I read the below and thought...
 
Yes, Mr. President, until something bad happens there is no reason to take that nuclear device away from the students. They don't meet any of our terrorist criteria so there is only minimal concern. If they cause damage, we will know better for next time...
 
Do not wait for technical solutions for policy problems. You will wait a long time. If I received a dollar for every time I was told someone couldn't do their job in some new way I proposed they do it, I would be retired. Not once have I run into a case where someone couldn't do their job after the change, and usually they had a better clue what they were doing too, because they tried to figure out what they couldn't do with whatever I was taking away so they could prove they needed it.
 
This isn't anything new anywhere by any shot. People don't like to lose power unless they actually understand with great power comes great responsibility. If I walk into your network to check things out for you, I want a normal ID with Exchange view, no more. People are usually surprised and are like, don't you want Enterprise Admin... My response is "What and be able to be blamed the moment something blows up, NFW." Anytime something gets screwed up in a forest because of a change, the first people to look to blame are anyone with EA or DA, the next ones are anyone who can elevate to those levels.
 
When I was at the Widget company, I once opened up ADUC (yeah, it was a weird day...) and lo and behold I see an object where an object shouldn't be, and the first words out of my mouth were to shout across the room... Vern, you aren't supposed to use your Domain Admin ID[1]. Vern said something like... I knew I shouldn't have done that. He was trying to help someone out. Perfect reason why he actually shouldn't have had a DA ID. :) EAs and DAs shouldn't be "helping people out", they should follow very strict processes and procedures that are thought up and agreed upon in advance. While there are times you may have to fly by the seat of your pants to figure things out, it should be a very odd case and should be done by the most senior tech who is responsible for coming up with the processes in the first place. Does this piss people off... yes, quite often. However, the role of the DA/EA is not to make individual people happy, it is to keep the overall AD and security safe and stable. Intelligent management understands that and should be happy to hear an EA/DA say no to some stupid request they make, because that is why they pay them.
 
  joe
 
 
 
[1] Vern was my manager; we had 3 engineers with EA/DA and Vern was the manager. He had an ID because he was always the backup to the team in case we were all hit by a bus or couldn't otherwise respond to a page. Unlike most CIOs, he was a techie and could fix things if required, and he also used his ID to do things that we all as a team said were stupid to do but someone from above absolutely ordered to be done. Basically, if something stupid was required to be done, he would rather do it himself as the manager than force an engineer to do it.
 
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 12:57 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

I guess my point of view is this.  I do what is equitable for the situation, and try to maintain the peace as best as possible.  I myself use dual credentials, encourage others to do it as well, but I also understand that “people do what works”, and CYA with a message to my direct reports about concerns I have.  So until a situation arises that warrants a change in practice that I can champion, I patiently wait, and hope for no major disaster.  Now I will say, when we came across this issue, we were able to make a stronger case to remove collaboration credentials from protected groups, still there was a lot of resistance from admins to change the way they went about their work.  This has changed with more people becoming security aware, and the organizations going through security audits, etc. 

 

I am not disagreeing that multiple credentials are not a best practice, but until MS sneaks a few more of these tweaks into their system, we will deal with bad administration practices for quite some time.  And getting people to do what is “Best” can put you into a lot of “Political, Emotional, and Geopolitical” battles unless you have solid backing.

 

Todd

 

 


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 12:13 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

 

Yeah, like rename Domain Admins to "Unimportant People" and create a new group called Domain Admins and put the CIO in it. There is no excuse for a CIO to be in Domain Admins unless the company is under 5 people.

 

The only people who should be in domain admins are the people you expect to fix everything when the world hits the floor. If someone isn't in that category, they don't get rights to modify everything because it just puts them in a position to cause work for someone else.

 

I would tell that to the CIO of any company. If the CIO wants, he can hold the envelope that has the password for the builtin Admin account, that password should be like 250 characters so he/she isn't interested in actually trying to use it.

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 11:01 AM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

Only Sith deal in absolutes… :P

 

When you have a CIO that likes to be in the Domain Admins group, you sometimes have to pick your battles.

 

Todd

 


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 10:18 AM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

 

There is no debate on admins having multiple creds, one for admin work and one for normal work. Just do it. :)

 

To put it nicely, if a company doesn't do this, they are just being silly[1].

 

I am trying to figure out if there is ever a valid reason I think that an admin should have a single ID in a company. I can't come up with one.

 

   joe

 

 

 

[1] Instead of silly think of mean words used to describe really silly people.

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 6:50 AM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

One more thing to add to this from my experience.

 

I think we had situations arise where someone was trying to programmatically modify or read attributes on accounts in the protected groups and was not able to due to their membership within a protected group.  This of course started the hot debate on admins having multiple credentials, one for administrative duties, the other for collaborative and identity purposes.

 

Todd

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 22, 2006 9:34 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

 

I have a 2-part discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx

 

It's a bit headache-inducing, but at least you will get the benefit of knowing that it is "by design"

 

HTH


Sincerely,
   _____                               
  (, /  |  /)               /)     /)  
    /---| (/_  ______   ___// _   //  _
 ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)     
                               (/      
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, June 22, 2006 5:08 PM
To: [email protected]
Subject: [ActiveDir] AD Security permission continues to be "auto-removed"

We have some users that have mobile devices that connect to Exchange.  The 3rd party application uses a dedicated account to send mail from the devices.  This account needs to have "Send As..." permissions on each of the user accounts' security settings.  We have set it in all users (about two dozen) but one user in particular has a problem.  We set the permission and give it "Send As..." rights (just like all the others - no different), but usually within an hour, the newly added permission is gone - not just the "Send As" setting, but the whole account name is gone from this user's security settings as if we never added it in the first place.  We have five DC's and I have tried adding it from each DC with the same results.  I am baffled by this.  Does anyone have any suggestions?
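The symptom in the original post (an explicit ACE on one user object that vanishes within about an hour, from whichever DC it was set) is what the later replies mean by "by design" and "membership within a protected group": the SDProp task on the PDC emulator periodically overwrites the DACL of any account in a protected group with the template on CN=AdminSDHolder,CN=System and blocks inheritance, so an ACE that is not in the template does not survive. The script below is an added diagnostic example, not code from the thread or from any of its authors. It assumes the RSAT ActiveDirectory module, read access to the domain, and a hypothetical user `jdoe`; it reports whether the account has been stamped (`adminCount`), which protected groups it is in transitively, and which of its explicit ACEs (including any Send-As entry) are absent from the AdminSDHolder template and therefore will be stripped again.

```powershell
# Added example, not part of the mailing-list thread. Assumes the RSAT
# ActiveDirectory module and read access to the domain naming context.
# $SamAccountName is a hypothetical user whose "Send As" entry keeps vanishing.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'
$SendAsGuid     = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right

$domain = Get-ADDomain
$user   = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor

# 1. adminCount=1 means SDProp has stamped this account at least once.
"{0}: adminCount = {1}" -f $user.SamAccountName, $user.adminCount

# 2. Which protected groups is the user in, directly or nested? The matching-rule
#    OID 1.2.840.113556.1.4.1941 makes the DC walk the member chain for us.
$filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName)))"
$protectedGroups = @(Get-ADGroup -LDAPFilter $filter)
if ($protectedGroups.Count -eq 0) {
    "Protected groups (transitive): <none>"
} else {
    "Protected groups (transitive): {0}" -f ($protectedGroups.Name -join ', ')
}

# 3. Compare the user's DACL with the AdminSDHolder template. SDProp copies this
#    template over the account's DACL and disables inheritance, so any explicit
#    ACE that is not in the template will be removed on the next pass.
$holderDn  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$holderAcl = (Get-ADObject -Identity $holderDn -Properties nTSecurityDescriptor).nTSecurityDescriptor
$userAcl   = $user.nTSecurityDescriptor

"Inheritance blocked on user object: {0}" -f $userAcl.AreAccessRulesProtected

# Key each ACE by trustee, rights and object type so the two lists can be compared.
$holderKeys = $holderAcl.Access | ForEach-Object {
    "$($_.IdentityReference)|$($_.ActiveDirectoryRights)|$($_.ObjectType)|$($_.AccessControlType)"
}

$userAcl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    $key = "$($_.IdentityReference)|$($_.ActiveDirectoryRights)|$($_.ObjectType)|$($_.AccessControlType)"
    [pscustomobject]@{
        Identity   = $_.IdentityReference
        Rights     = $_.ActiveDirectoryRights
        IsSendAs   = ($_.ObjectType -eq $SendAsGuid)
        InTemplate = ($holderKeys -contains $key)   # $false => SDProp will strip it
    }
} | Format-Table -AutoSize
```

Run it against the one problem user and against one of the two dozen users where the Send-As entry sticks; the difference should be a non-empty protected-group list and `adminCount = 1` on the problem account. Two caveats worth knowing before acting on the thread's advice to take collaboration accounts out of protected groups: removing the membership stops future stamping but does not reset `adminCount` or re-enable inheritance on the object, so those have to be cleaned up by hand, and the stamping is done only on the PDC emulator, which is why adding the ACE on each of the five DCs made no difference.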
