LOL.
I have always thought that the CEO should have equipment
and resources at best as good as what his/her workers have and at worst,
equipment and resources not as good. Why you ask? Because then that person can
better gauge the issues and problems with tech the people that they manage have.
I have a fun story along this line.
Once upon a time there was an analyst who was really
really good. He was so good he got stuck with the added responsibility to
personally support the top executive in the division of the company he worked
in. This executive had a family name that was on the big sign on the side
of the building of the company and this is actually a rather well known name.
Anyway this exec had been using a corporate load machine for some time, however
he found that it was difficult to get all of the support he needed from the
analyst or others when the analyst wasn't around because the division
didn't use that type of machine/load in the division. The load he had been
using was Win95 on a laptop. The loads the division was using were either Windows
3.10 with a hummingbird tcp/ip stack on a PS/2 desktop or OS/2 pre-Warp on PS/2
Desktop. Anyway, he asked what it would take to get better support. The response
was to switch to the standard Windows load. He switched. About 2 weeks
later the analyst gets a call asking him to drop on by when he is
in the area next. The support analyst immediately drops everything he was doing
and runs breakneck speed from the poor part of the building where IT was
stuffed into to the corner where the carpeting was lush and the sound proofing
was good.
The analyst was told by the exec... "This machine really
sucks, I can't do anything I want to do...It is worthless.".
The analyst responded, "I understand".
Exec: "Reload it the way I am used to.".
Analyst: "I am sorry, I can't, that isn't the standard.".
Exec: "Perhaps you forgot my name is on the side of the
building....".
Analyst (a young smartass I might add w/ no fear about
being fired and intent on doing the right thing): "No, I haven't. However I
don't have the facilities to legally load Win95 for you, the only legal
resources I have would produce the same thing you have in front of you and
I don't want to put this company in legal jeopardy.".
Exec: "What stops me from going down to Comp USA and
picking up the Win95 CD and loading it myself?".
Analyst: "Well nothing. It is your company, I don't think
anyone is going to fire you for it which would be the result of anyone else
doing it.".
Exec: "Well I think I will just do
that then..."
Analyst: "Well, have you considered the fact that you will
then again be in a position where it will be difficult for us to fix problems
you have?"
Exec: "You are a smart guy, I know you will figure it all
out for me and teach the others."
Analyst: "Thank you, but Ed, have you considered that
the other 2000 people in this building and the 8,000 or so
others in this division all have to deal with the same
issues?"
Exec: "So what?"
Analyst: "Well I would imagine they would all like a new
copy of Win95 from Comp USA as well so they can do their work too. And then, you
would be running a fully supported machine that we could all help you with
any time you have a problem since everyone would be running the same
thing.".
Exec: "Oh, I think I understand. That will be all, thanks a
lot."
A week later the analyst found out the
exec was given back a laptop with the main company's corporate
win95 load on it when called down to load some non-standard software.
Probably within 3 months it was announced that the division would be
switching over from Win3.10 to the Win9x corporate load as soon as
possible.
Possibly the switchover would have occurred anyway.
Possibly not. This was a financial division of a very large company and anyone
who works for a bank knows that IT is managed by accounting and accounting
doesn't like to spend money except for on nice cushy leather chairs for the
accounting execs.
One thing to think of when using Deny ACEs or depending on
passive Deny with Grants that don't include specific people... What happens if
there is a mistake or accident where that ACL is readjusted to authenticated
users read? I personally never thought about it until it happened in production
once and thousands upon thousands of people around the world on servers and
clients all were locked down to a kiosk mode for a couple of hours. Luckily this
was after 6PM EST which meant that only a small portion of the 250,000 people
who could possibly be impacted were impacted. Basically Europe was offline, most
of EST TZ was offline, it was west coast and Asia Pacific that mostly got
whacked and that accounts for only about 30,000 or so people. Had that occurred
at say 10AM EST, I think multiple people would have been fired and
the financial impact would have been in the hundreds of thousands if
not millions of US Dollars.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 08, 2005 1:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

I agree with Joe here (it happens sometimes). Leave the DDP
alone for this kind of stuff, esp. if it is also the GPO you use to manage
domain account policy. I don't have any problem with you linking the GPO at the
domain if it truly applies to almost all users in the domain, esp. if the
alternative is having to link the same GPO all over the place to get full
coverage anyway. Just put it in a different GPO than the DDP and use a Deny
Apply Group Policy ACE for your CEO (or better yet a group containing
your CEO).
And, as to why the CEO shouldn't be subject to the same
policy as everyone else, it's called American Capitalism :-). Since when was a
CEO subject to the same anything as the rest of the employees?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 08, 2005 9:07 AM
To: [email protected]
Subject: RE: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

If you have any intention of excluding your CEO or anyone
else from any other policies you should probably better scope your GPOs. Don't
make the changes in the domain policy, in fact I rarely recommend anyone change
things in that policy except for the things that they absolutely have to. Put
the policies down on the OU(s) where the users/computers are. Then place the
users and computers in the OU specific to the policy they should have.
BTW, why shouldn't the CEO have a machine configured like
everyone else?
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 08, 2005 10:52 AM
To: [email protected]
Subject: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

In this example, I want to exclude our CEO from
having a forced IE start page through GPO, while the remainder of our domain
keeps a forced homepage. Is the best way to go about this, to write a WMI
filter to exclude that specific user, or is there some better way to do it, as
we have this set in our Default Domain Policy?
If so, can anyone point me to a good tutorial for
writing such a WMI script?
Thanks.
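
Added example, not part of the original thread: a drift check for the Deny Apply Group Policy approach discussed above, covering the failure joe describes, where the GPO's ACL is reset to plain Authenticated Users and the exclusion silently disappears. The SID and both SDDL strings are constructed; the check assumes Read is granted separately and that rights appear as two-letter SDDL codes.

```python
import re

# Schema GUID of the "Apply Group Policy" extended right.
APPLY_GP = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
AU = "AU"  # SDDL alias for Authenticated Users
# Constructed SID standing in for the group that holds the excluded user.
EXCLUDED = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed DACLs: the intended one (Deny ACE first), and the same GPO
# after its ACL is reset to plain Authenticated Users Read + Apply.
INTENDED = ("O:DAG:DAD:PAI(OD;CI;CR;%s;;%s)(OA;CI;CR;%s;;AU)(A;CI;LCRPLORC;;;AU)"
            % (APPLY_GP, EXCLUDED, APPLY_GP))
RESET = "O:DAG:DAD:PAI(OA;CI;CR;%s;;AU)(A;CI;LCRPLORC;;;AU)" % APPLY_GP

def dacl_aces(sddl):
    """Return the DACL's ACEs, in order, as (type, rights, object_guid, trustee)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, obj, _inh, trustee = body.split(";")[:6]
        aces.append((ace_type, rights, obj.lower(), trustee))
    return aces

def covers_apply(ace):
    """True if the ACE speaks to the Apply Group Policy right."""
    ace_type, rights, obj, _trustee = ace
    codes = re.findall("..", rights)  # pairs, so "LCRP" is LC+RP, not CR
    if ace_type in ("OA", "OD"):      # object ACE: one right, or all if no GUID
        return "CR" in codes and obj in ("", APPLY_GP)
    return "CR" in codes or "GA" in codes

def gpo_applies(sddl, token_sids):
    """First ACE matching the token and the right decides, as in an access check."""
    for ace in dacl_aces(sddl):
        if ace[3] in token_sids and covers_apply(ace):
            return ace[0] in ("A", "OA")
    return False  # no grant at all: the "passive deny" case

def exclusion_intact(sddl, excluded_sid):
    """Everyone else still gets the GPO and the excluded group still does not."""
    return gpo_applies(sddl, {AU}) and not gpo_applies(sddl, {AU, excluded_sid})

if __name__ == "__main__":
    for name, sddl in (("intended", INTENDED), ("reset", RESET)):
        print(name, "exclusion intact:", exclusion_intact(sddl, EXCLUDED))
```

Run against the SDDL exported from each GPO that carries an exclusion, a False result flags the ACL for review before the next policy refresh reaches clients.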