Myrick, Todd (NIH/CC/DCRI) [E] wrote:
No they tend to tell us to do things that will break our DC operations,
so then we inform them that we can't do this, and they say okay.  Then
the following month they ask us to do it again.  Repeat & rinse.


Our security people used to be that way. Unix was the only way to do things and they wanted to redo AD so that it acted like Unix with MIT Kerberos. Spent a couple of months proving them wrong.

The new security people understand AD, have apps that use it for authentication from Unix and are willing to help us out so that it's always available. We help them put together the policies that affect Windows systems here so we can nudge things our way.

        al

Todd

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 2:01 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

Why? Do they make you change how you want to do admin work. ;o)

LOL couldn't resist.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 12:59 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

Not a big fan of "Security" people.  :)

Todd

-----Original Message-----
From: Al Lilianstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 12:35 PM
To: [email protected]
Subject: Re: [ActiveDir] AD Security permission continues to be "auto-removed"

Myrick, Todd (NIH/CC/DCRI) [E] wrote:
Only Sith deal in absolutes... :P

When you have a CIO that likes to be in the Domain Admins group, you sometimes have to pick your battles.


Talk to your security people. When we first put up AD the computer security folks set a maximum limit to the number of people that could be DAs. Maybe it could be a number that would keep the CIO out?

Todd


------------------------------------------------------------------------
*From:* joe [mailto:[EMAIL PROTECTED]
*Sent:* Friday, June 23, 2006 10:18 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] AD Security permission continues to be "auto-removed"

There is no debate on admins having multiple creds, one for admin work and one for normal work. Just do it. :)


We took that one step farther.

- Regular user account for 'normal' work
- An admin account for server administration
- A DA account for domain admin work

It's a bit of a pain to keep the password straight (for some) but accountability is there and one uses the account you need for the job.

It's been more of a pain taking local admin access away from people on their desktops.
        al

To put it nicely, if a company doesn't do this, they are just being silly[1].

I am trying to figure out if there is ever a valid reason I think that an admin should have a single ID in a company. I can't come up with one.
   joe

[1] Instead of silly think of mean words used to describe really silly people.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Myrick, Todd (NIH/CC/DCRI) [E]
*Sent:* Friday, June 23, 2006 6:50 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] AD Security permission continues to be "auto-removed"

One more thing to add to this from my experience.

I think we had situations arise where someone was trying to pragmatically modify or read attributes on accounts in the protected groups and was not able to due to their membership within a protected group. This of course started the hot debate on admins having multiple credentials, one for administrative duties, the other for collaborative and identity purposes.

Todd


------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*Sent:* Thursday, June 22, 2006 9:34 PM
*To:* [email protected]
*Subject:* RE: [ActiveDir] AD Security permission continues to be "auto-removed"

I have a 2-part discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx

It's a bit headache-inducing, but at least you will get the benefit of knowing that it is "by design"

HTH


Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com/> - we know IT
www.akomolafe.com <http://www.akomolafe.com/>
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *J B
*Sent:* Thursday, June 22, 2006 5:08 PM
*To:* [email protected]
*Subject:* [ActiveDir] AD Security permission continues to be "auto-removed"

We have some users that have mobile devices that connect to Exchange. The 3rd party application uses a dedicated account to send mail from the devices.  This account needs to have "Send As..." permissions on each of the user accounts' security settings. We have set it in all users (about two dozen) but one user in particular has a problem. We set the permission and give it "Send As..." rights (just like all the others - no different), but usually within an hour, the newly added permission is gone - not just the "Send As" setting, but the whole account name is gone from this user's security settings as if we never added it in the first place.  We have five DC's and I have tried adding it from each DC with the same results. I am baffled by this. Does anyone have any suggestions?



--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
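
Added example, not part of the thread or written by any of its participants: a PowerShell check for the situation in the original question, where an ACE on one user vanishes "within an hour" and the replies point to membership in a protected group. Background not named in the thread: Active Directory periodically resets the ACL of protected-group members from the AdminSDHolder template and marks them with `adminCount=1`. The account names below are placeholders, and the ActiveDirectory (RSAT) module is assumed.

```powershell
# Added diagnostic example; requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$UserSam    = 'affected.user'    # placeholder: the one user whose ACE disappears
$ServiceSam = 'svc-mobilemail'   # placeholder: the third-party app's dedicated account
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right

$user = Get-ADUser -Identity $UserSam -Properties adminCount

# 1. adminCount = 1 means the account has been stamped as a protected object.
"adminCount on {0}: {1}" -f $user.SamAccountName, $user.adminCount

# 2. Protected groups the user belongs to, directly or through nesting.
#    Uses the LDAP_MATCHING_RULE_IN_CHAIN OID; assumes the DN contains no
#    characters that need LDAP filter escaping. Primary-group membership is
#    not covered by the member attribute and has to be checked separately.
$filter = "(&(objectCategory=group)(adminCount=1)" +
          "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName)))"
Get-ADGroup -LDAPFilter $filter | Select-Object Name, DistinguishedName

# 3. Current ACL state: is inheritance blocked, and is the Send-As ACE present?
$acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
"Inheritance blocked: {0}" -f $acl.AreAccessRulesProtected

$svcSid = (Get-ADUser -Identity $ServiceSam).SID.Value
$acl.Access | Where-Object {
    $_.ObjectType -eq $SendAsGuid -and
    $_.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value -eq $svcSid
} | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

If step 2 lists a group, the result fits the advice given in the thread: keep the privileged membership on a separate admin account so the everyday mailbox account is no longer protected. Removing the membership does not clear `adminCount` or re-enable inheritance on the user object; both have to be reset by hand.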
