1. I have been really lax on this what with other crap I have been dealing with. However, I am about to implement cleanup which will upset people and will remove anything older than 90 days. After 60 days the machines (W2K+) have to be rejoined anyway.

2. No. The network folks are actually locking most people out of direct network access. Most people without a business reason that is really good will get External OWA and that is about it. Anyone who will have dialup or VPN access to the network will need to do it from a company-owned laptop.

3. Not sure I understand this one. Server accounts can only be created by the people on the team I am on... 3 people. Workstations can be created by any one of thousands of workstation admins. However, they follow our standards or we make their computer accounts unusable by throwing them into jail.

joe
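The 90-day cleanup joe describes, as an added PowerShell example that is not from the thread: it reports enabled computer accounts whose secure-channel password and last logon are both older than the cutoff and, once -WhatIf is removed, disables them and moves them into a quarantine OU (the OU distinguished name is a placeholder; the ActiveDirectory RSAT module is assumed).

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT) and a pre-created quarantine OU; the OU DN below is a placeholder.
Import-Module ActiveDirectory

$StaleDays    = 90
$QuarantineOU = 'OU=Jail,OU=Computers,DC=example,DC=com'   # placeholder DN
$Cutoff       = (Get-Date).AddDays(-$StaleDays)

# PasswordLastSet reflects the last secure-channel password change (by default
# every 30 days); LastLogonDate is derived from the replicated lastLogonTimestamp,
# which is only accurate to about 14 days, so both must be older than the cutoff.
$Stale = Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $Cutoff } `
            -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
         Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }

# Never quarantine domain controllers, whatever their timestamps say.
$DCs   = (Get-ADDomainController -Filter *).ComputerObjectDN
$Stale = $Stale | Where-Object { $DCs -notcontains $_.DistinguishedName }

# Review this report before acting on it.
$Stale | Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

# Quarantine rather than delete: disabling and moving keeps the object's SID
# and history, so a machine that resurfaces can be restored instead of
# rejoined. Remove -WhatIf after the report has been checked.
foreach ($c in $Stale) {
    $note = "Quarantined $(Get-Date -Format yyyy-MM-dd): no secure-channel activity for $StaleDays days"
    Set-ADComputer    -Identity $c.DistinguishedName -Description $note -WhatIf
    Disable-ADAccount -Identity $c.DistinguishedName -WhatIf
    Move-ADObject     -Identity $c.DistinguishedName -TargetPath $QuarantineOU -WhatIf
}
```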
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Tuesday, January 06, 2004 9:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Computer Accounts and request for comments on provisioning.

Hey everyone… Happy New Year…
I am doing some research to help establish some new standards for provisioning workstations in our AD domains. In the past, any Windows NT workstation that was going to need to access domain resources was added to the domain. This means machines that were on the corporate network, and home machines. The problem we are having is that home machines are not being maintained as well as the corporate machines, and the home machines don’t connect into the corporate network very frequently. We are in the process of consolidating several resource domains as well, and we are trying to decide which accounts to move, and which ones not to move. When we move computer accounts the process requires that the local user profiles get re-ACLed, as well as the local file systems.

So the questions I have that I am looking for feedback on are as follows.

1. On average how long do you allow computer accounts to stay deactivated in your domain, and what issues do you run into when machines are disconnected longer than, say, 60 days? (I think I remember reading somewhere that secure channel passwords get reset every 30 days on machine accounts.) If the passwords are out of sync when the machine tries to join the domain again, will they auto-renegotiate a new secure channel password even though the password is out of sync, or does it always require resetting the secure channel?

2. Do you allow machines that are primarily home machines to connect in as domain resources, or do you use other means to provide remote access to domain resources? If so, what alternative means do you provide for remote access to resources?

3. Finally, do you require machines to go through a provisioning process when the computer account is created and removed from the domain? If so, how do you manage the process? In today’s domains, I would think it would be desirable with the need to have certificates issued for EFS, etc.

Thanks in advance for any feedback you all offer.

Todd