Why? Do they make you change how you want to do admin work? ;o) LOL couldn't resist.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 12:59 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

Not a big fan of "Security" people. :)

Todd

-----Original Message-----
From: Al Lilianstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 12:35 PM
To: [email protected]
Subject: Re: [ActiveDir] AD Security permission continues to be "auto-removed"

Myrick, Todd (NIH/CC/DCRI) [E] wrote:
> Only Sith deal in absolutes... :P
>
> When you have a CIO that likes to be in the Domain Admins group, you
> sometimes have to pick your battles.
>

Talk to your security people. When we first put up AD the computer security folks set a maximum limit to the number of people that could be DAs. Maybe it could be a number that would keep the CIO out?

> Todd
>
> ------------------------------------------------------------------------
>
> *From:* joe [mailto:[EMAIL PROTECTED]
> *Sent:* Friday, June 23, 2006 10:18 AM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] AD Security permission continues to be
> "auto-removed"
>
> There is no debate on admins having multiple creds, one for admin work
> and one for normal work. Just do it. :)
>

We took that one step farther.

- Regular user account for 'normal' work
- An admin account for server administration
- A da account for domain admin work

It's a bit of a pain to keep the password straight (for some) but accountability is there and one uses the account you need for the job. It's been more of a pain taking local admin access away from people on their desktops.

al

> To put it nicely, if a company doesn't do this, they are just being
> silly[1].
>
> I am trying to figure out if there is ever a valid reason I think that
> an admin should have a single ID in a company. I can't come up with one.
>
> joe
>
> [1] Instead of silly think of mean words used to describe really silly
> people.
>
> --
>
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> ------------------------------------------------------------------------
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Myrick, Todd
> (NIH/CC/DCRI) [E]
> *Sent:* Friday, June 23, 2006 6:50 AM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] AD Security permission continues to be
> "auto-removed"
>
> One more thing to add to this from my experience.
>
> I think we had situations arise where someone was trying to
> pragmatically modify or read attributes on accounts in the protected
> groups and was not able to due to their membership within a protected
> group. This of course started the hot debate on admins having multiple
> credentials, one for administrative duties, the other for collaborative
> and identity purposes.
>
> Todd
>
> ------------------------------------------------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, June 22, 2006 9:34 PM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] AD Security permission continues to be
> "auto-removed"
>
> I have a 2-part discussion of this behavior starting here:
> http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx
>
> It's a bit headache-inducing, but at least you will get the benefit of
> knowing that it is "by design"
>
> HTH
>
> Sincerely,
> Microsoft MVP - Directory Services
> www.readymaids.com <http://www.readymaids.com/> - we know IT
> www.akomolafe.com <http://www.akomolafe.com/>
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
>
> ------------------------------------------------------------------------
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *J B
> *Sent:* Thursday, June 22, 2006 5:08 PM
> *To:* [email protected]
> *Subject:* [ActiveDir] AD Security permission continues to be "auto-removed"
>
> We have some users that have mobile devices that connect to Exchange.
> The 3rd party application uses a dedicated account to send mail from the
> devices. This account needs to have "Send As..." permissions on each of
> the user accounts' security settings. We have set it in all users
> (about two dozen) but one user in particular has a problem. We set the
> permission and give it "Send As..." rights (just like all the others -
> no different), but usually within an hour, the newly added permission is
> gone - not just the "Send As" setting, but the whole account name is
> gone from this user's security settings as if we never added it in the
> first place. We have five DC's and I have tried adding it from each DC
> with the same results. I am baffled by this. Does anyone have any
> suggestions?
>

--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
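
A diagnostic for the symptom in the original question, added here as an example and not written by anyone in the thread. It assumes the "by design" behavior referred to above is the AdminSDHolder/SDProp protection of accounts in protected groups, that the RSAT ActiveDirectory module is available, and that `$TargetUser` and `$ServiceAccount` are placeholders to be replaced with your own values.

```powershell
# Added example: checks whether an account that keeps losing an ACE is a protected account.
Import-Module ActiveDirectory

$TargetUser     = 'affected.user'        # placeholder: the account that keeps losing the ACE
$ServiceAccount = 'EXAMPLE\svc-mobile'   # placeholder: the account that was granted Send As
$SendAsGuid     = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'  # Send-As extended right

function Test-SendAsAce {
    param($SecurityDescriptor, [string]$Trustee)
    # True when the DACL holds an allow ACE giving $Trustee the Send-As extended right.
    [bool]($SecurityDescriptor.Access | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $SendAsGuid
    })
}

$user = Get-ADUser -Identity $TargetUser -Properties adminCount, nTSecurityDescriptor

# Groups the user belongs to directly or through nesting (LDAP_MATCHING_RULE_IN_CHAIN),
# narrowed to groups that are themselves flagged as protected (adminCount=1).
# Membership held only as the primary group is not covered by this filter.
$filter = "(&(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))(adminCount=1))"
$protectedGroups = Get-ADGroup -LDAPFilter $filter

# The template object whose ACL is stamped onto protected accounts.
$holderDn = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
$holder   = Get-ADObject -Identity $holderDn -Properties nTSecurityDescriptor

[pscustomobject]@{
    User                  = $user.SamAccountName
    AdminCount            = $user.adminCount
    InheritanceBlocked    = $user.nTSecurityDescriptor.AreAccessRulesProtected
    ProtectedGroups       = ($protectedGroups.Name -join ', ')
    SendAsOnUser          = Test-SendAsAce $user.nTSecurityDescriptor $ServiceAccount
    SendAsOnAdminSDHolder = Test-SendAsAce $holder.nTSecurityDescriptor $ServiceAccount
}
```

An account that reports `AdminCount` 1, blocked inheritance and at least one protected group has its ACL rewritten from the AdminSDHolder template, so an ACE set only on the user object does not persist. Giving the person a separate unprivileged account for mail, as the thread recommends, keeps the mailbox identity out of the protected groups.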
