You can't individually revoke the rights for one group. The members of the DAs 
group (plus all the other odd admin groups) are covered by AdminSDHolder which 
only has one ACL template for all the groups.

Thanks,
Brian Desmond
[email protected]

w - 312.625.1438 | c   - 312.731.3132

From: Ziots, Edward [mailto:[email protected]]
Sent: Monday, November 21, 2011 7:44 AM
To: NT System Admin Issues
Subject: RE: Delegation question

Why not just revoke the rights on the DA group for Helpdesk to modify 
passwords or change them? I see where the auditors want clear separation from 
Helpdesk and DA, and other privileged accounts.

/Auditor hat on..

Basically they want to make sure that there is no "privileged" escalation to 
DA, when a helpdesk analyst resets a DA password and then logs on as DA and 
does nefarious stuff (as commented before),

/Security engineer hat on
but there should be a log of the helpdesk analyst doing the password reset in 
the AD logs on the AD account and then the logon access of the DA account and 
where from, which should leave the audit trail to follow up and correct the 
action and deal with the situation which the helpdesk analyst created.

So auditing and accountability is covered, keeping both sides happy, and again 
how likely of a situation is it in your companies? (Times in the past it has 
happened etc., and what administrative action has happened to those 
individuals that have tried to perpetrate this?)

Also if there is going to be a group that is covering PCI/SOX issues from a Sec 
engineering, auditing focus I would love to get in on that discussion, since 
there is going to be some changes on my end soon.

Sincerely,
EZ

Edward E. Ziots, CISSP, Security+, Network+
Security Engineer
Lifespan Organization
email:[email protected]
phone:401-639-3505
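The audit trail Edward describes, as an added example that is not part of the thread: a small correlation over constructed Security-log records that flags a password reset on a protected account followed by a logon of that account. It assumes Windows Security event IDs 4724 (an attempt was made to reset an account's password) and 4624 (successful logon), and an inventory of the accounts SDProp has stamped with adminCount=1; the event records and account names are constructed.

```python
"""Correlate resets of protected (adminCount=1) accounts with later logons.

Added example, not code from the thread. Event IDs 4724 (password reset)
and 4624 (successful logon) are real Windows Security events; the records
below are constructed sample data, not a real log export.
"""
from datetime import datetime, timedelta

# Constructed inventory: accounts SDProp has stamped with adminCount=1.
PROTECTED = {"da-admin1", "svc-backup"}

# Constructed log export: (time, event id, actor, account, workstation).
# For 4724 actor = who performed the reset, account = whose password.
# For 4624 actor is unused ("-") and account = who logged on.
EVENTS = [
    ("2011-11-21 07:40:00", 4724, "hd-jones", "jdoe", "HELPDESK01"),
    ("2011-11-21 07:42:10", 4724, "hd-jones", "da-admin1", "HELPDESK01"),
    ("2011-11-21 07:45:30", 4624, "-", "da-admin1", "HELPDESK01"),
    ("2011-11-21 09:10:00", 4724, "hd-smith", "svc-backup", "HELPDESK02"),
    ("2011-11-22 09:10:00", 4624, "-", "svc-backup", "BACKUP01"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def protected_resets(events, protected):
    """Every 4724 whose target is a protected account: the audit record
    of who reset which privileged password, and from where."""
    return [(actor, acct, ws) for _, eid, actor, acct, ws in events
            if eid == 4724 and acct in protected]


def reset_then_logon(events, protected, window=timedelta(hours=1)):
    """Resets of protected accounts followed, within `window`, by a logon
    of that same account. Returns (resetter, account, logon workstation)."""
    logons = [(parse(t), acct, ws) for t, eid, _, acct, ws in events
              if eid == 4624]
    hits = []
    for t, eid, actor, acct, _ in events:
        if eid != 4724 or acct not in protected:
            continue
        rt = parse(t)
        for lt, who, lws in logons:
            if who == acct and rt <= lt <= rt + window:
                hits.append((actor, acct, lws))
                break
    return hits


if __name__ == "__main__":
    print("protected resets:", protected_resets(EVENTS, PROTECTED))
    print("reset then logon:", reset_then_logon(EVENTS, PROTECTED))
```

The svc-backup reset is recorded but not flagged, because its next logon falls a day later; tune the window to the environment's expected reset-to-logon gap.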

From: James Rankin [mailto:[email protected]]
Sent: Friday, November 18, 2011 12:06 PM
To: NT System Admin Issues
Subject: Re: Delegation question

That's a bit crazy. What happens when a rogue helpdesk guy resets a DA password 
and uses it for nefarious purposes? Prevention is surely better than cure in 
this case. However, I have worked at a lot of customers with crazy requirements, 
to be fair.
On 18 November 2011 16:50, Christopher Bodnar 
<[email protected]> wrote:
I've asked that many times. And been told that it is a requirement.


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003

From: Brian Desmond <[email protected]>
To: "NT System Admin Issues" <[email protected]>
Date: 11/18/2011 11:37 AM
Subject: RE: Delegation question
________________________________



Why do they need the ability to reset passwords on protected accounts?

Thanks,
Brian Desmond
[email protected]

w - 312.625.1438 | c   - 312.731.3132

From: Christopher Bodnar [mailto:[email protected]]
Sent: Friday, November 18, 2011 9:15 AM
To: NT System Admin Issues
Subject: Delegation question

Currently our helpdesk staff have the ability to reset passwords for all user 
accounts, including domain admin accounts. Our internal auditors want us to 
take away the ability of helpdesk staff to change domain admin passwords, but 
not to remove their ability to reset passwords for users in "protected groups". 
That's where I'm running into a wall. Theoretically, if all the domain admin 
accounts were in one OU I could do this by revoking access to that OU, but 
unfortunately that is not the case and I don't think it's possible the way 
things are set up right now (service accounts in domain admins, etc...). What 
I'm afraid of is that something will break if I move those accounts, 
specifically the service accounts.

Any thoughts on this?


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin




