Okay, now that is a script I would like to see :)
 
Todd

________________________________

From: joe [mailto:[EMAIL PROTECTED]
Sent: Fri 6/23/2006 5:46 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"


Hi Deji.
 
The misunderstanding here seems to be that I walked in and was suddenly 
empowered to make those changes at the widget factory. That so rarely happens 
it isn't worth mentioning. In actual fact, I looked at the existing mess and 
started working out what needed to be done to correct it and then started 
working towards that goal convincing whomever I could that it was the way that 
we needed to go if we actually wanted a secure/stable environment. You were 
there, you recall how I took DA away, right? I first argued that it was 
dangerous for that many people to have it and then started pointing out various 
issues that could be caused by people having those rights and possible issues 
that could come up that we have been lucky not to see until I got enough 
management to go, yeah that makes sense even if I had to make someone look 
silly in the process. Then I dropped most of the DAs and the loudest folks got 
dropped to Account/Server Ops with all of them claiming they would never be 
able to do their job. Stability increased overnight. The next step was to 
remove the account/server op rights by showing it really wasn't needed and 
again could cause issues that didn't need to exist and then eventually, bam 
those were gone too. From what I have seen, most people on the inside aren't 
even trying to lock the environment down, they start with a "I will never get 
that done" attitude and so they never start. They are standing around hoping 
someone above will get a clue all of a sudden and just tell them to clean up, 
that isn't going to happen. The upper folks aren't thinking about your daily 
ops. They don't know what is dangerous unless they are told by the experts. I 
think some folks also don't want to bring it up as they aren't sure they would 
be the ones keeping the rights themselves. Me, I don't look at DA rights and 
think cool, I think pain in the ass.
 
As for consulting, as you know, that is a completely different ball of wax. 
Just the same, I don't let that stop me from telling customers that they are 
doing things in very insecure ways and for the most part, they listen and start 
correcting it. You don't say, oh wow, that is bad you shouldn't do it because x 
and y best practice says you shouldn't. I rarely utter the word best practice 
because they are all generally debatable depending on the environment. Instead 
I will say, hi Mr. manager, did you know that you have junior admins who can 
read your mail whenever they like or check out their performance reviews you 
are working on when they like or knock the environment down to its knees if 
they make simple mistakes?[1]
 
There are those times where folks don't want to listen at all and I just 
document what I told them and continue on doing what I am there to do. The next 
time I get called in to deal with something if it was something I forecast 
would happen I kindly point that out. Once that happens once or twice even the 
folks who brushed me off previously start realizing that hey, maybe there is 
something to this. Certainly they don't like hearing nor having their 
management hearing that what happened could have been avoided had they listened 
to the person they paid to come in and make recommendations.
 
If an environment is running perfectly stable and efficiently, there is no 
reason to change. I can count on 0 hands the number of business environments I 
have personally seen that I would say fit that criteria. That is why people are 
asking folks to come in and help them change. Do them a favor and tell them 
what they need to hear, not just what you think they want to hear and want to 
tell them for fear of them getting mad. 
 
If you are brought in to design something for someone, it is your job to try 
and design the best thing you feel you can for them. If they argue the design, 
try to understand what they are saying because you could be missing a huge 
point. But if it is simply this is because it is the way we have always done it 
and they feel that they know everything that is good and right, why did they 
bring you in at all? You bring in outsiders to help you do something different 
and see the environment in a different way than everyone else inside sees it.
 
  joe
 
 
 
[1]  One company I wrote a script that chased through and found everyone who 
had admin rights on any DCs in any domain in the forest and printed that out 
and said, here are the people who can blow up your entire AD with a simple 
mistake. Then the output from another script dumped everyone who could escalate 
themselves to administrators on DCs without physical access to the DCs and 
printed that out and said here are the people who with minimal hacking attempts 
can escalate themselves to administrators and blow up your entire AD. The first 
listing was almost 1000 users, the second listing was over 1000. They started 
cleaning up. It wasn't an immediate kick everyone out, but that got the point 
across such that they felt, hey maybe this isn't going to take care of itself. 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
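The two listings joe describes in footnote [1] (everyone who is an administrator on a DC in any domain of the forest, and everyone who can get there with a little extra effort) can be reproduced today with the RSAT ActiveDirectory module. The script below is an added example, not the script from the footnote, and it assumes a session that can read every domain in the forest and PowerShell 3.0 or later. Its second tier is deliberately narrow and is an assumption about what "minimal hacking attempts" means: the builtin operator groups, plus any trustee whose ACE on a tier-1 group object lets it change that group's membership or ACL. It does not chase GPO, DCSync or computer-object paths.

```powershell
# Added example; not joe's script. Lists (1) accounts that are administrators on
# domain controllers in any domain of the forest and (2) principals that can
# promote themselves into (1) with a step or two. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'member' attribute
$forest     = Get-ADForest
$rootSid    = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value

function Get-FlatMembers {
    # Flattens nested membership of one group. Groups are addressed by SID, so a
    # renamed "Domain Admins" is still found.
    param([string]$GroupSid, [string]$Domain)
    try { $g = Get-ADGroup -Identity $GroupSid -Server $Domain -ErrorAction Stop } catch { return }
    try { $members = Get-ADGroupMember -Identity $g -Server $Domain -Recursive -ErrorAction Stop }
    catch { Write-Warning "Could not expand $($g.Name) in ${Domain}: $_"; return }
    $members | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
        [pscustomobject]@{ Domain = $Domain; Via = $g.Name; Account = $_.SamAccountName; SID = $_.SID.Value; Rights = '' }
    }
}

function Get-GroupWriters {
    # Trustees whose Allow ACEs on the group object let them add members
    # (WriteProperty on 'member' or on all properties) or rewrite the ACL.
    param([string]$GroupSid, [string]$Domain, [string[]]$Ignore)
    try { $g = Get-ADGroup -Identity $GroupSid -Server $Domain -Properties nTSecurityDescriptor -ErrorAction Stop } catch { return }
    foreach ($ace in $g.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights   = $ace.ActiveDirectoryRights.ToString()
        $canWrite = ($rights -match 'GenericAll|WriteDacl|WriteOwner') -or
                    ($rights -match 'WriteProperty' -and ($ace.ObjectType -eq $memberGuid -or $ace.ObjectType -eq [guid]::Empty))
        if (-not $canWrite) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        if ($Ignore -contains $sid) { continue }   # SYSTEM and the tier-1 groups themselves
        [pscustomobject]@{ Domain = $Domain; Via = "ACL on $($g.Name)"; Account = $ace.IdentityReference.Value; SID = $sid; Rights = $rights }
    }
}

$tier1 = @(); $tier2 = @()
foreach ($dom in $forest.Domains) {
    $domSid    = (Get-ADDomain -Identity $dom).DomainSID.Value
    $adminSids = @('S-1-5-32-544', "$domSid-512")                       # BUILTIN\Administrators, Domain Admins
    if ($dom -eq $forest.RootDomain) { $adminSids += "$rootSid-519" }   # Enterprise Admins exists only in the root
    $opSids    = 548, 549, 550, 551 | ForEach-Object { "S-1-5-32-$_" }  # Account, Server, Print, Backup Operators

    $tier1 += $adminSids | ForEach-Object { Get-FlatMembers -GroupSid $_ -Domain $dom }
    $tier2 += $opSids    | ForEach-Object { Get-FlatMembers -GroupSid $_ -Domain $dom }
    $ignore = $adminSids + "$rootSid-519" + 'S-1-5-18'
    $tier2 += $adminSids | ForEach-Object { Get-GroupWriters -GroupSid $_ -Domain $dom -Ignore $ignore }
}

# Tier 2 is "can escalate"; anyone already in tier 1 has no need to.
$tier1Sids = @($tier1 | ForEach-Object { $_.SID })
$tier2     = @($tier2 | Where-Object { $tier1Sids -notcontains $_.SID })

"Tier 1 - administrators on DCs: {0} distinct accounts" -f @($tier1Sids | Sort-Object -Unique).Count
$tier1 | Sort-Object Domain, Account | Format-Table Domain, Via, Account -AutoSize
"Tier 2 - can escalate to tier 1: {0} distinct principals" -f @($tier2 | ForEach-Object { $_.SID } | Sort-Object -Unique).Count
$tier2 | Sort-Object Domain, Account | Format-Table Domain, Via, Account, Rights -AutoSize
```

Trustees reported in tier 2 from the ACL check are shown as they appear in the ACE, so a group listed there still needs flattening (Get-FlatMembers with its SID and domain) before you hand the count to a manager. Expect Exchange and other product service groups to show up there; that is the point of the listing, not noise.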
 
 


________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, June 23, 2006 3:18 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"


joe, joe, joe......
 
One of these days, you'll learn that you go to war with the army you have <fill 
in the rest>.....
 
You see, some of us take security as seriously as you do. Most of us, 
unfortunately, have come to the realization that there are more powerful and 
better-armed design and operational considerations that go into how a specific 
environment is operated. These considerations are, more often than not, more 
compelling and powerful than "best practices". It is an illusion to think that 
you can walk into any environment and show them the evils of EA/DA privileges, 
then mandate that the client yank those privileges from people, and have the 
client say "Yes, Sir! Doing so right now!". Much as you'd like to see IT 
infrastructure operated in secured fashion in conformance to "Best Practices" 
or any of the other prescriptive guidance out there, you will be disappointed 
that, more often than not, your wish will not come true. There are so many 
competing influences and interests, and your opinion will just be one of them.
 
As Todd was saying, the admin does not get to make decisions. Sad, but true. 
Admins make recommendations that are, in their views, in the best interest of 
the infrastructure. Operational, political, budgetary, technological, 
philosophical, environmental, governmental, legal and many other factors 
combine and conspire to defeat or whittle down such proposals, and there is 
nothing the admin can do about it. Of course, the admin could quit. But, then 
how many times would the admin quit before (s)he realizes that it's a battle 
field out there and quitting is an exercise in futility?
 
Your present employer is in the business of designing and implementing 
solutions to meet clients' requirements. If you get put on a project and you 
went ahead and write up all these fancy 
industry-standard-ITIL-MOF-MSF-Best-Practices-compliant design plans, present 
it to the client and the client comes back to you and say "all well and good, 
but this is NOT how we operate. HERE is how we operate, now please design 
something around our operational posture", what would you do? Tell the client 
to blow you? Tell the client "No, you don't understand. This is THE 
best/optimal way to do what you are about to do. Follow my script, or else 
you'll be sorry later"? What if you presented all the ramifications and 
implications of any other design options and make them look REALLY bad, yet the 
client refuses to see it your way? Because your way doesn't fit into their way? 
Would you up and quit?
 
I am not saying your idea is not admirable or good. I'm just saying that the 
way you were able to drive and influence decisions at Widget is not 
realistically the way most admins are able to do things. Most are more 
constrained than you were at Widget. And, if I were a betting man, I'd wager 
that you are now more constrained in your new world than you were in the 
previous world.
 

Sincerely, 
   _____                                
  (, /  |  /)               /)     /)   
    /---| (/_  ______   ___// _   //  _ 
 ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)      
                               (/       
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon

________________________________

From: joe
Sent: Fri 6/23/2006 11:15 AM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"


I read the below and thought... 
 
Yes Mr. President, until something bad happens there is no reason to take that 
nuclear device away from the students. They don't meet any of our terrorist 
criteria so there is only minimal concern. If they cause damage, we will know 
better for next time...
 
Do not wait for technical solutions for policy problems. You will wait a long 
time. If I received a dollar for every time I was told someone couldn't do 
their job in some new way I proposed they do it I would be retired. Not once 
have I run into a case where someone couldn't do their job after the change and 
usually, they had better clue what they were doing too because they tried to 
figure out what they couldn't do with whatever I was taking away so they could 
prove they needed it.
 
This isn't anything new anywhere by any shot. People don't like to lose power 
unless they actually understand with great power comes great responsibility. If 
I walk into your network to check things out for you, I want a normal ID with 
Exchange view, no more. People are usually surprised and are like, don't you 
want Enterprise Admin... My response is "What and be able to be blamed the 
moment something blows up, NFW." Anytime something gets screwed up in a forest 
because of a change, the first people to look to blame are anyone with EA or 
DA, the next ones are anyone who can elevate to those levels.
 
When I was at the Widget company, I once opened up ADUC (yeah it was a weird 
day...) and lo and behold I see an object where an object shouldn't be and the 
first words out of my mouth were to shout across the room... Vern, you aren't 
supposed to use your Domain Admin ID[1]. Vern said something like... I knew I 
shouldn't have done that. He was trying to help someone out. Perfect reason why 
he actually shouldn't have had a DA ID. :) EAs and DAs shouldn't be "helping 
people out", they should follow very strict processes and procedures that are 
thought up and agreed upon in advance. While there are times you may have to 
fly by the seat of your pants to figure things out, it should be a very odd 
case and should be done by the most senior tech who is responsible for coming 
up with the processes in the first place. Does this piss people off... yes, 
quite often. However, the role of the DA/EA is not to make individual people 
happy, it is to keep the overall AD and security safe and stable. Intelligent 
management understands that and should be happy to hear an EA/DA say no to some 
stupid request they make because that is why they pay them.
 
  joe
 
 
 
[1] Vern was my manager, we had 3 engineers with EA/DA and Vern was the 
manager. He had an ID because he was always the backup to the team in case we 
were all hit by a bus or couldn't otherwise respond to a page. Unlike most 
CIOs, he was a techie and could fix things if required and also he used his ID 
to do things that we all as a team said was stupid to do but someone from above 
absolutely ordered it to be done. Basically if something stupid was required to 
be done, he would rather do it himself as the manager than force an engineer to do it.
 
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd 
(NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 12:57 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"



I guess my point of view is this.  I do what is equitable for the situation, 
and try to maintain the peace as best as possible.  I myself use dual 
credentials, encourage others to do it as well, but I also understand that 
"people do what works", and CYA with a message to my direct reports about 
concerns I have.  So until a situation arises that warrants a change in 
practice that I can champion, I patiently wait, and hope for no major disaster. 
 Now I will say, when we came across this issue, we were able to make a 
stronger case to remove collaboration credentials from protected groups, still 
there was a lot of resistance from admins to change the way they went about 
their work.  This has changed with more people becoming security aware, and the 
organizations going through security audits, etc.  

 

I am not disagreeing that multiple credentials are not a best practice, but 
until MS sneaks a few more of these tweaks into their system, we will deal with bad 
administration practices for quite some time.  And getting people to do what is 
"Best" can put you into a lot of "Political, Emotional, and Geopolitical" battles 
unless you have solid backing.

 

Todd

 

 

________________________________

From: joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 23, 2006 12:13 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

 

Yeah, like rename Domain Admins to "Unimportant People" and create a new group 
called Domain Admins and put the CIO in it. There is no excuse for a CIO to be 
in Domain Admins unless the company is under 5 people.

 

The only people who should be in domain admins are the people you expect to fix 
everything when the world hits the floor. If someone isn't in that category, 
they don't get rights to modify everything because it just puts them in a 
position to cause work for someone else. 

 

I would tell that to the CIO of any company. If the CIO wants, he can hold the 
envelope that has the password for the builtin Admin account, that password 
should be like 250 characters so he/she isn't interested in actually trying to 
use it.

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 

 

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd 
(NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 11:01 AM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

Only Sith deal in absolutes... :P

 

When you have a CIO that likes to be in the Domain Admins group, you sometimes 
have to pick your battles.

 

Todd

 

________________________________

From: joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 23, 2006 10:18 AM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

 

There is no debate on admins having multiple creds, one for admin work and one 
for normal work. Just do it. :)

 

To put it nicely, if a company doesn't do this, they are just being silly[1]. 

 

I am trying to figure out if there is ever a valid reason I think that an admin 
should have a single ID in a company. I can't come up with one.

 

   joe

 

 

 

[1] Instead of silly think of mean words used to describe really silly people.

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 

 

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd 
(NIH/CC/DCRI) [E]
Sent: Friday, June 23, 2006 6:50 AM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

One more thing to add to this from my experience. 

 

I think we had situations arise where someone was trying to programmatically 
modify or read attributes on accounts in the protected groups and was not able 
to due to their membership within a protected group.  This of course started 
the hot debate on admins having multiple credentials, one for administrative 
duties, the other for collaborative and identity purposes.

 

Todd

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 22, 2006 9:34 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"

 

I have a 2-part discussion of this behavior starting here: 
http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx

 

It's a bit headache-inducing, but at least you will get the benefit of knowing 
that it is "by design"

 

HTH


Sincerely, 
   _____                                
  (, /  |  /)               /)     /)   
    /---| (/_  ______   ___// _   //  _ 
 ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)      
                               (/       
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon

 

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, June 22, 2006 5:08 PM
To: [email protected]
Subject: [ActiveDir] AD Security permission continues to be "auto-removed"

We have some users that have mobile devices that connect to Exchange.  The 3rd 
party application uses a dedicated account to send mail from the devices.  This 
account needs to have "Send As..." permissions on each of the user accounts' 
security settings.  We have set it in all users (about two dozen) but one user 
in particular has a problem.  We set the permission and give it "Send As..." 
rights (just like all the others - no different), but usually within an hour, 
the newly added permission is gone - not just the "Send As" setting, but the 
whole account name is gone from this user's security settings as if we never 
added it in the first place.  We have five DCs and I have tried adding it from 
each DC with the same results.  I am baffled by this.  Does anyone have any 
suggestions?
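The "by design" behaviour Deji points to, and the cause of both the vanishing Send As ACE in the original question and the failed programmatic writes Todd mentions, is SDProp applying the AdminSDHolder template: on the PDC emulator, every 60 minutes by default, the security descriptor of every account that is a member (directly or through nesting) of a protected group is rewritten from CN=AdminSDHolder,CN=System, with inheritance disabled and adminCount set to 1. An ACE that exists only on the user object is therefore gone "usually within an hour". The script below is an added example, not code from the thread, and uses the RSAT ActiveDirectory module (which did not exist in 2006); $UserSam is a placeholder for the affected account. It confirms the diagnosis for one user and lists the ACEs SDProp will strip; it changes nothing.

```powershell
# Added example, not code from the thread. Explains why an ACE on one user keeps
# disappearing: the user is protected by SDProp/AdminSDHolder. Read-only.
param([Parameter(Mandatory)][string]$UserSam)   # placeholder: the account whose ACL keeps resetting
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domSid   = $domain.DomainSID.Value
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$sendAs   = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # extended right: Send As

# Protected groups by well-known SID. 518/519 (Schema/Enterprise Admins) only resolve in
# the forest root; 516/521 hold DC computer accounts and are included for completeness.
$protectedSids = @('S-1-5-32-544','S-1-5-32-548','S-1-5-32-549','S-1-5-32-550','S-1-5-32-551','S-1-5-32-552') +
                 (512, 516, 518, 519, 521 | ForEach-Object { "$domSid-$_" })

$user = Get-ADUser -Identity $UserSam -Properties adminCount, nTSecurityDescriptor

# Nested membership in any protected group is enough to be stamped.
$memberOfProtected = foreach ($sid in $protectedSids) {
    try { $g = Get-ADGroup -Identity $sid -ErrorAction Stop } catch { continue }
    try { $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop } catch { continue }
    if (@($members | ForEach-Object { $_.SID.Value }) -contains $user.SID.Value) { $g.Name }
}

$userAcl        = $user.nTSecurityDescriptor
$holderAcl      = (Get-ADObject -Identity $holderDn -Properties nTSecurityDescriptor).nTSecurityDescriptor
$holderTrustees = $holderAcl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

# Explicit ACEs on the user whose trustee has no entry on AdminSDHolder: these are
# exactly what the next SDProp pass removes.
$doomed = $userAcl.Access | Where-Object {
    -not $_.IsInherited -and $holderTrustees -notcontains $_.IdentityReference.Value
}
$sendAsTrustees = $userAcl.Access |
    Where-Object { $_.ObjectType -eq $sendAs -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $_.IdentityReference.Value }

[pscustomobject]@{
    User                = $user.SamAccountName
    AdminCount          = $user.adminCount
    ProtectedGroups     = (@($memberOfProtected) -join ', ')
    InheritanceBlocked  = $userAcl.AreAccessRulesProtected
    SendAsTrusteesNow   = (@($sendAsTrustees) -join ', ')
    AcesSdpropWillStrip = (@($doomed | ForEach-Object { "$($_.IdentityReference): $($_.ActiveDirectoryRights)" }) -join '; ')
}

# Remediation, deliberately not automated here:
#  1. Preferred: take the person's everyday account out of the protected group (give them a
#     separate admin account), then clear the stamp and restore inheritance so the object
#     behaves like any other user again:
#        Set-ADUser -Identity $UserSam -Clear adminCount
#        $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
#        $acl.SetAccessRuleProtection($false, $true)
#        Set-Acl -Path "AD:\$($user.DistinguishedName)" -AclObject $acl
#  2. Not recommended: add the Send As ACE to CN=AdminSDHolder. It "sticks", but every
#     protected account in the domain then grants the mobile-device service account Send As.
#  3. To verify without waiting for the next cycle (Windows Server 2008 or later DCs),
#     trigger SDProp on the PDC emulator:
#        $rootDse = [ADSI]'LDAP://RootDSE'
#        $rootDse.Put('RunProtectAdminGroupsTask', '1'); $rootDse.SetInfo()
```

If ProtectedGroups comes back empty but AdminCount is still 1 and inheritance is blocked, the account was protected at some point and was removed from the group without cleanup; SDProp does not undo its own stamp, so step 1's clear-and-restore is still needed. For a fleet-wide view, `Get-ADUser -LDAPFilter '(adminCount=1)'` lists every account that has ever been stamped, which is a useful starting list for the dual-credential cleanup argued for earlier in the thread.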

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
