ICC logo IFAS logo

ICC Meeting:



A meeting of the ICC was held on Friday, February 8th, 2008 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am. For some reason, the VC was created under conference ID 7830172 rather than the usual 7830130; Steve will try and get that corrected for next time.

PRESENT: Twenty members participated.
Remote participants: Bill Black, Dan Cromer, Mari Jayne Frederick, Dave Palmer, Mike Ryabin and Louise Ryan.
On-site participants: David Baudree, Benjamin Beach, Dennis Brown, Andrew Carey, Lance Cozart, Marion Douglas, Diana Hagan, Wayne Hyde, Dwight Jesseman, Winnie Lante, Steve Lasley, Chris Leopold, Ligia Ortega and Wendy Williams.

STREAMING AUDIO: available here


Agendas were distributed and the sign-up sheet was passed around.

Report from the chairman

New members:

Steve mentioned adding Billie Lofland (Senior TV Producer/Director, Hillsborough County UF/IFAS Extension) to the ICC-L. Billy wanted to keep in touch with video conference-related announcements which go out via that list at times. Steve was not aware of any other membership changes, but asked folks to let him know if they hear of someone coming or going.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Update from yesterday's ITPAC meeting

A number of the topics we usually discuss here at ICC meetings each month were covered in some respect at the ITPAC meeting yesterday. Consequently, those sections of our agenda were incorporated for discussion here.

Web Policy and Domain Policy status

Pete Vergot supplied follow-up on the status of these policy documents. Basically, things have stagnated and Joe Joyce is going to investigate.

Yesterday afternoon there was a meeting of the Web Working Group (Larry Arrington, Joe Joyce, Dan Cromer, Dave Palmer and Ashley Wood). That group has essentially finished its work and wants to push the policy issues off to a new Web Working Group which is yet to be appointed. At that meeting, Dave Palmer expressed concern with portions of the Domain Policy document relating to the effect of consolidation on search engine relevancy; Dave apparently has a number of small web sites with separate domain names and he fears that consolidating those will cause problems. As a result, Joe Joyce had asked that Dave raise his concerns with us and that we report back our position on those. Dave took issue specifically the following excerpt:

"Multiple Web sites weaken the potential impact of the overall 
organization on the Web. Each additional Web site dissipates 
relevance ranking, as search engines see a range of Web sites, 
each with a relatively small set of links.   Multiple Web 
sites also make it difficult for site visitors to see all the 
resources available.  If each unit has a single Web site, then 
all incoming links converge under a single Web site address, 
thus making the unit more relevant, visible, and credible to 
search engines and visitors.  Currently, IFAS manages over 700 
domain names, about 75% of which have been identified as 
weakening our overall Web impact."

Dave had solicited and received input from Danny Sullivan on the above excerpt and Mr. Sullivan's view was that the effect of consolidation on page ranking has not been proven either way. Dave was thus concerned that the policy was espousing as fact something which was truly a matter of opinion. Dave was also greatly concerned that moving sites to a folder within another site (i.e., consolidation) would disrupt search engines and break published links. He did not see the value of disrupting our clientele if resultant improvements in page rankings were in doubt. Dave would like this policy to remain on hold until the new Web Working Group is formed, so that they could look into the matter more fully.

Ligia Ortega defended the policy as currently written saying that her own research and experience has shown that consolidation does indeed improve page rankings. If a site that already has high relevance is moved, that relevance does not go away because the redirect instructs the search engine of the change.

Dave had not understood how redirects are actually implemented and had believed that they either involved laboriously adding code to each page within a site or that they would redirect all pages within the old location to the homepage of the new. It is actually much simpler than that and a single setting for the site causes all old links to redirect to their respective new locations. Steve mentioned that he had begun consolidation of several sites to folders within his departmental site and that the redirection worked wonderfully. Mari Jayne Frederick (MJ) echoed Steve's sentiment on that. They have done some consolidation on their sites at Homestead and everything has worked fine without any problems.

