Change = accountability + better levels of support due to less stuff mysteriously breaking.
*ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker> *Exploiting Technology for Business Advantage...* * * On Thu, Sep 30, 2010 at 9:40 AM, James Rankin <[email protected]> wrote: > As usual, the boss of the helpdesk (and his golf buddies) think that change > = interruptions to support. I'm going to convince them that change = > accountability + the same level of support. > > On 30 September 2010 14:38, Maglinger, Paul <[email protected]> wrote: > >> What are they trying to accomplish? Do they believe that everyone needs >> domain admin rights just to change passwords or unlock accounts? I’d try to >> find out what they need to do and then restrict them accordingly. Help desk >> doesn’t need rights to be able to change administrator passwords, free reign >> to all files, and add machines to the domain (just to name a few). >> >> >> >> *From:* James Rankin [mailto:[email protected]] >> *Sent:* Thursday, September 30, 2010 8:18 AM >> *To:* NT System Admin Issues >> *Subject:* Re: Restricting groups in Active Directory >> >> >> >> I am raising this up with IS management, as it is unsupportable - there's >> no point in me putting a structure together that can just be pulled apart at >> will. >> >> >> There's no way around it, so I'm just going to have to trust in my own >> stubbornness to get the buy-in I need :-) Audit was going to be one of the >> hot words to throw into the debate, though. I'd be interested myself in >> seeing the results of any previous audits they've had here. >> >> On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote: >> >> *>>**However, the business are adamant that every member of the support >> teams (from helpdesk upwards) will be given a Domain Admin account. Am I >> right in assuming this means that they could simply add themselves into the >> groups I am setting up, because even if I restrict these groups via an ACL, >> they could just take ownership of the group?* >> >> >> >> You might need to enlist the assistance of... dare I say it? ... >> Auditors. >> >> >> >> If everyone is a domain admin, then they can all do whatsoever they want >> in the domain. >> >> >> >> Seriously, is your organization not subject to some you sort of regulatory >> compliance? Who is your CTO/CIO? >> >> >> >> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker> >> *Exploiting Technology for Business Advantage...* >> * * >> >> >> >> On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]> >> wrote: >> >> However, the business are adamant that every member of the support teams >> (from helpdesk upwards) will be given a Domain Admin account. Am I right in >> assuming this means that they could simply add themselves into the groups I >> am setting up, because even if I restrict these groups via an ACL, they >> could just take ownership of the group? >> >> >> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >> >> --- >> To manage subscriptions click here: >> http://lyris.sunbelt-software.com/read/my_forums/ >> or send an email to [email protected] >> with the body: unsubscribe ntsysadmin >> >> >> >> >> -- >> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into >> the machine wrong figures, will the right answers come out?' I am not able >> rightly to apprehend the kind of confusion of ideas that could provoke such >> a question." >> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >> >> --- >> To manage subscriptions click here: >> http://lyris.sunbelt-software.com/read/my_forums/ >> or send an email to [email protected] >> with the body: unsubscribe ntsysadmin >> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >> >> --- >> To manage subscriptions click here: >> http://lyris.sunbelt-software.com/read/my_forums/ >> or send an email to [email protected] >> with the body: unsubscribe ntsysadmin >> > > > > -- > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into > the machine wrong figures, will the right answers come out?' I am not able > rightly to apprehend the kind of confusion of ideas that could provoke such > a question." > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
