|
I guess my point of view is this. I do what is equitable for the situation, and try to maintain the peace as best as possible. I myself use dual credentials, encourage others to do it as well, but I also understand that “people do what works”, and CYA with a message to my direct reports about concerns I have. So until a situation arises that warrants a change in practice that I can champion, I patiently wait, and hope for no major disaster. Now I will say, when we came across this issue, we were able to make a stronger case to remove collaboration credentials from protected groups, still there was a lot of resistance from admins to change the way they went about their work. This has changed with more people becoming security aware, and the organizations going through security audits, etc.
I am not disagreeing that multiple credentials are not a best practice, but until MS sneaks a few more of these tweaks into their system, we will deal bad administration practices for quite some time. And getting people to do what is “Best” can put into a lot of “Political, Emotional, and Geopolitical” battles unless you have solid backing.
Todd
From: joe
[mailto:[EMAIL PROTECTED]
Yeah, like rename Domain Admins to "Unimportant People" and create a new group called Domain Admins and put the CIO in it. There is no excuse for a CIO to be in Domain Admins unless the company is under 5 people.
The only people who should be in domain admins are the people you expect to fix everything when the world hits the floor. If someone isn't in that category, they don't get rights to modify everything because it just puts them in a position to cause work for someone else.
I would tell that to the CIO of any company. If the CIO wants, he can hold the envelope that has the password for the builtin Admin account, that password should be like 250 characters so he/she isn't interested in actually trying to use it.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Only Sith deal in absolutes… :P
When you have a CIO that likes to be in the Domain Admins group, you sometimes have to pick your battles.
Todd
From: joe
[mailto:[EMAIL PROTECTED]
There is no debate on admins having multiple creds, one for admin work and one for normal work. Just do it. :)
To put it nicely, if a company doesn't do this, they are just being silly[1].
I am trying to figure out if there is ever a valid reason I think that an admin should have a single ID in a company. I can't come up with one.
joe
[1] Instead of silly think of mean words used to describe really silly people.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] One more thing to add to this from my experience.
I think we had situations arise where someone was trying to pragmatically modify or read attributes on accounts in the protected groups and was not able to due to their membership within a protected group. This of course started the hot debate on admins having multiple credentials, one for administrative duties, the other for collaborative and identity purposes.
Todd
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
I have a 2-part discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx
It's a bit headache-inducing, but at least you will get the benefit of knowing that it is "by design"
HTH
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B We have some users that have mobile devices that connect to Exchange. The 3rd party application uses a dedicated account to send mail from the devices. This account needs to have "Send As..." permissions on each of the user accounts' security settings. We have set it in all users (about two dozen) but one user in particular has a problem. We set the permission and give it "Send As..." rights (just like all the others - no different), but usually within an hour, the newly added permission is gone - not just the "Send As" setting, but the whole account name is gone from this user's security settings as if we never added it in the first place. We have five DC's and I have tried adding it from each DC with the same results. I am baffled by this. Does anyone have any suggestions? |
RE: [ActiveDir] AD Security permission continues to be "auto-removed"
Myrick, Todd \(NIH/CC/DCRI\) [E] Fri, 23 Jun 2006 10:23:23 -0700
- RE: [ActiveDir] AD Security permission co... deji
- RE: [ActiveDir] AD Security permissi... Myrick, Todd \(NIH/CC/DCRI\) [E]
- RE: [ActiveDir] AD Security perm... joe
- RE: [ActiveDir] AD Security ... Myrick, Todd \(NIH/CC/DCRI\) [E]
- RE: [ActiveDir] AD Secur... Marcus.Oh
- RE: [ActiveDir] AD Secur... joe
- Re: [ActiveDir] AD ... J B
- RE: [ActiveDir] AD ... Myrick, Todd \(NIH/CC/DCRI\) [E]
- RE: [ActiveDir]... joe
- RE: [Active... Deji Akomolafe
- RE: [Active... Myrick, Todd \(NIH/CC/DCRI\) [E]
- RE: [ActiveDir] AD ... Brian Desmond
- Re: [ActiveDir] AD Secur... Al Lilianstrom
- RE: [ActiveDir] AD ... Myrick, Todd \(NIH/CC/DCRI\) [E]
- RE: [ActiveDir]... joe
- RE: [Active... Myrick, Todd \(NIH/CC/DCRI\) [E]
- Re: [Active... Al Lilianstrom
- Re: [ActiveDir] AD Security permissi... J B
