I wasn't having a discussion about appropriate levels of rights - I'm well
aware of those. I was just wondering if there was any way to lock a group
out from the depredations of Domain Admins by using some cunning permissions
voodoo. Clearly there's not, so it's off to thrash the details out.

I'm not going to waste my time designing a new support structure that is
just going to get broken, so I won't back down on this.

Thanks for everyone's input,

On 30 September 2010 14:32, Andrew S. Baker <[email protected]> wrote:

> I'm fearful that IS management will be of no help to you, since they
> haven't been able to prevent the situation from occurring to this point.
>
> Really, this is 2010.  Do we even need to *have* this discussion about
> admin levels and appropriate level of rights?
>
> My guess is that you better start thinking about how much political clout
> you're going to expend on this.  I'd say it is one of the most important
> battles you can fight for, but the ultimate decision is up to you.  :)
>
>
> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
> On Thu, Sep 30, 2010 at 9:18 AM, James Rankin <[email protected]> wrote:
>
>> I am raising this up with IS management, as it is unsupportable - there's
>> no point in me putting a structure together that can just be pulled apart at
>> will.
>>
>> There's no way around it, so I'm just going to have to trust in my own
>> stubbornness to get the buy-in I need :-) Audit was going to be one of the
>> hot words to throw into the debate, though. I'd be interested myself in
>> seeing the results of any previous audits they've had here.
>>
>>
>> On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote:
>>
>>> *>> However, the business are adamant that every member of the support
>>> teams (from helpdesk upwards) will be given a Domain Admin account. Am I
>>> right in assuming this means that they could simply add themselves into the
>>> groups I am setting up, because even if I restrict these groups via an ACL,
>>> they could just take ownership of the group?*
>>>
>>> You might need to enlist the assistance of... dare I say it? ...
>>>  Auditors.
>>>
>>> If everyone is a domain admin, then they can all do whatsoever they want
>>> in the domain.
>>>
>>> Seriously, is your organization not subject to some sort of
>>> regulatory compliance?  Who is your CTO/CIO?
>>>
>>>
>>> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
>>> *Exploiting Technology for Business Advantage...*
>>>
>>> On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]> wrote:
>>>
>>>> However, the business are adamant that every member of the support teams
>>>> (from helpdesk upwards) will be given a Domain Admin account. Am I right in
>>>> assuming this means that they could simply add themselves into the groups I
>>>> am setting up, because even if I restrict these groups via an ACL, they
>>>> could just take ownership of the group?
>>>
>>>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
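
The thread concludes that an ACL on a group does not keep a Domain Admin out of it, which leaves detection as the remaining control. The PowerShell below is an added example, not part of the original messages: it flags member additions (events 4728, 4732, 4756) and security descriptor rewrites (event 5136 on `nTSecurityDescriptor`) on protected groups when the actor is unapproved or adds their own account. The group names, SIDs, account names and sample events are constructed, and it assumes Directory Service Changes auditing with a SACL on the group objects so that 5136 is logged.

```powershell
# Added example. Group names, SIDs, accounts and events are constructed placeholders.
$dom             = 'S-1-5-21-1111-2222-3333'             # constructed domain SID
$ProtectedGroups = 'Support-Tier2', 'Support-Tier3'      # hypothetical delegated groups
$ApprovedActors  = @("$dom-1105")                        # SIDs sanctioned to manage them
$MemberAddIds    = 4728, 4732, 4756                      # member added: global, local, universal

function Find-UnsanctionedGroupChange {
    param([object[]]$Events, [string[]]$Groups, [string[]]$Approved)
    foreach ($e in $Events) {
        $group = $null; $finding = $null
        if ($e.Id -in $MemberAddIds) {
            $group = $e.TargetUserName
            if ($e.SubjectUserSid -eq $e.MemberSid) { $finding = 'actor added own account' }
            elseif ($e.SubjectUserSid -notin $Approved) { $finding = 'member added by unapproved actor' }
        }
        elseif ($e.Id -eq 5136 -and $e.AttributeLDAPDisplayName -eq 'nTSecurityDescriptor') {
            # 5136 on nTSecurityDescriptor: the object's owner or ACL was rewritten.
            # Naive DN split; fine for the sample, not for CNs containing escaped commas.
            $group = ($e.ObjectDN -split ',')[0] -replace '^CN=', ''
            if ($e.SubjectUserSid -notin $Approved) { $finding = 'owner/ACL rewritten by unapproved actor' }
        }
        if ($finding -and ($group -in $Groups)) {
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Actor = $e.SubjectUserName
                               Group = $group; Finding = $finding }
        }
    }
}

$sample = @(
    # Descriptor of the group rewritten, then the same account adds itself.
    [pscustomobject]@{ Id = 5136; TimeCreated = [datetime]'2010-10-04T09:11:40'
        SubjectUserName = 'hd-admin7'; SubjectUserSid = "$dom-1207"
        ObjectDN = 'CN=Support-Tier3,OU=Groups,DC=example,DC=com'
        AttributeLDAPDisplayName = 'nTSecurityDescriptor' }
    [pscustomobject]@{ Id = 4728; TimeCreated = [datetime]'2010-10-04T09:12:05'
        SubjectUserName = 'hd-admin7'; SubjectUserSid = "$dom-1207"
        MemberSid = "$dom-1207"; TargetUserName = 'Support-Tier3' }
    # Sanctioned change by the approved group manager: not reported.
    [pscustomobject]@{ Id = 4728; TimeCreated = [datetime]'2010-10-04T10:30:00'
        SubjectUserName = 'grp-manager'; SubjectUserSid = "$dom-1105"
        MemberSid = "$dom-1311"; TargetUserName = 'Support-Tier2' }
)

Find-UnsanctionedGroupChange -Events $sample -Groups $ProtectedGroups -Approved $ApprovedActors |
    Format-Table -AutoSize
```

To run it against a live Security log, build objects with the same property names from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756,5136}`, reading each record's EventData through `([xml]$_.ToXml())`.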