Diana Hagan offered some articles which discussed this subject further and mentioned she had no problem with changing the wording of the excerpt if that would improve the acceptability of the document. Diana pointed out, however, that there were many advantages to consolidation beyond just search relevancy optimization, advantages which relate to the manageability and usability of our sites. Ligia added that security is another related concern which consolidation can address.

Since Joe Joyce was wanting feedback from the ICC, Steve crafted the following response to Dave on our behalf and cc'ed it to Joe:

  As I said at the meeting, I understand your concerns about 
redirection as I had those too until I actually experienced it. 
Again, the redirection is done at the web site level (not via 
code on individual pages) and all old links-—no matter how 
deeply nested—-are redirected to their relative location on the 
new site. People’s stored favorites, old published links, etc. 
all continue to work. No problems. Likewise, the search engines 
equate the new location with the old.
  As for the page ranking/relevance issue I am by no means 
expert. I do know there are many other server management 
reasons for wanting to consolidate as well. Though the page 
ranking argument Ligia Ortega outlined certainly makes sense 
to me, page ranking is a very complex and ever changing target. 
While I respect your authoritative source, I also respect the 
research Ligia has done. To be candid, I merely _suspect_ 
consolidation will help with site relevance and thus page 
rankings, but I am quite confident that consolidation at the 
very least will not cause any harm in that regard.
  As you heard, the ICC had already discussed the very issues 
you raised at past meetings (though not the particular excerpt 
you highlighted and had received comment on). We did and do 
feel that consolidation is the way to go and that this domain 
policy supports that end appropriately; the benefits are many 
and the detriments few. Consequently, the ICC would recommend 
proceeding with policy implementation.

That said, Steve would urge Diana to modify the excerpt as she had offered. We seek to attend primarily to the end goal, which in this case is improving the IFAS web presence. The ICC concurs that consolidation is our best means to that goal and if a rewording of this section can make the policy more palatable to all, then that can and should be done.

The outsourcing of IFAS IT to CNS

Steve gave an overview of this topic which was discussed at ITPAC. His summary was that CNS has been asked to provide a quote for taking over many of the service functions of IT, including IT/SA. Joe Joyce does not believe that the CNS offer will be attractive, but wants to investigate. Steve agrees with Joe Joyce that the costs which CNS would need to charge are unlikely to be competitive with our current costs. He is also confident that CNS cannot match IT/SA's overall broad range of services.

Joe Joyce seemed to think, however, that the outsourcing of Exchange provided us the same level of service for less money. Dan Cromer responded to that by saying that our costs are the same, but the level of service has improved. Neither took into account that we lost a position which provided us a whole lot more than e-mail support in the process. In Steve's opinion it will be very important to get Dr. Joyce the correct information in order for him to make the best overall decision in this matter, and Steve urges IT/SA to do so; this decision shouldn't be based on just a cost comparison of a CNS quote vs. IFAS budget figures.

Videoconferencing certification

IFAS is going to support this effort by Video & Collaboration Services, but not to the extremes which the latter might like to specify. While IFAS agrees that certification is a good thing, we don't believe that incomplete compliance with that specification should necessarily exclude a functioning unit from connection via the bridge. Also, we will require some exceptions to any mandate that all Polycom units be left on 24/7. Joe Joyce plans to send out a message to all unit heads indicating that it will be their responsibility to see that this certification is accomplished for the Polycoms in their units and to appoint an official local contact person for videoconferencing.

Dan also mentioned a problem that has arisen in the past couple months with bridged VCs where connections have been dropped on a regular basis. Dan has learned that this apparently started after a change was made on the gatekeeper and the problem seems not to be related to the Codian bridge itself.

Dan also reiterated information Dean Delker and he had supplied to the ICC-L about Codian bridge changes which were made recently.

E-mail updates

Dan had provided an e-mail update at ITPAC. Since Dwight Jesseman was in attendance at todays meeting, Steve took the opportunity to ask him how the migration has been going from his perspective.

