To us, there isn't really a benefit between a basic setting and setting up a 
new user from scratch.  I want the ability to make it impossible for the Techs 
to copy the user because inevitably, I'll have a few of my guys leave over the 
next few years and I'll bring on a few new guys and the policy of never copying 
a user will not get communicated to them and they'll copy a user and that 
person will get access they shouldn't have.  I'd like to make it so that 
someone setting up a new user isn't able to copy a user at all, whether it be 
because they forgot or because they didn't know our internal policy.  That way, 
there are no mistakes that lead to security breaches in our folder security.  
In the last two years, it has happened 3 times where someone had permissions 
they shouldn't because their account was copied from someone else and inherited 
permissions they shouldn't have had.  Mistakes happen, but I'd like to be able 
to technically make it harder for that to happen.  I hope that makes sense.  
Thanks!

Aaron

-----Original Message-----
From: Thomas Nilsen [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2008 2:59 PM
To: Active Directory Admin Issues
Subject: RE: Disallowing "copy user" in AD


Not sure if you can disable copy user function, but why not just set up a 
disabled dummy account as a template with the most basic settings and allow 
your helpdesk techs to copy from that user only?

Regards,
Thomas

>-----Original Message-----
>From: Aaron [mailto:[EMAIL PROTECTED]
>Sent: Thursday, May 29, 2008 9:22 PM
>To: Active Directory Admin Issues
>Subject: Disallowing "copy user" in AD
>
>
>We have had problems with Help Desk techs "copying" a user in
>Active Directory to set up a new user that is very similar in
>roles to an existing user.  However, they don't always look
>over the Memberships closely enough and sometimes an employee
>that was "copied" from an existing employee in AD had
>permissions they shouldn't.  I have put in a new policy that
>copying a user in AD is no longer allowed and that all new
>users must be set up from scratch.  Is there a way to enforce
>this in AD?  I would like for the Help Desk to be able to
>create new users, delete users, edit users, just not copy
>users.  Can this be done?
>

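Added example, not part of the thread or written by either poster: a PowerShell audit that flags recently created accounts holding groups beyond an approved baseline, and names any older account with an identical group set, which suggests the account was copied. The function name, the baseline group, the `example.test` domain and the sample accounts are all constructed for illustration.

```powershell
function Find-ExcessMembership {
    param(
        [Parameter(Mandatory)] [object[]] $Users,   # objects with SamAccountName, WhenCreated, MemberOf
        [string[]] $BaselineGroups = @(),           # group DNs any new user is allowed to hold
        [Parameter(Mandatory)] [datetime] $Since    # audit only accounts created on or after this date
    )
    foreach ($new in $Users | Where-Object { $_.WhenCreated -ge $Since }) {
        $groups = @($new.MemberOf)
        $extra  = @($groups | Where-Object { $_ -notin $BaselineGroups })
        if ($extra.Count -eq 0) { continue }        # nothing beyond the baseline

        # Older accounts holding exactly the same set of groups as the new one
        $key   = ($groups | Sort-Object) -join '|'
        $twins = @($Users | Where-Object {
            $_.WhenCreated -lt $new.WhenCreated -and
            ((@($_.MemberOf) | Sort-Object) -join '|') -eq $key
        } | ForEach-Object SamAccountName)

        [pscustomobject]@{
            User         = $new.SamAccountName
            Created      = $new.WhenCreated
            ExtraGroups  = $extra
            SameGroupsAs = $twins
        }
    }
}

# Constructed sample data (no domain needed to run this part)
$staff   = 'CN=All Staff,OU=Groups,DC=example,DC=test'
$finance = 'CN=Finance RW,OU=Groups,DC=example,DC=test'
$sample  = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   WhenCreated = [datetime]'2006-03-01'; MemberOf = @($staff, $finance) }
    [pscustomobject]@{ SamAccountName = 'asmith'; WhenCreated = [datetime]'2008-05-20'; MemberOf = @($finance, $staff) }
    [pscustomobject]@{ SamAccountName = 'bnew';   WhenCreated = [datetime]'2008-05-22'; MemberOf = @($staff) }
)

Find-ExcessMembership -Users $sample -BaselineGroups @($staff) -Since ([datetime]'2008-05-01') |
    Format-List

# Against a live domain, with the ActiveDirectory module loaded:
#   $Users = Get-ADUser -Filter * -Properties whenCreated, memberOf
# memberOf does not list the primary group, so that group is not compared.
```

If the help desk copies only from a disabled template account, that template's groups are the natural value for `-BaselineGroups`.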