Hug a developer

This video is way too good not to share:

This video is quite funny through most of it, but when it reaches the little boy I practically burst into tears.  Sometimes I think my job and this industry just does not lend itself to parenting at all.  I guess others agree.

Thoughts from Texas

Howdy from Dallas, Texas, where a new chapter of my life could be opening up. I’m not sure why or how, but it could happen.

I am nervous but then I am not. If the interviews are all about how I function under pressure, that’s fine I guess. We shall see.

Should I keep you up to date with how the interview goes tomorrow?

Sleep now. Study in the morning.

Obama Assassination Plot? – TMZ.com

Just in case any of you thought I was crazy when I said this country was too immature to elect a black president… I know it’s TMZ, but still.

I guess I’m just a little surprised they’re starting this early.

The delegates and the manager must all use Outlook 2007 when you use delegates in Outlook 2007

Important post out there for you sysadmins dealing with Exchange and delegation scenarios.

Dope-smoking hippy parents put everyone at risk for disease

It seems some parents out there are coming out against immunization for their children.  MSNBC has the story.

This is just fracking brilliant.  Now you’re going to let your child be put at risk for these killer diseases and expose the live bacteria to my children just because you’re some stupid-ass hippy parent who wants to be all New Age and shit?  Get a brain.  Why do you think we almost eradicated these diseases?  When was the last time you knew any children that died from these diseases?  Can’t put up with a little prick to the arm?  Grow up and get responsible, dumbasses.

I cannot fathom for an instant why parents would put their children at risk like this.  I hope when the children grow up they thank you for your negligence.  I’ll leave it up to you to determine how.


How a resource forest can make you cry

This post is focused on those of you who have decided to deploy Exchange in a resource forest.  You’re in for tears.  While the resource forest is technically a supported deployment method for Exchange, I’m going to point out what can go wrong in your Exchange world that will keep your admins up at night.

Let’s start with the definition of a resource forest, just in case you’re not sure.  The resource forest approach means that you have one Active Directory forest where your user accounts live and another Active Directory forest where your application (Exchange, in this case) lives.  You have user accounts in the resource forest that are disabled and then externally associated with the users in the user forest.  This of course, requires a trust between the two forests, which you likely have anyway, right?  Right.

A disabled user in the resource forest means the attribute msExchMasterAccountSID is empty.  This value is required for Exchange to identify and resolve the user account when permissions are calculated against a mailbox or folder in a mailbox; for instance, in a delegation scenario.  If your user accounts and Exchange live in the same forest, then this is set to “SELF” in Active Directory Users and Computers/Exchange Advanced/Mailbox Permissions.  This will write the SID of the user account into the msExchMasterAccountSID attribute and then be used to identify the user.  This also means that the forest is able to “track” the operations of this account.  If the account is disabled or deleted, when ACLs are calculated against the msExchMasterAccountSID value, everything is hunky dory and happy.

When you have a resource forest setup and you externally associate a user from the user forest to a disabled user in the resource forest, what you’re really doing is writing the SID from the user object in the user forest to the msExchMasterAccountSID.  Now, that’s the SID that will be stamped on a folder or object that gets ACL’d with your permissions… keep in mind, this is the SID from the user forest.

Now when Exchange needs to calculate the permissions, it will run across that SID and go talk to a domain controller to resolve it.  The DC will refer to the trusted user forest DC for resolution, but it proxies this communication over to the trusted DC, then returns with the answer.  This traffic pattern can be headache-inducing all by itself, but that’s a topic for another day.

So now here’s the problem.  Because these SIDs are external to the forest, it has no way of realizing if the SID is valid or not.  In other words, if you whack a user account in the user forest, the resource forest has no way of being notified of that SID’s destruction.  You now have what I call “SID ghosting.”  I’m sure there’s a term for it, but that’s the term I use around here.

Let’s look at an example.

Mary D. is a manager.  She has an administrative assistant, Ken G.  She assigns delegate permissions to Ken G. so he can manage the calendar.  What she has really done is stamp Ken G.’s SID from the user forest on her calendar as a permission object.  If you were to look at her calendar with pfdavadmin and check the permissions, you would see Ken’s access expressed as USERFOREST\KenG, not RESOURCEFOREST\KenG.  This is because the SID value from Ken’s account in the user forest is stamped in his msExchMasterAccountSID attribute in the resource forest.

Now let’s pretend Ken G. was looking at pr0n one day and got busted.  He’s terminated at the user forest and his account is deleted.  Now the resource forest still has his account and the ACL still exists on the calendar.  To preserve Ken G.’s data, his account in the resource forest is not deleted, but let’s say they shut down mail delivery by setting his mailbox quota to 0 or something.

What you have now is thus: every time Mary gets a meeting invitation, she will get an automatic bounce from Ken G.’s mailbox.

From a usability perspective, this sounds crazy.  If it’s happening to a top end manager (which, let’s face it, is where this will usually happen), they’re likely to go berserk and demand that you fix it right away.  When you research it, you find out that Ken G.’s SID is still stamped on Mary’s calendar.  This is because the resource forest has no way of knowing that the user object in the user forest was whacked and the mail delivery is now failing due to the disabled mailbox in the resource forest.

Let’s make it worse.  What if Ken G. had an assistant?  What if that assistant had another assistant?  What if your users created a delegation chain about twenty people deep?  Well, then what might happen is Mary would get a meeting invitation and then she’d get a bounce from someone way down in the chain, perhaps someone she doesn’t even know!  That one is really hair raising.

How do you debug this?  Well, as far as we’ve determined, the best you can do is open up pfdavadmin and figure out who delegated rights to whom and follow the breadcrumb trail.  If your users overuse delegation, this can be a painful exercise.  They should not be adding more than 4 delegates to their mailbox under any circumstances, but that’s a talk for another day.  Anything more than 4 delegates and they probably only need sharing permissions anyway, so consider using that instead.
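The breadcrumb trail described above can be walked mechanically once the data is exported. The following is an added example, not code from the original post: it assumes you have already dumped each resource-forest account's msExchMasterAccountSID, the set of SIDs still present in the user forest, and the delegate SIDs stamped on each mailbox. All names, SIDs and the data layout are constructed for illustration.

```python
from collections import deque

P = "S-1-5-21-1111111111-2222222222-3333333333-"  # constructed domain SID prefix

# Constructed sample data, not from the original post.
# Resource-forest account -> msExchMasterAccountSID (a user-forest SID).
MASTER_SID = {"MaryD": P + "1001", "KenG": P + "1002",
              "LeeP": P + "1003", "AnaR": P + "1004"}
# SIDs that still exist in the user forest; KenG and AnaR were deleted there.
LIVE_SIDS = {P + "1001", P + "1003"}
# Delegate SIDs stamped on each mailbox, e.g. as read off with pfdavadmin.
DELEGATES = {"MaryD": [P + "1002"], "KenG": [P + "1003"],
             "LeeP": [P + "1004", P + "1001"]}  # last entry loops back to MaryD


def ghosted_accounts(master_sid, live_sids):
    """Resource-forest accounts whose master SID is gone from the user forest."""
    return sorted(name for name, sid in master_sid.items() if sid not in live_sids)


def trace_ghosts(owner, delegates, master_sid, live_sids):
    """Walk the delegation chain from owner; return (chain, sid) per ghosted delegate."""
    by_sid = {sid: name for name, sid in master_sid.items()}
    findings, seen, queue = [], {owner}, deque([(owner,)])
    while queue:
        chain = queue.popleft()
        for sid in delegates.get(chain[-1], []):
            name = by_sid.get(sid, "<no resource account>")
            if sid not in live_sids:
                findings.append((chain + (name,), sid))
            # Keep walking: the resource-forest mailbox and its own delegates
            # still exist even when the user-forest account is gone.
            if name in master_sid and name not in seen:
                seen.add(name)
                queue.append(chain + (name,))
    return findings


if __name__ == "__main__":
    print("ghosted:", ghosted_accounts(MASTER_SID, LIVE_SIDS))
    for chain, sid in trace_ghosts("MaryD", DELEGATES, MASTER_SID, LIVE_SIDS):
        print(" -> ".join(chain), "stale SID", sid)
```

The `seen` set keeps a circular delegation (LeeP delegating back to MaryD) from looping forever, and each finding carries the full chain so you can see which hop to clean up.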

If you’re really paying attention, apply all of this knowledge to SharePoint.  Try setting permissions to your trusted user objects in the user forest.

Now think of all this (SharePoint included) and think of the day that management decides that this just isn’t working – you need to get all applications and user objects into the same forest.  Did your brain just explode?  If not, you’re not paying attention.  Key words are SID and msExchMasterAccountSID and SharePoint permissions.

Run.  Run screaming from the resource forest.  Friends don’t let friends set this up.

Really.


Communism in China

I keep reading a lot of tweets from folks that are not much more than USA fanboys preaching the goodness of the red-blooded Yanks and how China is just a bunch of commie bastards and I’m getting pretty sick of it.

First of all, that kind of talk does nothing to help peace in the world.  Shut up.

Secondly, let’s examine the country of China.  China is a country full of over a billion people and thousands of ethnic tribes with thousands of dialects of thousands of languages.  When you have a country where people can barely communicate with one another, how do you have a democracy?  You can’t really do it, that’s how.  In places where democratic-style freedoms can be enjoyed, they are (a la Shanghai and Hong Kong).

As sick as it may sound, I believe this also relates to the human rights abuses and crises that we so often pinpoint.  I agree that the laws are tough and unusual, but again – with a population that could absolutely turn the entire country into a complete lawless anarchy (is that redundant?), what else do you do?

Now for protesting at the Olympics.  C’mon people.  Is there nothing safe?  Can we not have a gathering of countries without politics and harsh words?  Wait for the next WTO meeting if you want a real chance to protest.  Just because the world’s eyes are on you does not mean that you have the obligation to ruin the chance for forgiveness and giving peace a chance.

I’m also trying to get my head around the idea that it’s a GOOD IDEA to go to a country like this that has laws against protesting… bucking the system and trying to do things that you get away with in the USA… and then fracking whining all over the net and other communication mechanisms when you get fracking ARRESTED.  Newsflash, id10ts… this is a country with laws UNLIKE OURS.  If you’re IN THEIR COUNTRY, you must FOLLOW THEIR LAWS.  If I ever get my head around that mentality, I’ll let you know.

Now for the darker side of things.

Yes, I agree there are human rights abuses in China, but these are largely the part of corrupt government officials.  Before you try to convince me that this is a problem only in China,  you need to look no further than the current fucking morons running our country to understand that government corruption is rampant even in the good ol’ US of A.

Stop and take a look at your own country before you criticize what another country is doing – and give them the chance to explain why they’re Commies to begin with.  It makes sense, trust me.  The human rights abuses do not, but human rights abuses are occurring here in the USA every day as well – why is China any different?


The Blog Flock

I see it happen every day.  There’s a cast of characters out there – Leo Laporte, Chris Pirillo, Jason Calacanis, John Dvorak, Robert Scoble (whom I absolutely DESPISE because of that “I’m the man!” snapshot on his blog… makes me want to beat him with his fucking tripod)… a whole elite clique of cynical blog/journalists who bring up topics and lead folks around them.

The listeners (and I admit, I’m one of them) follow them from point A to point B every morning, midday and afternoon.  It can be a link they found, a story they found, what have you.  Now take these salt shakers and add the wire press (Reuters, Associated Press, etc.) and you have the flock.

I started thinking about this tonight while listening to John Dvorak’s Tech5 podcast.  One regular complaint of Mr. Dvorak is the redundancy in the news business today.  One story gets picked up by a wire service and it explodes all over the net with thousands of redundant postings.  Add the Cynic Clique into the mix and then you’ve grabbed their listeners to comment on the stories at whatever social network has the spotlight today.

Web 2.0 and social networking is likely to fail.  There is an enormous amount of time and originality being wasted here on a daily basis.  I’m starting to wonder when people move on.

I guess it should start with myself.


Lawsuit says eatery to blame for 9-foot tapeworm – CNN.com

GROSS!  EWW!  SICK!  GROSS ALERT!  OMG WTF THIS IS DISGUSTING!

Fugitive mom ‘uncomfortable,’ wants out of prison – CNN.com

I don’t recall anything in my life’s teachings that says prison should be comfortable.  Isn’t that why you avoid it?
