|
Out of curiousity, what are you calling
`jail?’ Are you simply disabling the account, or are you putting it
into a homebrewed OU with specific restrictions? Eternally curious, -James R. Rogers From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe 1. I have been really lax on this what
with other crap I have been dealing with. However I am about to implement
cleanup which will upset people and will remove anything older than 90 days.
After 60 days the machines (W2K+) have to be rejoined anyway. 2. No. The network folks are actually
locking most people out of direct network access. Most people without a
business reason that is really good will get External OWA and that is about it.
Anyone who will have dialup or VPN access to the network will need to do
it from a company owned laptop. 3. Not sure I understand this one. Server
accounts can only be created by the people on the team I am on... 3 people.
Workstations can be created by any one of thousands of workstation admins.
However they follow our standards or we make their computer accounts unuseable
by throwing them into jail. joe From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Hey everyone… Happy New Year… I am doing some research to help establish some new standards for
provisioning Workstations in our AD domains. In the past, any Windows NT
workstation that was going to need to access domain resources was added to the
domain. This means machines that were on the corporate network, and home
machines. The problem we are having is that home machines are not being
maintained as well as the corporate machines, and the home machines don’t
connect into the corporate network very frequently. We are in the process
of consolidating several resource domains as well, and we are trying to decide
which accounts to move, and which ones not to move. When we move computer
accounts the process requires that the local user profiles get re ACLed, as
well as the local file systems. So the questions I have that I am looking for feed back on are as
follows. 1.
On average how long do you allow computer accounts to stay
deactivate in your domain, and what issues do you run into when machines are
disconnected longer than say the 60 days. (I think I remember reading
somewhere that secure channel passwords get reset every 30 days on machine
accounts). If the passwords are out of sync when the machine try to join
the domain again, will they auto renegotiate a new secure channel password even
though the password is out of sync or does it always require resetting the secure
channel? 2.
Do you allow machines that are primarily home machines connect in
as domain resources, or do you use other means to provide remote access to
domain resources? If so what alternative means do you provide remote
access to resources? 3.
Finally, do you require machines to go through a provisioning
process when the computer account is created and removed from the domain?
If so, how do you manage the process. In today’s domains, I would
think it would be desirable with the need to have certificates issued for EFS,
etc. Thanks in Advance for any feedback you all offer. Todd |
smime.p7s
Description: S/MIME cryptographic signature
