joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

6/24/2017

Don’t build the Titanic when a paddle boat will do

by @ 1:01 pm. Filed under general

When poking around today I found a comment I made on a post two years ago, I thought I would share it here as it is just as true today.

…complexity kills. A lot of my work is around trying to figure out and fix stuff where people got too complex for the task at hand. Either they weren’t very good at what they did and made it complex accidently, the environment grew beyond intents over time and was patched into complexity, or someone was trying to be fancy and thought a complex solution was sexier and made them look smarter or something (I call this consultant / vendor syndrome). For the record, the simplest most elegant solutions are the most sexy. Those are the ones that have real life down the road and are more likely not to be ripped out and replaced. I personally am far more impressed and joyful at simple solutions than complex ones stacked up with all sorts of various interconnections. Don’t build the Titanic when a paddle boat will do.

This goes when fixing anything, you don’t always have to fix the entire problem in one fell swoop. Sometimes it not only makes sense, but makes infinitely more sense to solve issues in small bite-size pieces that slowly work you back to how something should really be done. When I worked for HP Enterprise Services I regularly saw cases where they would try to fix something but building a whole new solution that was a massive undertaking and would be paralyzed and unable to do anything until that was completed and unfortunately more times than not those massive solutions would end up getting killed before anything got done and so we would never move off the dime and fix even small things because people didn’t look at solving them at the micro level and wanted only to deal with them at the macro level. That is when I first started saying “don’t build the Titanic when a paddle boat will do”. I said it because I would visualize our many issues and problems as us floating down the river without so much as a stick to our name and someone would say let’s fix that and the solution was to build the Titanic and everyone would have great job and expectations and two years later nothing was built and nothing was going to be built and in the meanwhile we are still waterlogged in the river and could have been much better off if we had just built a paddleboat.

   joe

Rating 3.00 out of 5

5/29/2017

We do it for the result, not the process.

by @ 11:34 am. Filed under general

Last Friday I wrote the email below and sent it to the Directory Services team (which I am the Technical Expert for). I have received some very positive feedback so I thought I would share the verbiage here as well because this really applies to every medium to senior level person in the business and if you are a low level person in the business it is something you should keep in mind as well. Also if you haven’t read the Amazon Letter to the ShareHolders referenced, please do yourself a favor and read that as well.

==

From: Joe Richards
Sent: Friday, May 26, 2017 6:14 PM
Subject: We do it for the result, not the process.

I wanted to send out an email to the team calling out the signature I have had on my emails for a while.

This text came as a warning from the CEO of a competitor and it is very sage advice. It is important information for this team to keep at the top of our minds at all times. Even though this was only recently published by our competitor this basic concept was taught to me in the late 90’s and has been a fundamental underlying mindset of nearly every team I have had any input into and has worked very well.

Good process serves you so you can serve customers. But if you’re not watchful, the process can become the thing. This can happen very easily in large organizations. The process becomes the proxy for the result you want. You stop looking at outcomes and just make sure you’re doing the process right.[1]

We care about the outcomes, not whether or not we followed process properly because our deliverable isn’t the process, our deliverable is the result we are trying to achieve when we are following the process. What matters are the outcomes. This aligns with the old joke, “The operation was a success but the patient died”. We have and build processes to make it more likely we will get to successful correct outcomes. We OWN the process, if we don’t get the right outcome, we OWN the resulting failure. When we fail, we take that failure and analyze it with an eye to fix the process to prevent future failure.

By now you have probably heard me say several times, “Does this step add value to the process?” or “Does this process add value to what we are doing?” as well as “Question everything.” If something isn’t adding value or worse, puts us in a position to fail, it must be questioned and, if not removed outright, corrected to make sure it gives us the needed value and allows a successful result.

This isn’t cart blanche to throw out all process but it is a responsibility on each of our parts to question process and try to correct it in a feasible manner that leads us to the correct result.  Even if we are in the middle of some process and we see a potential bad result coming, if we have time and/or the potential badness outweighs moving forward we stop and figure it out or we get clarification before proceeding. Anytime something doesn’t feel right, question it.

We are professionals. We own a service and the processes around it. Process is only a tool to help guide us in the correct direction to do the right thing and we have to be aware enough of and understanding enough of what it is that we are doing and do everything with great purpose such that we can see when the process is failing us and correct it. If we have a failure, our answer should not be, “We followed the process.” It should be “Yes, we failed, we will correct things so it doesn’t happen again.” We are professionals.

    joe

[1] The whole letter to the Amazon shareholders from which this snippet was pulled can be found at https://www.amazon.com/p/feature/z6o9g6sysxur57t and is a great read.

Good process serves you so you can serve customers. But if you’re not watchful, the process can become the thing. This can happen very easily in large organizations. The process becomes the proxy for the result you want. You stop looking at outcomes and just make sure you’re doing the process right.

Rating 4.33 out of 5

5/13/2017

Everything I Need to Know I Learned in Monty Python and the Holy Grail

by @ 6:35 pm. Filed under general

Be pragmatic: Everyone told the King of Swamp Castle that he was “daft to build a castle on a swamp,” and sure enough, his first attempt sank into the muck. “So I built a second one,” he says. “That sank into the swamp. So I built a third. That burned down, fell over, then sank into the swamp. But the fourth one stayed up.”

