17 August 2006

167 - Dolly et al

As LAN Account Admins, the job we do is easiest when we can clone existing new users to make new users. The feature is built into Windows NT's User Manager to Active Directory's NetIQ DRA (or other AD tools). Alas, we are not supposed to clone users because auditors don't allow it. Requesters are supposed to specify exactly what groups new users are to be added to. Yeah, right. Recently, the firm came up with a web database that list user info such as group membership, so for a while this db was supposed to be the solution to the age-old problem: how the heck would requesters know what to ask for? Requesters normally just put down something like, "Give this new chap whatever this existing chap has." With the new db, requesters would look up the so-called model user and export his group membership to Excel, then attach the xls to the request. End of story. Not so fast, because it was recently decided by the power that be that this wonderful db gives out too much info and access to it had to be clamped down. In the mean time, we are not supposed to clone users. It's a lose-lose situation. Requesters would have to find out, somehow, the groups to request for. Most of the time they would list the folders the new users need access to. We Account Admins in turn have to go to the folders and look up its Access Control List (ACL or "ackel"), sometimes even having to run DumpSec to get the ACLs for all the subfolders below the ones listed. In the end, it's more work for everybody.

BTW, in researching for this cartoon, I learned that the sheep name Dolly was in honor of Dolly Parton. The cell that was used to make Dolly was extracted from some mammary part of the "mother" sheep. Those scientists sure have a sense of humor, eh?

The faces accompanying the note about the cloning work done in Korea, or South Korea to be exact, is that of Dr. Hwang Hoo-Suk. He was a great pioneer on cloning but was later found to have faked his findings.

No comments:

Post a Comment