Sysadmin’s plan to manage system config changes backfires spectacularly

Lee D

Re: Automation does have its place

The "admin who does things like it was 30 years ago" is surprisingly common.

When I started here, there was no computer imaging process - each one was manually cloned from one of its nearby machines and then manually re-configured. There were duplicate SIDs and unlicensed software everywhere. There was no user-management - each one was set up manually each time, so half of them were missing something or other. And home folders were manually made and permissioned for each user on creation*. Everything was done with copy-paste batch scripts that he didn't understand, which everyone ran on every login, and which literally carved out exceptions (e.g. IF %username% = "fbloggs", to map drives, printers, etc.). The console windows were still visible minutes after logging on as they churned through it all every time.

AD was literally a shock to the guy beyond "create new user". And he was being paid by the hour (not the reason for his lack of process, at least not directly, but he literally didn't have the knowledge).

Within a week, and without spending a penny more than had already been spent, I introduced F12 PXE boot to WDS (which meant imaging took 20 minutes from bare-machine to domain-ready client with the base software in the worst case), group policy (which meant that user's printers, drive maps and settings, and machine's specific software and settings were installed after a couple of reboots of any fresh machine, controlled centrally and changed and cloned easily), and the MSKB article which shows you how to permission the root profile folders applied so that users just logging in would create their own profile folders if they didn't already have one.

Literally the guy was stuck on using things that had "worked" for him on Windows 2000 and never bothered to update knowledge in all that time. That you could deploy a printer from a GPO was new knowledge. That you could image machines from a clean template. That you could centrally control updates. That you could map drives. That you could have a proper tree of users and groups (rather than just leaving everything in the default users and groups folders) and have "Users" settings apply to everyone, while "Users\Office" people also got office settings, that you could modify policies on the domain other than "Default Domain Policy" (literally EVERYTHING was in there). That you could target a policy at users, groups, or even things like Windows versions or machine types.

It took me a few weeks to go from utter unmanaged chaos to "F12, new image, reboot, right-click in AD, clone an existing user (even disabled) of the same type, set password, bang... everything comes down".

It's alright, it's not like we were a school or anything, with 500+ pupils, ~100 staff, all with different settings and permissions, ~100 leaving and ~100 joining users every year, and all needing central control for things like web filters (enforced proxies), etc.

Literally, his "web proxy setting" was a Regedit script for Mozilla Firefox run from a login batch file. Press Ctrl-C and it never got applied. Unapply it after login and it bypassed everything. And, no, not even a "catch-all" transparent filter... literally relying on that batch file to be all your security.

I honestly never asked what the rest of the junk in his batch files was and just started replacing them from day one. There were things in there playing with Word/Office, activation, antivirus warning disabling, ActiveX permissions, desktop icons (copied from the central server every logon), all kinds of stuff. I just switched them off for a few test machines and then resolved the issues that occurred in a more proper manner.

(*To this day, years later, I'm still finding folders that don't have inheritable permissions and/or have things like "Administrators" - the group, not the user - as the owner. There were also a ton of legacy folders, including user profiles, that literally the user could access but administrators couldn't. The only way to fix it is to take ownership of all files with recursion, then repermission with recursion, then put the file owner back as it should have been.)

P.S. He didn't last long.
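The clean-up the footnote describes (find profile folders with broken inheritance or the wrong owner, take ownership recursively, reset permissions, then hand ownership back to the user) can be scripted rather than done folder by folder. The PowerShell below is an added example written for this page; it is not the commenter's script. It assumes a profile share root of D:\Profiles, a domain called CONTOSO, and that each folder is named after the account that should own it; the domain, path and naming rule are assumptions, not something the comment states. It relies only on the built-in takeown.exe and icacls.exe tools and must be run from an elevated prompt by an account holding the Restore privilege, which is what lets icacls set an owner other than yourself.

```powershell
# Audit a profile root for the two defects described in the post:
# inheritance switched off, and the Administrators *group* left as owner.
# Also flags folders that administrators cannot even enumerate.
function Get-BrokenProfileFolders {
    param(
        [Parameter(Mandatory)][string]$Root   # e.g. 'D:\Profiles' (assumed path)
    )
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        $problems = @()
        if ($acl.AreAccessRulesProtected) { $problems += 'inheritance disabled' }
        if ($acl.Owner -eq 'BUILTIN\Administrators') { $problems += 'owned by Administrators group' }
        try {
            $null = Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction Stop
        } catch {
            $problems += 'administrators denied access'
        }
        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                Path     = $_.FullName
                Owner    = $acl.Owner
                Problems = ($problems -join '; ')
            }
        }
    }
}

# Repair one folder in the order the post gives: take ownership of the whole tree,
# repermission it recursively, then put the user back as owner.
function Repair-ProfileFolder {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OwnerAccount,   # e.g. 'CONTOSO\fbloggs' (assumed domain)
        [switch]$DryRun
    )
    if ($DryRun) {
        Write-Output "Would repair '$Path' and return ownership to $OwnerAccount"
        return
    }
    # 1. Give the Administrators group ownership of every file and folder (/A) so
    #    the tree is readable again; /D Y answers the prompt for unreadable dirs.
    & takeown.exe /F $Path /R /A /D Y | Out-Null
    # 2. Reset ACLs on the tree to inherit from the parent (re-enables inheritance),
    #    then grant the user full control on the folder, subfolders and files.
    & icacls.exe $Path /reset /T /C /Q | Out-Null
    & icacls.exe $Path /grant "$($OwnerAccount):(OI)(CI)F" /T /C /Q | Out-Null
    # 3. Hand ownership back to the user (needs SeRestorePrivilege, i.e. an elevated admin).
    & icacls.exe $Path /setowner $OwnerAccount /T /C /Q | Out-Null
}

# Usage (assumed root and domain): audit first, review the list, then repair.
# Get-BrokenProfileFolders -Root 'D:\Profiles' | Format-Table -AutoSize
# Get-BrokenProfileFolders -Root 'D:\Profiles' | ForEach-Object {
#     Repair-ProfileFolder -Path $_.Path -OwnerAccount "CONTOSO\$(Split-Path $_.Path -Leaf)" -DryRun
# }
```

Run the audit on its own first and keep the output; it is the record of which folders were touched. The repair deliberately resets to the parent's inheritable ACL rather than copying any existing explicit entries, because the whole point of the exercise is that the existing entries are the ones that cannot be trusted, and the parent's ACL is the one thing that was set up properly after the MSKB guidance was applied.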
