Meeting with help desk personnel: If you see an account with "secured" in the Notes field do not change the password. If auditing shows you did anyway you will be terminated.
Not elegant, no.

On Aug 7, 2013, at 9:13, "Ken Schaefer" <[email protected]> wrote:

> OK – let’s forget the theoreticals about what the Helpdesk should do or not
> do – you have specific requirements. Let’s assume they are correct.
>
> Here are some questions (space left for answers):
>
> What specifically have you done already that is “not acting as expected”
> (your words)?
>
> Have you examined the specific ACLs on the user objects that the delegation
> wizard produced & what are they?
>
> Do they fit what you expect?
>
> Speculation: maybe a deny ACE would do what you need – but let’s not get
> ahead of ourselves.
>
> Cheers
> Ken
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Liby Philip Mathew
> Sent: Wednesday, 7 August 2013 11:55 PM
> To: [email protected]
> Subject: [NTSysADM] RE: Delegation of privileges to helpdesk security group
> except password reset.
>
> Z,
> The basic task of help desk is to reset the password. But, in my case it is
> the other way. That is the reason I have mentioned “weird situation”. I
> have delegated the requirement. But it is not acting as expected. I will
> wait for some time for the replication to complete as the domain is spread
> between a few sites which are across different continents.
>
> Regards
> Liby Philip Mathew
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ziots, Edward
> Sent: Wednesday, August 07, 2013 16:32
> To: [email protected]
> Subject: [NTSysADM] RE: Delegation of privileges to helpdesk security group
> except password reset.
>
> I believe you might need to use Dsacls to do this but I would start with the
> delegation of control wizard first on a test OU and then see the results. But
> the guidance in the thread is correct: the users and groups should be
> separated out, but I don’t see why the helpdesk should not be able to reset
> the password, especially if you are auditing the accounts for password reset
> as a part of your controls (so that the helpdesk folks aren’t blindly
> resetting accounts and then logging on as those users and doing nefarious
> stuff).
>
> HTH
> Z
>
> Edward E. Ziots, CISSP, CISA, Security +, Network +
> Security Engineer
> Lifespan Organization
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Liby Philip Mathew
> Sent: Wednesday, August 07, 2013 9:17 AM
> To: [email protected]
> Subject: [NTSysADM] RE: Delegation of privileges to helpdesk security group
> except password reset.
>
> I agree on that. But how?
>
> Regards
> Liby Philip Mathew
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Guyer, Don
> Sent: Wednesday, August 07, 2013 15:49
> To: [email protected]
> Subject: [NTSysADM] RE: Delegation of privileges to helpdesk security group
> except password reset.
>
> Don’t think you want to do this at the root but, at the OU level, where
> User/Computer accounts and Groups reside.
>
> Regards,
>
> Don Guyer
> Catholic Health East - Information Technology
> Enterprise Directory & Messaging Services
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Liby Philip Mathew
> Sent: Wednesday, August 07, 2013 6:54 AM
> To: [email protected]
> Subject: [NTSysADM] Delegation of privileges to helpdesk security group
> except password reset.
>
> Hi,
> We have a weird situation in which helpdesk shouldn’t reset the password.
> But, they should be having privileges such as add/remove/modify,
> user/group/OU/move objects between OU etc.
> What is the best way to delegate these permissions to helpdesk security group
> at the root of the domain?
> Any help appreciated.
> Thanks
> Liby
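
Added example, not written by anyone in the thread: one way to answer the question about what the ACLs on a user object actually grant, and to check the deny-ACE idea, is to test each ACE for whether it covers the Reset Password extended right. The sketch assumes a hypothetical CORP\Helpdesk group, matches the trustee by name only (no nested group expansion), treats all inherited ACEs as one tier, and uses constructed sample ACEs that mirror the properties of the rules returned by Get-Acl.

```powershell
# Reset Password (User-Force-Change-Password) control access right GUID.
$ResetPwd      = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$GenericAll    = 0xF01FF   # ActiveDirectoryRights.GenericAll (Full Control)
$ExtendedRight = 0x100     # ActiveDirectoryRights.ExtendedRight

function Test-CoversResetPassword($Ace) {
    $mask = [int]$Ace.ActiveDirectoryRights
    # Full Control includes every extended right.
    if (($mask -band $GenericAll) -eq $GenericAll) { return $true }
    if (-not ($mask -band $ExtendedRight)) { return $false }
    # An empty ObjectType on an ExtendedRight ACE means all extended rights.
    return ($Ace.ObjectType -eq [guid]::Empty -or $Ace.ObjectType -eq $ResetPwd)
}

function Get-ResetPasswordVerdict($Aces, $Trustee) {
    $hits = @($Aces | Where-Object {
        [string]$_.IdentityReference -eq $Trustee -and
        [string]$_.PropagationFlags -notmatch 'InheritOnly' -and  # applies to this object
        (Test-CoversResetPassword $_)
    })
    # Canonical ACL order: explicit ACEs are evaluated before inherited ones,
    # and deny before allow within each tier.
    foreach ($inherited in $false, $true) {
        $tier = @($hits | Where-Object { $_.IsInherited -eq $inherited })
        if ($tier | Where-Object { $_.AccessControlType -eq 'Deny' })  { return 'Denied' }
        if ($tier | Where-Object { $_.AccessControlType -eq 'Allow' }) { return 'Allowed' }
    }
    return 'NotGranted'
}

# Constructed sample ACEs (hypothetical trustee, not taken from a real domain).
function New-SampleAce($Type, $Mask, $ObjectType, $Inherited) {
    [pscustomobject]@{ IdentityReference = 'CORP\Helpdesk'; AccessControlType = $Type
        ActiveDirectoryRights = $Mask; ObjectType = $ObjectType
        IsInherited = $Inherited; PropagationFlags = 'None' }
}
$fullControl = New-SampleAce 'Allow' $GenericAll    ([guid]::Empty) $true   # delegated at the OU
$denyReset   = New-SampleAce 'Deny'  $ExtendedRight $ResetPwd       $true   # deny ACE at the OU
$explicit    = New-SampleAce 'Allow' $ExtendedRight $ResetPwd       $false  # set on the user itself

# Case 1: inherited Full Control only.
Get-ResetPasswordVerdict @($fullControl) 'CORP\Helpdesk'
# Case 2: inherited Full Control plus an inherited deny on Reset Password.
Get-ResetPasswordVerdict @($fullControl, $denyReset) 'CORP\Helpdesk'
# Case 3: the same inherited deny, but an explicit allow on the user object.
Get-ResetPasswordVerdict @($denyReset, $explicit) 'CORP\Helpdesk'

# Real input, assuming the ActiveDirectory module's AD: drive is available:
#   Get-ResetPasswordVerdict (Get-Acl "AD:\<user DN>").Access 'CORP\Helpdesk'
```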

