I'll see your +1 and raise +11 - WJR
On Thu, Sep 30, 2010 at 09:04, Jeff Steward <[email protected]> wrote:
> +1
>
> -Jeff Steward
>
> On Thu, Sep 30, 2010 at 9:47 AM, Andrew S. Baker <[email protected]> wrote:
>
>> Change = accountability + better levels of support due to less stuff
>> mysteriously breaking.
>>
>> *ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
>> *Exploiting Technology for Business Advantage...*
>>
>> On Thu, Sep 30, 2010 at 9:40 AM, James Rankin <[email protected]> wrote:
>>
>>> As usual, the boss of the helpdesk (and his golf buddies) think that
>>> change = interruptions to support. I'm going to convince them that change =
>>> accountability + the same level of support.
>>>
>>> On 30 September 2010 14:38, Maglinger, Paul <[email protected]> wrote:
>>>
>>>> What are they trying to accomplish? Do they believe that everyone
>>>> needs domain admin rights just to change passwords or unlock accounts? I’d
>>>> try to find out what they need to do and then restrict them accordingly.
>>>> Help desk doesn’t need rights to be able to change administrator passwords,
>>>> free rein to all files, and add machines to the domain (just to name a
>>>> few).
>>>>
>>>> *From:* James Rankin [mailto:[email protected]]
>>>> *Sent:* Thursday, September 30, 2010 8:18 AM
>>>> *To:* NT System Admin Issues
>>>> *Subject:* Re: Restricting groups in Active Directory
>>>>
>>>> I am raising this up with IS management, as it is unsupportable -
>>>> there's no point in me putting a structure together that can just be pulled
>>>> apart at will.
>>>>
>>>> There's no way around it, so I'm just going to have to trust in my own
>>>> stubbornness to get the buy-in I need :-) Audit was going to be one of the
>>>> hot words to throw into the debate, though. I'd be interested myself in
>>>> seeing the results of any previous audits they've had here.
>>>>
>>>> On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote:
>>>>
>>>> *>> However, the business are adamant that every member of the support
>>>> teams (from helpdesk upwards) will be given a Domain Admin account. Am I
>>>> right in assuming this means that they could simply add themselves into the
>>>> groups I am setting up, because even if I restrict these groups via an ACL,
>>>> they could just take ownership of the group?*
>>>>
>>>> You might need to enlist the assistance of... dare I say it? ...
>>>> Auditors.
>>>>
>>>> If everyone is a domain admin, then they can all do whatsoever they want
>>>> in the domain.
>>>>
>>>> Seriously, is your organization not subject to some sort of
>>>> regulatory compliance? Who is your CTO/CIO?
>>>>
>>>> On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]>
>>>> wrote:
>>>>
>>>> However, the business are adamant that every member of the support teams
>>>> (from helpdesk upwards) will be given a Domain Admin account. Am I right in
>>>> assuming this means that they could simply add themselves into the groups I
>>>> am setting up, because even if I restrict these groups via an ACL, they
>>>> could just take ownership of the group?
>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>
>>>> ---
>>>> To manage subscriptions click here:
>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>> or send an email to [email protected]
>>>> with the body: unsubscribe ntsysadmin
>>>>
>>>> --
>>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
>>>> into the machine wrong figures, will the right answers come out?' I am not
>>>> able rightly to apprehend the kind of confusion of ideas that could provoke
>>>> such a question."
