As usual, the boss of the helpdesk (and his golf buddies) think that change
= interruptions to support. I'm going to convince them that change =
accountability + the same level of support.

On 30 September 2010 14:38, Maglinger, Paul <[email protected]> wrote:

> What are they trying to accomplish?  Do they believe that everyone needs
> domain admin rights just to change passwords or unlock accounts?  I’d try to
> find out what they need to do and then restrict them accordingly.  Help desk
> doesn’t need rights to be able to change administrator passwords, free rein
> to all files, and add machines to the domain (just to name a few).
>
>
>
> *From:* James Rankin [mailto:[email protected]]
> *Sent:* Thursday, September 30, 2010 8:18 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Restricting groups in Active Directory
>
>
>
> I am raising this up with IS management, as it is unsupportable - there's
> no point in me putting a structure together that can just be pulled apart at
> will.
>
>
> There's no way around it, so I'm just going to have to trust in my own
> stubbornness to get the buy-in I need :-) Audit was going to be one of the
> hot words to throw into the debate, though. I'd be interested myself in
> seeing the results of any previous audits they've had here.
>
> On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote:
>
> *>> However, the business are adamant that every member of the support
> teams (from helpdesk upwards) will be given a Domain Admin account. Am I
> right in assuming this means that they could simply add themselves into the
> groups I am setting up, because even if I restrict these groups via an ACL,
> they could just take ownership of the group?*
>
>
>
> You might need to enlist the assistance of... dare I say it? ...  Auditors.
>
>
>
> If everyone is a domain admin, then they can all do whatsoever they want in
> the domain.
>
>
>
> Seriously, is your organization not subject to some sort of regulatory
> compliance?  Who is your CTO/CIO?
>
>
>
> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
>
>
>  On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]>
> wrote:
>
> However, the business are adamant that every member of the support teams
> (from helpdesk upwards) will be given a Domain Admin account. Am I right in
> assuming this means that they could simply add themselves into the groups I
> am setting up, because even if I restrict these groups via an ACL, they
> could just take ownership of the group?
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