Dwight reported that the migration seems to be going very smoothly. He talked with 4H who migrated last weekend and received no ill-reports. Mobile devices have been somewhat of an issue--at least from the client side. Having to type in a PIN on those is an unpleasant surprise to some. The inactivity timeout setting on that is up for discussion at the next Exchange Advisory Committee meeting. The IFAS representative on that is Mark Rieger and he would be the one to contact should you wish to express your opinion.

In regard to linking to webmail from a web site, Ligia asked Dwight if it was okay to link directly to the logon page versus to http://www.mail.ufl.edu where our old address of http://webmail.ifas.ufl.edu now points. Dwight responded that doing that was perfectly fine.

Dwight would like people to keep an eye on the UF Exchange migration schedule. That gets updated the Monday prior to each bi-weekly move and the order does get adjusted from time-to-time.

Barracuda Spam Settings

Steve toured the Barracuda web interface noting that there have been some discussions with various experienced Barracuda admins concerning the default spam scoring settings which have been deployed. The consensus of those discussions was that we would like the default spam scoring settings for IFAS users to be as follows:

SettingSPAM Score Range
Allow:0.0 - 2.0
Quarantine:2.1 - 8.9
Block:9.0 - Up
Tag:No Tagging

Raising the block level in this way effectively prevents any blocking of legitimate email; this would address the greatest concern with the current defaults. Also, rather than tag and deliver some of the messages as is being done, with the above settings all suspected spam would be quarantined at a fairly aggressive level.

While it was originally believed that different defaults could be set for different domains, that proved not to be the case. Consequently, a single default setting must be negotiated. Again, the Exchange Advisory Committee will have to address that issue. Dwight said he would confirm whether or not that was on the agenda for their next meeting, which he believed was set for February 22nd. Again, Mark Rieger would be the IFAS representative to contact with your opinions on this matter. Dwight noted that there is a great deal of quite technical information that the committee members need to understand in order to make an informed decision on this; trying to distill that into an executive summary will be difficult.

Anticipating that this might not be resolved to his satisfaction, Steve has already written a FAQ for his users on How should I configure my Barracuda settings?. The good news on this is that each user may configure these settings individually as desired. There are a couple of concerns in that regard, however. First of all, the user interface advertizes in-built "Recommended" settings that we certainly don't want users to implement:

Barracuda's in-built recommendations

The Barracuda appliance is positioned prior to Exchange within our e-mail flow and we definitely want to implement a quarantine in order to reduce the load on the Exchange servers. The other related concern is that users might disable the Barracuda entirely. This will be a matter for user education in any case as some may resent having another place to scan (in addition to the Junk E-mail folder) looking for false positives. UF Exchange is trying to offset that inconvenience by sending daily digests via e-mail and by allowing users to logon to the Barracuda at any time.

Steve also demonstrated how Barracuda places information into the header of each e-mail message which it processes (right-click a message and chose "Message Options..." in Outlook). The information tells you scoring values it used, the score it gave, and even provides information on how that score was derived. Additionally, it provides a "Debug-ID" which can be provided to the UF Exchange admins to allow them to investigate details of exactly how a particular message was handled by the Barracuda appliance. Dwight mentioned that once a mail store is moved to Exchange 2007, the headers will also include the Exchange SCL score as well. An example from one of Steve's paid newsletters (which would have been blocked under the default settings) is shown below:

X-ASG-Debug-ID: 1201801230-1f3301850000-KsSPYe
X-Barracuda-Connect: smtp03.osg.ufl.edu[xxx.xxx.xxx.xxx]
X-Barracuda-Start-Time: 1201801230
X-Barracuda-Bayes: INNOCENT GLOBAL 0.5000 1.0000 0.0100
X-Barracuda-Virus-Scanned: by UF Exchange Barracuda 2 at mail.ufl.edu
X-Barracuda-Envelope-From: apache@ActionMessage.com
X-Barracuda-Quarantine-Per-User: PER_USER
X-Barracuda-Spam-Score: 4.17
X-Barracuda-Spam-Status: Yes, SCORE=4.17 using per-user scores of 
           TAG_LEVEL=1000.0 QUARANTINE_LEVEL=2.1 KILL_LEVEL=9.0 
           tests=BSF_SC0_SA067, BSF_SC0_SA085b, BSF_SC7_SA015f, 
X-Barracuda-Spam-Report: Code version 3.1, rules version 3.1.40988
	Rule breakdown below
	 pts rule name              description
	---- ---------------------- -----------------------------------
	3.00 BSF_SC0_SA067          BODY: Custom Rule SA067
	0.40 BSF_SC0_SA085b         URI: Custom Rule SA085b
	0.00 HTML_MESSAGE           BODY: HTML included in message
	0.26 HTML_FONT_BIG          BODY: HTML tag for a big font size
	0.50 BSF_SC7_SA015f         Custom Rule SA015f

