Oh, I'm a fully paid-up member of the choir on this one, and I have seen all the benefits first hand. I just get the feeling these guys are going to be more of a PITA than any I've worked with before.

On 30 September 2010 14:22, Michael B. Smith <[email protected]> wrote:

> I just finished a two-year project at one of my clients (not full-time for me; but they had someone working on it full-time). We went from 64 accounts in Domain Admins down to 4. There was much wailing and gnashing of teeth – but now, whenEVER something changes in AD – we have a way to find out who did it. Plausible deniability is gone. Shockingly (NOT), things are much more stable now. Fewer cooks in the kitchen is a very good thing.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
> *From:* James Rankin [mailto:[email protected]]
> *Sent:* Thursday, September 30, 2010 9:18 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Restricting groups in Active Directory
>
> I am raising this up with IS management, as it is unsupportable - there's no point in me putting a structure together that can just be pulled apart at will.
>
> There's no way around it, so I'm just going to have to trust in my own stubbornness to get the buy-in I need :-) Audit was going to be one of the hot words to throw into the debate, though. I'd be interested myself in seeing the results of any previous audits they've had here.
>
> On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote:
>
> *>>**However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?*
>
> You might need to enlist the assistance of... dare I say it? ... Auditors.
>
> If everyone is a domain admin, then they can all do whatsoever they want in the domain.
>
> Seriously, is your organization not subject to some sort of regulatory compliance? Who is your CTO/CIO?
>
> *ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
> On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]> wrote:
>
> However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
