+1 -Jeff Steward
On Thu, Sep 30, 2010 at 9:47 AM, Andrew S. Baker <[email protected]> wrote:

> Change = accountability + better levels of support due to less stuff
> mysteriously breaking.
>
> *ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
> On Thu, Sep 30, 2010 at 9:40 AM, James Rankin <[email protected]> wrote:
>
>> As usual, the boss of the helpdesk (and his golf buddies) think that
>> change = interruptions to support. I'm going to convince them that change =
>> accountability + the same level of support.
>>
>> On 30 September 2010 14:38, Maglinger, Paul <[email protected]> wrote:
>>
>>> What are they trying to accomplish? Do they believe that everyone
>>> needs domain admin rights just to change passwords or unlock accounts? I’d
>>> try to find out what they need to do and then restrict them accordingly.
>>> Help desk doesn’t need rights to be able to change administrator passwords,
>>> free rein to all files, and add machines to the domain (just to name a
>>> few).
>>>
>>> *From:* James Rankin [mailto:[email protected]]
>>> *Sent:* Thursday, September 30, 2010 8:18 AM
>>> *To:* NT System Admin Issues
>>> *Subject:* Re: Restricting groups in Active Directory
>>>
>>> I am raising this up with IS management, as it is unsupportable - there's
>>> no point in me putting a structure together that can just be pulled apart at
>>> will.
>>>
>>> There's no way around it, so I'm just going to have to trust in my own
>>> stubbornness to get the buy-in I need :-) Audit was going to be one of the
>>> hot words to throw into the debate, though. I'd be interested myself in
>>> seeing the results of any previous audits they've had here.
>>>
>>> On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote:
>>>
>>> *>> However, the business are adamant that every member of the support
>>> teams (from helpdesk upwards) will be given a Domain Admin account. Am I
>>> right in assuming this means that they could simply add themselves into the
>>> groups I am setting up, because even if I restrict these groups via an ACL,
>>> they could just take ownership of the group?*
>>>
>>> You might need to enlist the assistance of... dare I say it? ...
>>> Auditors.
>>>
>>> If everyone is a domain admin, then they can all do whatsoever they want
>>> in the domain.
>>>
>>> Seriously, is your organization not subject to some sort of
>>> regulatory compliance? Who is your CTO/CIO?
>>>
>>> On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]>
>>> wrote:
>>>
>>> However, the business are adamant that every member of the support teams
>>> (from helpdesk upwards) will be given a Domain Admin account. Am I right in
>>> assuming this means that they could simply add themselves into the groups I
>>> am setting up, because even if I restrict these groups via an ACL, they
>>> could just take ownership of the group?
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to [email protected]
>>> with the body: unsubscribe ntsysadmin
>>>
>>> --
>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>>> the machine wrong figures, will the right answers come out?' I am not able
>>> rightly to apprehend the kind of confusion of ideas that could provoke such
>>> a question."