Dennis Brown asked how often the Barracuda digests were e-mailed to users. That is controllable by the user themselves by logging into the Barracuda and going to the "Quarantine Settings" sub-tab of the "Preferences" main tab. The options there are daily, weekly or never and the user can even specify the notification address for those. Dwight said that these go out at 8:00AM each morning unless the user has changed that in their settings or if they have nothing in their quarantine.

Dennis also asked about tagged messages. Tagged messages preface the subject line with "[POSSIBLE SPAM]". The hub transport within Exchange evaluates tagged messages to an SCL score of "9", which should send them to the Junk-Email folder (unless the user has a rule set that moves the message elsewhere). If you forward or reply to those, they will not go into the Junk E-mail of the recipient, however.

User Lookup Tool

The UF Exchange group has provided a very useful web-based tool which is available to those with IF-ADMx accounts. This tool is provided at https://helpdesk.ad.ufl.edu and requires ufad\if-admx credentials. By entering a user's UFID or Gatorlink username you may see all sorts of useful information, some of which was never before available to you:

  • The Gatorlink forwarding address - this previously unavailable item can help you diagnose e-mail flow problems
  • The official business email address
  • Account distinguished name in UFAD
  • Network Managed By
  • Exchange - this allows you to tell if an account is mail enabled or whether they actually have a mailbox
  • Mailbox: Server Version - this will tell you if the mail store has been migrated yet (2007)
  • Mailbox: Messages - number of messages
  • Mailbox: Deleted Item Size
  • Mailbox: Size
  • Mailbox: Quota details
  • Mailbox: Forwarding Setting - this is Active Directory forwarding
  • Mailbox: Hidden from Address Book

Chris Leopold asked Dwight if there might be any way to include the logon information (group memberships and drive mappings) for IFAS users, as https://itsa.ifas.ufl.edu/userinfo currently does. Dwight replied that UF Exchange has to think globally. Andrew Cary noted that we do login scripts entirely differently than others and suggested that perhaps an API could be implemented where we could supply the URL with a username to tie this to our own Userinfo Page.

Web updates (Sharepoint)

Steve noted that Ben Beach had done a very nice demonstration of the new productions Sharepoint services at ITPAC. Steve and Ben quickly demonstrated the highlights of that.

Our Sharepoint Services solution has been divided into the following seven sites:

Since Sharepoint uses an SQL back-end for storage, splitting things up this way will avoid putting all our eggs into one basket and getting into a situation where a single database problem could bring down the entire system.

You and your users will want to manually add each of these sites into IE's "Local internet" sites. This will allow the sites to use your ufad logon credentials and prevent authentication prompts when entering and traversing these sites. If you are at home and using this, you can add them to your Local intranet sites, run a VPN, and then go to the Sharepoint site; it will then use your UFAD credentials again w/o prompting. The only issues will be for those sites that are not on UFAD, that are county supported, and which have their own county firewalls.

OU Admins will want to locate the ". IFAS-WSS-Owner-OUname" security group with ADUC and add themselves as owners of their Departmental site. A corresponding ". IFAS-WSS-Member-OUname" group contains your unit's autogroup to control Member access to your Departmental site. All UFAD has read access by default. You can control that aspect and even set up a finer-level structure for your own unit.

