
Follow-up #1 on How does Identity Management Impact the Bottom Line? Selling IDM

In my presentation last week at #OCGUS15, the Redmond Summit put on by my friends at OCG, on “How does Identity Management Impact the Bottom Line? Selling IDM”, I illustrated how understanding more about financial statements, such as Profit/Loss statements and Balance Sheets, can be helpful. Here is a link to learn more:

http://www.investopedia.com/articles/basics/06/financialreporting.asp

Among other things, this helps you articulate how your projects and programs can impact the bottom line, such as how user provisioning/deprovisioning affects the Profit and Loss statement:


Redmond Summit 2015

I am looking forward to presenting in an hour or so on “How Identity Management Impacts the bottom line.”

Yesterday I had fun delivering a session on “ADFS vs Password Sync? It depends.” This morning Alex Simons of Microsoft revealed a few new things that change some of my advice:

  1. Soon Azure AD will be able to do the location restriction by application for SSO. This potentially eliminates a deal breaker for some people.
  2. You can now run Password Sync and ADFS at the same time.

Both make it more likely that you will do Password Sync. The second makes it more likely that you will run both, because Password Sync can be a warm standby for failing over from ADFS.


'Twas the night before Christmas

‘Twas the night before Christmas, when all through the internet
Not an identity was stirring, not even a Passport .NET
The user accounts requests were submitted with care
Hoping that their access would soon be there

The users were nestled all snug in their beds
While visions of being able to do their jobs danced in their heads
The servers and computers were in sleep mode
Awaiting someone to move a mouse and send the wake up code


Speaking at 2015 Redmond Summit (Jan 27-29 '15)

I will be speaking at the 2015 Redmond Summit: Where Identity Meets Enterprise Mobility.
This summit is put on by my friends at Oxford Computer Group.

I will be speaking on Password Sync vs. ADFS. Then the next day I will speak on the Business track about How Identity Management Impacts the Bottom Line.

See you there.

January 27-29, 2015 in Redmond, WA on the Microsoft Campus

Join OCG, Microsoft, and industry experts for two and a half days of networking and talks on the latest thinking on identity and enterprise mobility. If you’re overwhelmed by devices, have a hybrid environment, wish to simplify access, or manage identity in an increasingly complex digital world, then you won’t want to miss this event. Sessions will assess and look in detail at the largest release of new identity products in Microsoft’s history, including Enterprise Mobility Suite, Intune, Azure Active Directory, Hybrid Identity, and more! Discover how other organizations have tackled the same problems you face through case studies and get technical insight from Microsoft product managers and engineers. Registration is $800 per delegate. Find out more and register!


What AD Attributes are indexed? ANR? Tuple? PowerShell

Import-Module ActiveDirectory
$schema = (Get-ADRootDSE).schemaNamingContext
# searchFlags is a bit field on each attributeSchema object; the LDAP matching rule
# 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) returns objects where the given bit is set.
# Bit 32 = tuple index (medial "*abc*" searches), bit 4 = ANR (Ambiguous Name Resolution), bit 1 = indexed.
Write-Host "Tuple Index Enabled Attributes"
Get-ADObject -SearchBase $schema -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=32)" -Properties objectClass, name, whenChanged, whenCreated, lDAPDisplayName | Out-GridView
Write-Host "ANR Enabled Attributes"
Get-ADObject -SearchBase $schema -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=4)" -Properties objectClass, name, whenChanged, whenCreated, lDAPDisplayName | Out-GridView
Write-Host "Indexed Enabled Attributes"
Get-ADObject -SearchBase $schema -SearchScope OneLevel -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=1)" -Properties objectClass, name, whenChanged, whenCreated, lDAPDisplayName | Out-GridView

The above script is something I use to quickly see what is indexed in an AD environment.


SQL Maintenance for FIM and any other databases

An easy way to take care of your FIM databases is to “use Ola Hallengren’s script (http://ola.hallengren.com/scripts/MaintenanceSolution.sql). Download the script, adjust the backup paths and run the script on each instance of SQL Server. It will automatically create several jobs, some for maintaining the system databases and some for maintaining the user databases. You will need to create schedules for each of the jobs.” – FIM Best Practices Volume 1

I love using Ola’s script for index maintenance because it is so much smarter than the Database Maintenance wizard, which wants to spend lots of time rebuilding indexes that only needed to be reorganized and messing with indexes that were just fine or too small to matter. A table with fewer than 1000 pages is usually too small to matter. Under 5% fragmentation, why bother. Under 20%, a reorg will usually solve it. Over 20%, you should usually rebuild.
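To see how those thresholds play out against a real database before handing the job to a maintenance script, here is an added PowerShell example (not Ola Hallengren’s script and not part of the original post). It reads fragmentation from sys.dm_db_index_physical_stats and classifies each index with the rules above; the SqlServer module’s Invoke-Sqlcmd, the instance name and the database name FIMService are assumptions to adjust for your environment.

```powershell
# Added example: triage indexes with the post's thresholds (1000 pages, 5%, 20%).
function Get-IndexMaintenanceAction {
    param([int]$PageCount, [double]$FragmentationPercent)
    # Tiny tables and lightly fragmented indexes are not worth the I/O.
    if ($PageCount -lt 1000)          { return 'Skip (too small to matter)' }
    if ($FragmentationPercent -lt 5)  { return 'Skip (under 5% fragmented)' }
    if ($FragmentationPercent -lt 20) { return 'Reorganize' }
    return 'Rebuild'
}

# LIMITED mode is enough: it returns page_count and avg_fragmentation_in_percent
# without reading every page of every index.
$query = @"
SELECT OBJECT_NAME(ps.object_id) AS TableName,
       i.name                    AS IndexName,
       ps.page_count,
       ps.avg_fragmentation_in_percent
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE i.name IS NOT NULL   -- heaps have no index to reorganize or rebuild
"@

# Instance and database names are assumptions for this example.
$rows = Invoke-Sqlcmd -ServerInstance 'localhost' -Database 'FIMService' -Query $query

$report = foreach ($row in $rows) {
    [pscustomobject]@{
        Table         = $row.TableName
        Index         = $row.IndexName
        Pages         = [int]$row.page_count
        Fragmentation = [math]::Round([double]$row.avg_fragmentation_in_percent, 1)
        Action        = Get-IndexMaintenanceAction -PageCount $row.page_count `
                            -FragmentationPercent $row.avg_fragmentation_in_percent
    }
}

# Most fragmented first, so the Rebuild candidates are at the top of the list.
$report | Sort-Object Fragmentation -Descending | Format-Table -AutoSize
```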


Mistaken Identity

Years ago, I walked into a client site a few months into an Identity Management project, and the PM told me his account had been deactivated by mistake: an employee with the same last name and the same first initial had been terminated, and they termed his account instead.

Ironic.

A few years before that I visited a client whose VP of HR had his account disabled when they let the janitor go. Again the same last name, but this time the same first name as well.


Phoenix MVP Roadshow Transform the DataCenter Wed Sept 24 4 PM-8PM

Register Now! to attend the MVP Roadshow, Sept 24th, 4 PM - 8 PM

I will be presenting on why we want to get to Active Directory based on Windows Server 2012 R2 and how to get there. My fellow MVPs will be covering the rest of the agenda. I also created an IT Clue game to play in small groups, where the objective is to figure out who stole the data and how it could have been prevented.


ADUC Common Queries: Days Since Last Logon

Recently a client asked me how Active Directory Users and Computers (ADUC) performs the Days Since Last Logon query found in the Find Dialog box’s Common Queries option.

lastLogon is not replicated, so to get the real value you have to query every single DC. So I was reasonably certain that the query didn’t use lastLogon but rather lastLogonTimestamp, which was created “to help identify inactive computer and user accounts.” Assuming default settings, “the lastLogontimeStamp will be 9-14 days behind the current date.”
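The following is an added PowerShell example (not the ADUC query itself, and not from the original post) that reports days since last logon from lastLogonTimestamp and keeps the 9-14 day lag in mind when picking an inactivity cutoff. It assumes the ActiveDirectory module and a 90-day cutoff, both of which are assumptions.

```powershell
# Added example: "days since last logon" from the replicated lastLogonTimestamp.
Import-Module ActiveDirectory

function Get-DaysSinceLastLogon {
    param([long]$LastLogonTimestamp)   # raw FILETIME value as stored in AD
    # 0 / missing means the account has never logged on since the attribute existed.
    if ($LastLogonTimestamp -le 0) { return $null }
    $last = [DateTime]::FromFileTime($LastLogonTimestamp)
    return [int]((Get-Date) - $last).TotalDays
}

# With default settings the attribute is only rewritten when it is 9-14 days stale,
# so the real last logon may be up to 14 days more recent than what we compute here.
# A cutoff of 90 days (assumed here) leaves plenty of margin for that lag.
$InactiveDays = 90

Get-ADUser -Filter { Enabled -eq $true } -Properties lastLogonTimestamp |
    ForEach-Object {
        $raw  = [long]$_.lastLogonTimestamp      # $null becomes 0
        $days = Get-DaysSinceLastLogon -LastLogonTimestamp $raw
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            LastLogonTimestamp = if ($raw -gt 0) { [DateTime]::FromFileTime($raw) } else { $null }
            DaysSinceLastLogon = $days            # $null = never logged on
        }
    } |
    Where-Object { $null -eq $_.DaysSinceLastLogon -or $_.DaysSinceLastLogon -ge $InactiveDays } |
    Sort-Object DaysSinceLastLogon -Descending |
    Format-Table -AutoSize
```

Accounts that show as never logged on are listed too, since a stale-but-enabled account with no logon history deserves the same review as one idle for 90 days.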


Happy Independence Day -- Using PowerShell for Reporting

Unfortunately, my Independence Day is not free – I am working. It just so happens I need to report on when computer objects are getting migrated to a new AD forest: Day 1: 4, Day 2: 30, Day 3: 25, etc.

Now I could have taken the data and imported it into SQL and then busted out some awesome queries in no time flat. But my buddy Craig Martin keeps insisting how awesome this PowerShell stuff is. So I decided to give it a try; plus, if I can get it to work, it will be faster to run this repeatedly from PowerShell rather than needing to import it into SQL Server. I am actually a big believer in using the right tool for the job. Otherwise you end up blaming the tool for failing you when you should have picked a different tool, one better suited for your task.
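As an added example (not the author’s actual report script), here is the per-day count done directly in PowerShell, with a running total so you can see how far along the migration is. It assumes the ActiveDirectory module is pointed at the target forest and that each computer object’s whenCreated stamp in that forest marks its migration day; both are assumptions.

```powershell
# Added example: count migrated computer objects per day with a cumulative total.
Import-Module ActiveDirectory

function Get-MigrationCountByDay {
    param([DateTime[]]$CreatedDates)
    $running = 0
    $CreatedDates |
        Group-Object { $_.Date } |                  # bucket by calendar day, not by timestamp
        Sort-Object { [DateTime]$_.Name } |         # chronological order
        ForEach-Object {
            $running += $_.Count
            [pscustomobject]@{
                Day        = ([DateTime]$_.Name).ToString('yyyy-MM-dd')
                Migrated   = $_.Count               # e.g. 4, 30, 25 ...
                Cumulative = $running
            }
        }
}

# Pull whenCreated for every computer in the new forest (scope with -SearchBase if
# the migrated machines land in a dedicated OU).
$created = Get-ADComputer -Filter * -Properties whenCreated | ForEach-Object { $_.whenCreated }
Get-MigrationCountByDay -CreatedDates $created | Format-Table -AutoSize
```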
