allocated him "johd" as a protest against my own user name.
If I had stayed in that place and been promoted to my immediate superior's position I might have started the potentially longwinded process of re-rationalising user names. What made it worse was that student user names were "current year only", and they needed new ones each and every year!