What are they trying to accomplish?  Do they believe that everyone needs
domain admin rights just to change passwords or unlock accounts?  I'd
try to find out what they need to do and then restrict them accordingly.
Help desk doesn't need rights to be able to change administrator
passwords, free rein to all files, and add machines to the domain (just
to name a few).

 

From: James Rankin [mailto:[email protected]] 
Sent: Thursday, September 30, 2010 8:18 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

 

I am raising this up with IS management, as it is unsupportable -
there's no point in me putting a structure together that can just be
pulled apart at will.

There's no way around it, so I'm just going to have to trust in my own
stubbornness to get the buy-in I need :-) Audit was going to be one of
the hot words to throw into the debate, though. I'd be interested myself
in seeing the results of any previous audits they've had here.

On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote:

>>However, the business are adamant that every member of the support
teams (from helpdesk upwards) will be given a Domain Admin account. Am I
right in assuming this means that they could simply add themselves into
the groups I am setting up, because even if I restrict these groups via
an ACL, they could just take ownership of the group?

 

You might need to enlist the assistance of... dare I say it? ...
Auditors.

 

If everyone is a domain admin, then they can all do whatsoever they want
in the domain.

 

Seriously, is your organization not subject to some sort of
regulatory compliance?  Who is your CTO/CIO? 


 

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>  
Exploiting Technology for Business Advantage...
 





On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]>
wrote:

However, the business are adamant that every member of the support teams
(from helpdesk upwards) will be given a Domain Admin account. Am I right
in assuming this means that they could simply add themselves into the
groups I am setting up, because even if I restrict these groups via an
ACL, they could just take ownership of the group?

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."




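The alternative the first reply points at (find out what the helpdesk actually needs and delegate exactly that, rather than handing out Domain Admin) is shown below as an added example; it is not code from anyone in the thread. It first lists who is really in Domain Admins (nested groups included), then delegates the two rights a password/unlock helpdesk needs on one OU and reads the resulting ACEs back. The OU distinguished name "OU=Staff,DC=corp,DC=example" and the group "CORP\Helpdesk" are assumed placeholders; the schema GUIDs are the well-known forest-independent values for the Reset Password control access right, the lockoutTime attribute and the user object class. Requires the ActiveDirectory module (RSAT / Server 2008 R2 and later) and rights to modify the OU's ACL.

```powershell
# Added example, not from the thread. Assumed names: OU and group below.
Import-Module ActiveDirectory

$OuDn        = 'OU=Staff,DC=corp,DC=example'   # assumed: OU holding ordinary user accounts
$HelpdeskGrp = 'CORP\Helpdesk'                 # assumed: group the helpdesk staff belong to

# Well-known schema/right GUIDs (same in every forest)
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$LockoutTimeAttr    = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute; writing 0 unlocks
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

function Get-DomainAdminsReport {
    # Who is effectively a Domain Admin, expanding nested groups. This is the list
    # that makes any group ACL pointless: every principal here can rewrite it.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

function Grant-HelpdeskDelegation {
    param([string]$OuDn, [string]$Group)

    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $acl     = Get-Acl -Path "AD:\$OuDn"
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # 1. Reset Password extended right, inherited only by user objects under the OU
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $ResetPasswordRight, $inherit, $UserClass)))

    # 2. Read/write lockoutTime on user objects: this is what "Unlock account" does
    $rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rw, $allow, $LockoutTimeAttr, $inherit, $UserClass)))

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-HelpdeskDelegation {
    # Read back the explicit (non-inherited) ACEs granted to the group on the OU,
    # so the delegation can be verified and audited.
    param([string]$OuDn, [string]$Group)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and -not $_.IsInherited } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

Get-DomainAdminsReport
Grant-HelpdeskDelegation -OuDn $OuDn -Group $HelpdeskGrp
Get-HelpdeskDelegation  -OuDn $OuDn -Group $HelpdeskGrp
```

Two caveats a practitioner should keep in mind. First, this delegation only restricts anything if the helpdesk group is not also in Domain Admins; as the thread says, a Domain Admin can rewrite the OU's ACL or take ownership of the groups, so the delegation model and the "everyone gets Domain Admin" policy cannot coexist. Second, accounts protected by AdminSDHolder (members of Domain Admins and the other protected groups) have their ACLs periodically reset from the AdminSDHolder template, so an OU-level delegation like this does not let the helpdesk reset administrator passwords, which is exactly the separation the first reply asks for. The same two grants can be made with the built-in dsacls tool, e.g. `dsacls "OU=Staff,DC=corp,DC=example" /I:S /G "CORP\Helpdesk:CA;Reset Password;user" /G "CORP\Helpdesk:RPWP;lockoutTime;user"`.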