This is the kind of thinking that produces epic SAP implementation failures. The King and his melancholy son Alice … I mean, Herbert … could’ve spared themselves a lot of trouble if they had listened to trusted advisors and built on another site. Be pragmatic and be willing to shift your plan as events and conditions warrant. Oh, and no singing.

<SNIP>

https://msdn.microsoft.com/en-us/magazine/mt742864.aspx?f=255&MSPPError=-2147217396

Rating 4.00 out of 5

5/11/2017

Getting the DN of the parent of an object

by @ 10:33 pm. Tags:
Filed under general, tech

Do you remember how several years ago I added to AdFind the ability to display the parent of the object you searched for? Microsoft finally added that ability as well for any LDAP query as of Windows Server 2012 R2 and ADLDS for Windows 8.1/Windows Server 2012 R2.

The attribute is called msDS-parentdistname.

[Thu 05/11/2017  22:10:46.92]
E:\>adfind -e k16 -f name=unix* msDS-parentdistname -dpdn

AdFind V01.50.00cpp Joe Richards (support@joeware.net) May 2017

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc

dn:OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>parentdn: OU=TestOU,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: OU=TestOU,DC=k16tst,DC=test,DC=loc

dn:CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc
>parentdn: CN=TestContainer,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: CN=TestContainer,DC=k16tst,DC=test,DC=loc

dn:CN=unixCNgroup,CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc
>parentdn: CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc

dn:CN=unixgroup,OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>parentdn: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc

dn:CN=unixgroup2,OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>parentdn: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc

5 Objects returned

Now I could change AdFind to just use that attribute but since I know for a fact people who are using AdFind for earlier Windows versions and for non-Microsoft LDAP implementations it will stay right where it is.

     joe

Rating 4.00 out of 5

5/10/2017

AdFind -sslinfo

by @ 9:06 pm. Tags:
Filed under general, tech

One of the new switches I have added to AdFind V01.50.00 is the –sslinfo switch.

This is some functionality I have long wanted to have in AdFind because getting info about the certs the Domain Controllers (or ADLDS) is presenting can be very useful information, especially for troubleshooting. That being said this switch should probably still have the BETA tag on it because it isn’t fully integrated into the rest of AdFind. That means you won’t be able to ask for just specific attributes that it outputs for the certs or get the info in CSV format or do ANY of the output manipulation that you can do with most things. You will also notice the normal server info header info isn’t there either.

I do intend to fix it and make it work in the normal way. The reason it is done this way is because it was a last minute add because I needed it (which is why AdFind and 90% of its functionality was produced anyway) and it is outside the normal LDAP data stream flow so is outside of the space where I have all of the searching/formating functionality.

If you haven’t checked it out though it is pretty cool.

[Wed 05/10/2017 20:59:31.16]
E:\issues\OU_DC>adfind -hh k16tst-dc1.k16tst.test.loc -sslinfo

AdFind V01.50.00cpp Joe Richards (support@joeware.net) May 2017

dn:CN=Certificate Info,CN=k16tst-dc1.k16tst.test.loc
>ciEncodingType: X509_ASN_ENCODING (0x01)
>ciVersion: CERT_V3 (0x02)
>ciNotBefore: 2017/04/27-09:24:40 Eastern Daylight Time
>ciNotAfter: 2018/04/27-09:24:40 Eastern Daylight Time
>ciSignatureAlgorithm: 1.2.840.113549.1.1.13
>ciIssuer: CN=CA1,DC=k16tst,DC=test,DC=loc
>ciSubject: CN=K16TST-DC1.k16tst.test.loc
>ciAltNameDNSName: K16TST-DC1.k16tst.test.loc
>ciAltNameDNSName: k16tst.test.loc
>ciAltNameDNSName: K16TST

dn:CN=SSL Connection Information,CN=k16tst-dc1.k16tst.test.loc
>ciProtocol: Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
>ciCipherAlgorithm: AES 256-bit encryption algorithm (CALG_AES_256)
>ciCipherStrength: 256 bits
>ciHashAlgorithm: 384 bit SHA hashing algorithm (CALG_SHA_384)
>ciHashStrength: 0 bits
>ciKeyExchAlgorithm: Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
>ciKeyExchStrength: 255 bits

The command completed successfully

[Wed 05/10/2017 20:59:33.33]
E:\issues\OU_DC>adfind -hh k16tst-dc2.k16tst.test.loc -sslinfo