Ben has done a great job on the "My IFAS Help" tab, answering the question "What is this site and why should I use it?". There is a link to an excellent end-user FAQ at the bottom of that. There is also an "Owner's FAQ" which discusses how to create groups, assign permissions, create sub-sties, handle versioning on components, and setup e-mail alerts. You are all urged to peruse those materials in detail and get with Ben on any questions which might arise. Both the user and owner FAQs are wikis and can be edited by the corresponding audience should new items and their solutions arise. Using the "Issues with My IFAS" link you can create an issue and assign it; if you and another owner are in the same OU group and you notice there is a problem that you want the other person to handle, you can create and assign that to them.

Steve mentioned that this system allows individuals to subscribe to e-mail alerts for various document libraries and calendars. By doing so, a user is informed via e-mail when changes are made to a location they wish to watch. There will be training issues in getting people started on using this. Steve noted that some of the ITPAC members, for example, were a bit overwhelmed by the depth of Ben's demo there. Diana mentioned that she has some non-technical groups using this successfully, however, and the learning curve on that hasn't proven to be too terribly steep. Diana also mentioned the survey features as being very useful.

Steve asked about the ability to authenticate beyond UFAD. Ben noted that Brian Gray is already using this feature for collaboration with three off-campus groups. This feature uses forms authentication over SSL. Enabling that involves Ben renaming the site, extending this application to that site, and creating an .asp forms-based authentication page which uses a container on the SQL backend to keep the user accounts/passwords. Then the system will use those accounts to support authentication for the remote users onto that site.

Ben asked about how people wanted to link committees into the structure. Currently those are beneath the IFAS Administration site, but could potentially be distributed among the various sites.

Upcoming UF IT Advisory Committee for Network Infrastructure meeting

Steve mentioned that he will be presenting his usual harangue at next week's meeting and will report on how that goes.

CNS coming to March ICC meeting to discuss and answer questions on the Wall-plate

Steve has invited John Madey to our next meeting. John is the individual from CNS who does the scheduled initial interviews with units about whether or not they want to join the Wall-plate program. Steve would like people to send questions they might have so Steve can forward those to John prior. Some of the questions Steve has accumulated so far include:

  • Exactly how can a unit determine their one-time start-up costs for joining? What are all the various factors which must be considered?
  • VoIP service features - Which of these are activated and/or available?
  • Advantages of IP Telephony - Which of these are available now as opposed to being a potential at some future date?
  • Bench switches - What are the details of those? How are they configured? How many may a unit have?
  • Port modification requests - How are those requested and how quickly can they be handle, for example in the case of moving a port to WIPA?

Winnie Lante noted that her unit is not only migrating to UF Exchange in the next move, but is going onto VoIP very shortly as well. There is always snail-mail should problems arise :-)

Update on UF Exchange

Prior UF Exchange discussion.

See here for today's discussion details.

Split DNS solution for UFAD problems

Steve wants to leave this as a standing agenda item, but realizes that a solution will be a very long time in coming due to the complexities involved.


SharePoint Production Sites

Prior SharePoint discussion.

See here for today's discussion details.

Virtualization of Core Services

Wayne noted that the following likely should go under the topic "de-virtualization" since we are getting rid to the virtual file server (if-srv-file03) and going to a new cluster.

Upcoming File Server Cluster: Volume Shadow Copy issues

There is a limit of 64 shadow copies per source volume so Wayne Hyde originally intended to implement 32 snapshots a week providing 2 weeks-worth for VSC-based file recovery. It turns out, however, that having a large number of shadow copies greatly increases the time it takes for a disk resource to move between nodes. Consequently, we are going to cut back to a max of 34 shadow copies and do 3 snaps a day instead of 5. Weekends will still have 1 snap via the following schedule:

  • 7am daily (MTWRFSS)
  • 11am daily (MTWRF)
  • 3pm daily (MTWRF)

This should still provide 2-weeks coverage but with a coarser granularity. Backups are still being tested prior to putting the new file server cluster into production.

Upcoming File Server Cluster: Mac client issue

Please get Wayne a list of your Mac users! Unless they are using DAVE they are not able to utilize DFS paths. This means that rather than access our file server via paths like \\ad.ufl.edu\ifas they will have to use the machine SMB share path of \\if-srv-file03\data instead. When we move to the new file server cluster, those machine specific paths will break and will have to be edited to switch out the actual fileserver names with the new virtual node name. You will be given plenty of warning so you will be able to help your Mac users with this issue.

