No they tend to tell us to do things that will break our DC operations, so then we inform them that we can't do this, and they say okay. Then the following month they ask us to do it again. Repeat & rinse.
Todd -----Original Message----- From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, June 23, 2006 2:01 PM To: [email protected] Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed" Why? Do they make you change how you want to do admin work. ;o) LOL couldn't resist. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Friday, June 23, 2006 12:59 PM To: [email protected] Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed" Not a big fan of "Security" people. :) Todd -----Original Message----- From: Al Lilianstrom [mailto:[EMAIL PROTECTED] Sent: Friday, June 23, 2006 12:35 PM To: [email protected] Subject: Re: [ActiveDir] AD Security permission continues to be "auto-removed" Myrick, Todd (NIH/CC/DCRI) [E] wrote: > Only Sith deal in absolutes... :P > > > > When you have a CIO that likes to be in the Domain Admins group, you > sometimes have to pick your battles. > Talk to your security people. When we first put up AD the computer security folks set a maximum limit to the number of people that could be DAs. Maybe it could be a number that would keep the CIO out? > > Todd > > > > ------------------------------------------------------------------------ > > *From:* joe [mailto:[EMAIL PROTECTED] > *Sent:* Friday, June 23, 2006 10:18 AM > *To:* [email protected] > *Subject:* RE: [ActiveDir] AD Security permission continues to be > "auto-removed" > > > > There is no debate on admins having multiple creds, one for admin work > and one for normal work. Just do it. :) > We took that one step farther. - Regular user account for 'normal' work - An admin account for server administration - An da account for domain admin work It's a bit of a pain to keep the password straight (for some) but accountability is there and one uses the account you need for the job. It's been more of a pain taking local admin access away from people on their desktops. al > > To put it nicely, if a company doesn't do this, they are just being > silly[1]. > > > > I am trying to figure out if there is ever a valid reason I think that > an admin should have a single ID in a company. I can't come up with one. > > > > joe > > > > > > > > [1] Instead of silly think of mean words used to describe really silly > people. > > > > -- > > O'Reilly Active Directory Third Edition - > http://www.joeware.net/win/ad3e.htm > > > > > > > > ------------------------------------------------------------------------ > > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *Myrick, Todd > (NIH/CC/DCRI) [E] > *Sent:* Friday, June 23, 2006 6:50 AM > *To:* [email protected] > *Subject:* RE: [ActiveDir] AD Security permission continues to be > "auto-removed" > > One more thing to add to this from my experience. > > > > I think we had situations arise where someone was trying to > pragmatically modify or read attributes on accounts in the protected > groups and was not able to due to their membership within a protected > group. This of course started the hot debate on admins having multiple > credentials, one for administrative duties, the other for collaborative > and identity purposes. > > > > Todd > > > > ------------------------------------------------------------------------ > > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > *Sent:* Thursday, June 22, 2006 9:34 PM > *To:* [email protected] > *Subject:* RE: [ActiveDir] AD Security permission continues to be > "auto-removed" > > > > I have a 2-part discussion of this behavior starting here: > http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx > > > > It's a bit headache-inducing, but at least you will get the benefit of > knowing that it is "by design" > > > > HTH > > > Sincerely, > _____ > (, / | /) /) /) > /---| (/_ ______ ___// _ // _ > ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ > (_/ /) > (/ > Microsoft MVP - Directory Services > www.readymaids.com <http://www.readymaids.com/> - we know IT > www.akomolafe.com <http://www.akomolafe.com/> > Do you now realize that Today is the Tomorrow you were worried about > Yesterday? -anon > > > > > > ------------------------------------------------------------------------ > > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *J B > *Sent:* Thursday, June 22, 2006 5:08 PM > *To:* [email protected] > *Subject:* [ActiveDir] AD Security permission continues to be "auto-removed" > > We have some users that have mobile devices that connect to Exchange. > The 3rd party application uses a dedicated account to send mail from the > devices. This account needs to have "Send As..." permissions on each of > the user accounts' security settings. We have set it in all users > (about two dozen) but one user in particular has a problem. We set the > permission and give it "Send As..." rights (just like all the others - > no different), but usually within an hour, the newly added permission is > gone - not just the "Send As" setting, but the whole account name is > gone from this user's security settings as if we never added it in the > first place. We have five DC's and I have tried adding it from each DC > with the same results. I am baffled by this. Does anyone have any > suggestions? > -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