AdFind V01.50.00cpp Joe Richards (support@joeware.net) May 2017

dn:CN=Certificate Info,CN=k16tst-dc2.k16tst.test.loc
>ciEncodingType: X509_ASN_ENCODING (0x01)
>ciVersion: CERT_V3 (0x02)
>ciNotBefore: 2017/04/08-12:15:53 Eastern Daylight Time
>ciNotAfter: 2018/04/08-12:15:53 Eastern Daylight Time
>ciSignatureAlgorithm: 1.2.840.113549.1.1.13
>ciIssuer: CN=CA1,DC=k16tst,DC=test,DC=loc
>ciSubject: CN=K16TST-DC2.k16tst.test.loc
>ciAltNameDNSName: K16TST-DC2.k16tst.test.loc

dn:CN=SSL Connection Information,CN=k16tst-dc2.k16tst.test.loc
>ciProtocol: Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
>ciCipherAlgorithm: AES 256-bit encryption algorithm (CALG_AES_256)
>ciCipherStrength: 256 bits
>ciHashAlgorithm: 384 bit SHA hashing algorithm (CALG_SHA_384)
>ciHashStrength: 0 bits
>ciKeyExchAlgorithm: Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
>ciKeyExchStrength: 255 bits

The command completed successfully

Rating 3.00 out of 5

5/4/2017

AdFind V01.50.00 Released

by @ 9:49 pm. Tags:
Filed under general, tech, updates

May the Fourth be with you. Smile 

I have uploaded the release version of AdFind V01.50.00 to the www.joeware.net web site. You can find it at:

http://www.joeware.net/freetools/tools/adfind

I have mentioned previously some of the updates, the big change was to change from using the Code Gear (Embarcadero previously Borland) Builder C++ to Visual Studio 2015 and then to Visual Studio 2017. That conversion alone results in a 20%+ improvement in performance.

I have to eat some dinner so I will try to write some more blog entries later on about some of the new features. Mostly at this point you all know what the tool does and this just does it a little more better before.

    joe 

Rating 4.60 out of 5

5/2/2017

AdFind close to the finish line…

by @ 5:04 am. Filed under general, tech

I believe we will see AdFind released in the next few days. It seems to be very stable, I use it every single day for literally thousands of queries of a very large production Active Directory environments (millions of user accounts). Speed perfs are amazingly useful especially for the Security Descriptors. I got most of what I wanted into it though to be honest what I mostly wanted was a stable Visual Studio version with Windows 2016 decodes. I am working on updating the web page now. I had to go find the old web site source code as I switched laptops since the last time I released and silly me didn’t put the web site code with the rest of my source code… When am I going to learn that web pages are like app code if not actual app code and needs version control just like my cpp files?? I guess now. Smile

BTW, sad day. I finally bit the bullet and switched it from reporting Active Directory Application Mode if the ADAM service is older than the 2003 era service. The reason being that the number of emails I was receiving saying “Hey it is calling my ADLDS server an Active Directory Application Mode Server, what is wrong with the tool??” has increased substantially and I don’t have the time to explain to every admin who doesn’t understand the history. Overall, quick rant… The quality of admins (in general, just not AD) has been going down in the world, sadly, as well as those who understand the history. I am not the only one seeing this, I have had conversations with several well known (to me and the general AD public) MVPs and former MVPs who feel the same. Even though the product is in the C:\Windows\ADAM folder and has ADAM in the default installation path a lot of people now no longer know what ADAM is… Congratulations Microsoft Marketing…

Long live ADAM!

adam

Rating 4.00 out of 5

4/28/2017

Flash Back Friday

by @ 7:11 pm. Filed under general, tech

 

But the schema says description is multivalued…

http://blog.joeware.net/2006/01/21/222/

Rating 3.00 out of 5

4/23/2017

The Pollexy Project–Special Needs Voice Assistance

by @ 6:10 pm. Filed under general, tech

I kept meaning to share this with everyone because I really want to get this video everywhere I can to get as much exposure as possible to it out in the world.

Troy is a friend of mine that works for Amazon, he has a 16 year old son with Autism. See what cool thing he cooked up to help him out. This is absolutely awesome work.

https://www.youtube.com/watch?v=BUewiOZTNzM

I really think this is just the start of what we are going to do with voice tech to make the world better and safer.

And the blog – https://aws.amazon.com/blogs/aws/pollexy-building-a-special-needs-voice-assistant-with-amazon-polly-and-raspberry-pi/

Rating 4.00 out of 5

4/22/2017

Now this is a great email…

by @ 2:07 pm. Filed under general

I have been going through thousands of emails I was behind on and in great part there are a lot of “thanks but…” emails, this one is simply a thanks email. Loved it.

 

To: support@joeware.net
Subject: Thank you!

I just wanted to let you know that between ADFind, and some Unix/bash regular expressions-based pixie dust, I’ve been able to extract tons of information out of the active directory domain where I work…

Like a list of every (unique) job title used, a list of every sever used as a network home, etc, etc, etc…

It’s been incredibly helpful in tracking the likely causes of some of the odd behaviors that the other techs and I have noticed over the years (specifically users in the same job who don’t have the same policies/access to things).

If you’re curious, I’d be happy to go into detail.

I strongly believe that life would be better if we were as compelled to thank people and tell them what they’re doing right as we are to complain. So, I wanted to thank you (in as direct a way as I can) for everything and offer my wishes that everything is going well for you. 🙂

– Kevin

Rating 4.33 out of 5

[joeware – never stop exploring… :) is proudly powered by WordPress.]