We were in a similar situation: all our Service Desk (help desk) guys were domain admins, for example! (NWEA was a small shop of about 100 users, and the SD guys actually doubled as helping SEs stand up servers, etc.; it took a while for them to grow out of that.)
We did a big AD reorg a couple of years ago: created some new OUs, stuck DAs, servers, and service accounts in one tree of them, and put users (including Service Desk), workstations, e-mail and most security groups in the other. Yanked the SD guys from domain admin (took a while to get the delegations right, but worth it). It now takes DA perms to get to the DA accounts and servers OU; SD has full delegation on the OU created for the things they need to manage.

Dave

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Friday, November 18, 2011 7:35 AM
To: NT System Admin Issues
Subject: Re: Delegation question

On Fri, Nov 18, 2011 at 10:15 AM, Christopher Bodnar <[email protected]> wrote:
> Our internal auditors want us to take away the ability of helpdesk
> staff to change domain admin passwords ...

I'd say that's a good idea.

> if all the domain admin accounts were in one OU I could do this by
> revoking access to that OU ...

Generally speaking, it's better to simply only add Allow permissions where needed, and avoid using Deny at all. (Not sure if that's what you mean by "revoke" here.)

> but unfortunately that is not the case and I don't think it's possible
> the way things are set up right now (service accounts in domain admins,
> etc...).

Sounds like you need to change the way things are now then. :)

> What I'm afraid of is that something will break if I move those
> accounts, specifically the service accounts.

Anything you do can break things, including doing nothing. Observe. Research. Analyze. Test. Deploy. In that order, going back as often as needed.

Specifically, use tools like GPMC, RSOP, etc., to see what Group Policies are applied to those OUs, and what the resulting GP settings will be. Then plan changes to your GPO/OU/link scheme that keep things intact.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
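An added example, not code from anyone in the thread, of doing the two checks Ben recommends before moving the accounts: it finds the OUs (or containers) that currently hold Domain Admins members, reports which principals hold an Allow ACE on those OUs for Reset Password (or GenericAll/WriteDacl/WriteOwner, which imply it), and lists the GPO links that apply to each OU in precedence order. It assumes the RSAT ActiveDirectory and GroupPolicy modules and an account that can read OU ACLs and GPO links; the function and helper names are my own.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# and GroupPolicy modules and an account allowed to read OU ACLs and GPO links.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Extended-right GUID for "Reset Password" (User-Force-Change-Password).
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ParentDn {
    param([string]$Dn)
    # Strip the leading RDN; handles escaped commas such as "CN=Smith\, John".
    return ($Dn -replace '^[^=]+=(?:[^,\\]|\\.)+,', '')
}

function Get-DaOuDelegationReport {
    # Every OU/container that holds at least one (nested) Domain Admins member.
    $ous = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        ForEach-Object { Get-ParentDn $_.distinguishedName } |
        Sort-Object -Unique

    foreach ($ou in $ous) {
        $acl = Get-Acl -Path "AD:\$ou"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # An ExtendedRight ACE with an empty ObjectType grants ALL extended rights.
            $resetPwd = ($ace.ActiveDirectoryRights -match 'ExtendedRight') -and
                        ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq [guid]::Empty)
            $fullCtl  = $ace.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner'
            if ($resetPwd -or $fullCtl) {
                [pscustomobject]@{ Kind = 'ACE'; OU = $ou
                    Principal = $ace.IdentityReference.Value
                    Detail    = $ace.ActiveDirectoryRights.ToString()
                    Inherited = $ace.IsInherited }
            }
        }
        # Containers such as CN=Users cannot carry GPO links; only OUs are queried.
        if ($ou -notlike 'OU=*') { continue }
        foreach ($link in (Get-GPInheritance -Target $ou).InheritedGpoLinks) {
            [pscustomobject]@{ Kind = 'GPO'; OU = $ou
                Principal = $link.DisplayName
                Detail    = "Enabled=$($link.Enabled) Enforced=$($link.Enforced) Order=$($link.Order)"
                Inherited = ($link.Target -ne $ou) }
        }
    }
}

Get-DaOuDelegationReport | Format-Table -AutoSize
```

Run it once before the reorg to see which help desk groups currently reach the DA accounts, and again after the move to confirm only the intended Allow ACEs and GPO links remain on the new OU.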
