I'd like to have data in hand before asking those kinds of questions. Kind of like trial lawyers - never ask a question of a witness in front of a jury that you don't already know the answer for.
On Mon, May 5, 2008 at 11:35 AM, Kim Longenbaugh <[EMAIL PROTECTED]> wrote: > You could always just ask somebody, unless of course you already did > that and no one's owning up. > > In which case, when you find out who really did it, then you can fire > them for lying! > > > -----Original Message----- > From: Kurt Buff [mailto:[EMAIL PROTECTED] > > Sent: Monday, May 05, 2008 1:01 PM > To: NT System Admin Issues > > > Subject: Re: Domain Admin monkey business > > > I suspect a contractor brought in to cover while I was gone, but I'm > parsing logs now to see if I can determine that. > > Fortunately, I syslog everything I can, so should be able to track it > down fairly quickly. > > On Mon, May 5, 2008 at 10:59 AM, Steve Ens <[EMAIL PROTECTED]> wrote: > > Fire them all! or at least fifty lashes. > > > > > > > > On Mon, May 5, 2008 at 12:56 PM, Kurt Buff <[EMAIL PROTECTED]> > wrote: > > > Found it. > > > > > > Someone put the group in the Administrators group. > > > > > > I'm quite unhappy, and I'm investigating. > > > > > > > > > > > > > > > On Mon, May 5, 2008 at 10:37 AM, Barsodi.John <[EMAIL PROTECTED]> > > wrote: > > > > Check the Account Operators group? > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: Kurt Buff [mailto:[EMAIL PROTECTED] > > > > Sent: Monday, May 05, 2008 10:30 AM > > > > To: NT System Admin Issues > > > > Subject: Domain Admin monkey business > > > > > > > > I've been on vacation for a couple of weeks, and came back to a > bit of > > > > a situation. The helpdesk staff now seem to be able to control > > > > accounts in the domain - they can set/reset passwords, > disable/enable > > > > accounts, update group memberships, etc. > > > > > > > > I've looked, and domain admins looks as expected. > > > > > > > > Am I correct in believing that the only other way this can happen > is > > > > through OU delegation? If so, how do I check to see what's > changed WRT > > > > delegation - how do I audit that? > > > > > > > > Kurt > > > > > > > > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ > > > > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ > > > > > > > > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ > > > > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ > > > > > > > > > > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ > > > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ > > > > > > > > > > > > > > > > > > > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ > > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