Dan Cromer mentioned he would encourage a policy that encouraged all Mac users get this DAVE software. Dan feels that if you have a Mac and want to join UFAD, you should have DAVE.

Upcoming File Server Cluster: Quotas and FSM filters

Not everyone uses quotas. Wayne is suggesting putting an overall quota for each unit but not setting finer controls; his is open to suggestions however.

IFAS WebDAV implementation

Mark asked why this remains on the project list. Steve responded that we had never officially announced that service was available because no movement has occurred in getting this documented for end users.

Vista Deployment via SMS and WDS

Steve wants to leave this matter as a standing agenda item for future discussion.

Re-enabling the Windows firewall

Steve wants to leave this matter as a standing agenda item for future discussion.


Server-Side Include (SSI) support on the IFAS web server

Chris noted that this subject isn't specific to SSI, but really entails how IIS uses file name extensions to determine which program to run to process a request. This recently became an issue for some sites built on templates which were using SSI, but which had been using .htm or .html extensions for those files. The configuration of those sites had originally been set to handle ".htm" and ".htm" files via the SSI .dll rather than via the default .htm handler. This non-standard configuration worked until settings were changes at the top level which propagated down through all websites and restored such processes to the defaults.

To avoid this in the future, Chris wants to make sure that all web pages utilize standard file extensions which are appropriate to the purpose of the page. In the case of pages utilizing SSI, those pages should have the ".shtm" or ".shtml" extension.

No one had any problems with standardizing our file extensions and Chris said that Mark Ross would get something written up on this and post those standard extension-to-application mappings to the ICC-L so all would be aware. There will be some work in correcting problem sites, but then we should be good from that point forward. Marion Douglas mentioned that such issues point out the fact that links should be made to directories rather than to specific "index." files; any links done the proper way would not be broken by changes in files extensions.

Barracuda spam scoring recommendations

See here for today's discussion on this topic.

ePO version 4 is awaiting deployment

Wayne is awaiting some updates which are due later this month prior to moving ahead with ePO 4.

Wayne also mentioned that they are looking into GPO processing issues that seem to be affecting a number of our machines. This was made apparent via ePO. Originally computers were structured in ePO by OU to help with reporting, but that got to be too cumbersome with ePO 3.0 and Wayne moved to using "on-campus" and "off-campus" groups. There are still hundreds of machines reporting that they are in the old groups, however, and that indicates they are not getting Group Policy.

Steve mentioned that he recently finally understood that Wayne has configured the WSUS servers to provide just the catalog of updates. The updates themselves are pulled directly from Microsoft--which makes sense. This arose when Steve asked Wayne if he had applied the hotfix described in Knowledge Base article 938759. Because of how we manage our WSUS, this shouldn't be a problem for us.

Volume Shadow Copy on the file server

See here for today's discussion on this topic.

Patching updates

This will be a fairly heavy month for patches from Microsoft. Supposedly 7 critical and 5 important patches will be pushed.

Wayne wanted to warn folks that IE7 is going to be pushed out next Tuesday by Microsoft (along with Win2K SP2). Mike Ryabin noted that some of his users still have issues with IE7, especially those who are trying to use some distance education features. Mike wasn't sure of the exact details of the problem but knew that IE6 or Firefox had been used as a work-around. Wayne responded that he would recommend Firefox as the workaround there because IE6 is definitely going away.

Mike asked if there was any way to selectively keep IE6 and Wayne responded "no". By searching on "ie7 coming" Steve found an article entitled IE7 Coming Through on WSUS, Blocker Toolkit or Not which would seem to suggest that this could indeed be controlled at the WSUS server.

Steve mentioned the Microsoft toolkit for disabling automatic delivery, but Andrew said that expires this month. It should also be noted that this tool blocks only installation that occurs by using Windows Update and Automatic Update. The toolkit does not block distribution that occurs by using WSUS. (See KB946202)

Steve noted that two recent updates: Adobe Reader 8.1.2 and Quicktime 7.4.1. Wayne noted that there is new version of Firefox out as well. It remains difficult to keep up with all the third party updates.

MS Office News update

Office 2008 for the Macintosh is now available at http://software.ifas.ufl.edu (ufad\if-admx credentials required).

Thanks to Winnie Lante, Steve discovered that the IFAS Office 2007 install point was not installing Outlook in cached Exchange mode. That has now been corrected and SP1 has been added to the install as well. Winnie wanted to know if there was any way to avoid checking each user for that setting; Steve believed that this could be controlled via GPO.

Public folder file deletion policies and procedures

Steve wants to leave this matter as a standing agenda item for future discussion.

Job Matrix Update status

Steve wants to leave this matter as a standing agenda item for future discussion.

Remedy system status

Steve wants to leave this matter as a standing agenda item for future discussion.

Other news

Computer disabling and removal from UFAD

Mike Ryabin asked about this as he noticed that machine accounts are now being deleted when computers (often laptops) are left off the network too long. Not only are these somewhat difficult to re-join, but deleting those loses useful documentation on the machine (namely the description and managed by fields which are often a pain to hunt down the details for and recreate.

Andrew Carey responded that there are two aspects of this issue. The first is that, as he understands it, UFAD will tombstone a machine after 60 days. [By tombstoning, Andrew means the object is deleted via a particular process. A deleted object is renamed, has most of its attributes cleared, and is moved to a hidden "Deleted Objects" container. This tombstoning process is necessary to support deleting objects within the multi-master DC environment.] This basically renders it useless and from that point on you will not be able to reconnect it.

The second aspect is that we have two scripts which we utilize for Co-Managed OUs. One disables computer accounts after 90 days; this will disable such accounts which are not tombstoned for some reason. This is what causes the big red X on the object within ADUC. The other script looks for computer objects with passwords older than 120 days and deletes them. Steve asked Andrew when this latter portion was implemented. Andrew responded that Chris had this in place for quite some time, but it was broken. Andrew recently fixed it.

Andrew hadn't been aware of past discussions on this matter, both at the March 2006 ICC meeting and via discussion on the ICC-L. The latter was represented primarily by a thread entitled "Expired Computers List" from January of 2006 and by a Chris Hughes posting entitled "Delete Expired Computers of 4/24/06. Apparently the delete at 120 days never worked until Andrew fixed it, but Steve believes that we need to relook at this issue before proceeding. Andrew has been kind enough to halt that portion until we can arrive at a consensus via the ICC.

Steve admits that he never fully understood the domain computer password process because he had often been able get machines whose passwords were older than 90 days communicating again by simply re-enabling the account in ADUC. This has obviously been Mike Ryabin's experience as well. Since we seem to get many computer accounts disabled by our script, it seems clear that UFAD is not deleting those--at least not for the most part. Steve tested the ability to re-enable accounts over the weekend and was successful in doing that without having to re-join.

Using Joe Richard's OldCmp utility with a command string of:

oldcmp -report -b "OU=ENTNEM,OU=IFAS,OU=Departments,ou=uf,DC=ad,DC=ufl,DC=edu"

Steve found two of his departmental laptops to have a password age of 96 days and for which the computer accounts had been disabled. After re-enabling those accounts, Steve was able to boot the machines, logon with domain accounts, manage remotely and the like. Obviously, there is something going on with all this that we don't fully understand.

Getting on the IFAS-announce-L list

Dennis asked about this. Dan Cromer replied that individuals may request that by sending an e-mail to "listserv@lists.ifas.ufl.edu" with "subscribe ifas-announce-L" in the message body. Dan doesn't yet have any good way to add new employees automatically, but is looking at various options for that.

Upcoming blocking of .PSTs on the IFAS file server

This won't happen until after the e-mail migration is complete, but Chris Leopold announced that it is their intention to eventually block the placement of .PST on the file server.

The meeting was adjourned on time, just a bit after noon.