Not really.  I can see that the IT staff in general would want to retain
admin rights generally and limit rights to users based on what they need.
IT staff at that organization need to adjust to a least permissions
framework, too.  If they've already pushed that framework down to the users
or if the users have always operated under such a framework, then it should
be a fairly easy concept to grasp and there will already be precedent for
limiting administrative user rights.

On Thu, Sep 30, 2010 at 12:29 PM, Crawford, Scott <[email protected]> wrote:

>  You’re **incredibly** optimistic.  Do you actually think there’s a chance
> that a company that wants all of IT to be Domain Admins has seen the light
> and doesn’t let users run as local admins?
>
>
>
> *From:* Jonathan Link [mailto:[email protected]]
> *Sent:* Thursday, September 30, 2010 10:34 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Restricting groups in Active Directory
>
>
>
> Lemme ask this... since there's a need to get management buy in.  Is
> everyone in the organization running as local admin?  If not, then an
> analogy can be drawn.  After all, if helpdesk had to support staff who ran as
> admin, well, that would be more difficult, right?  It's a good argument to
> shut down the helpdesk golfing buddies.  If everyone does run as admin, then
> you have a mighty challenge, sir.
>
>
>
>
>
> On Thu, Sep 30, 2010 at 10:36 AM, Don Guyer <[email protected]>
> wrote:
>
> When I first arrived here, “everyone and their Grandmother” in IT were
> Domain Admins. After months of kicking and screaming, we were able to
> convince management that we need to narrow that list down. It did take quite
> a bit of work, but needed to be done.
>
>
>
> Don Guyer
>
> Systems Engineer - Information Services
>
> Prudential, Fox & Roach/Trident Group
>
> 431 W. Lancaster Avenue
>
> Devon, PA 19333
>
> Direct: (610) 993-3299
>
> Fax: (610) 650-5306
>
> [email protected]
>
>
>
> *From:* William Robbins [mailto:[email protected]]
> *Sent:* Thursday, September 30, 2010 10:24 AM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: Restricting groups in Active Directory
>
>
>
> I'll see your +1 and raise +11
>
>  - WJR
>
> On Thu, Sep 30, 2010 at 09:04, Jeff Steward <[email protected]> wrote:
>
> +1
>
>
>
> -Jeff Steward
>
> On Thu, Sep 30, 2010 at 9:47 AM, Andrew S. Baker <[email protected]>
> wrote:
>
>  Change = accountability + better levels of support due to less stuff
> mysteriously breaking.
>
>
>
>
> *ASB *(My XeeSM Profile) <http://xeesm.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
>
>
> On Thu, Sep 30, 2010 at 9:40 AM, James Rankin <[email protected]>
> wrote:
>
>  As usual, the boss of the helpdesk (and his golf buddies) think that
> change = interruptions to support. I'm going to convince them that change =
> accountability + the same level of support.
>
> On 30 September 2010 14:38, Maglinger, Paul <[email protected]> wrote:
>
>   What are they trying to accomplish?  Do they believe that everyone needs
> domain admin rights just to change passwords or unlock accounts?  I’d try to
> find out what they need to do and then restrict them accordingly.  Help desk
> doesn’t need rights to be able to change administrator passwords, free rein
> to all files, and add machines to the domain (just to name a few).
>
>
>
> *From:* James Rankin [mailto:[email protected]]
>
> *Sent:* Thursday, September 30, 2010 8:18 AM
>
> *To:* NT System Admin Issues
>
> *Subject:* Re: Restricting groups in Active Directory
>
>
>
> I am raising this up with IS management, as it is unsupportable - there's
> no point in me putting a structure together that can just be pulled apart at
> will.
>
>
>
> There's no way around it, so I'm just going to have to trust in my own
> stubbornness to get the buy-in I need :-) Audit was going to be one of the
> hot words to throw into the debate, though. I'd be interested myself in
> seeing the results of any previous audits they've had here.
>
> On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote:
>
> *>> However, the business are adamant that every member of the support
> teams (from helpdesk upwards) will be given a Domain Admin account. Am I
> right in assuming this means that they could simply add themselves into the
> groups I am setting up, because even if I restrict these groups via an ACL,
> they could just take ownership of the group?*
>
>
>
> You might need to enlist the assistance of... dare I say it? ...  Auditors.
>
>
>
> If everyone is a domain admin, then they can all do whatsoever they want in
> the domain.
>
>
>
> Seriously, is your organization not subject to some sort of regulatory
> compliance?  Who is your CTO/CIO?
>
>
>
> *ASB *(My XeeSM Profile) <http://xeesm.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
>
>
> On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]>
> wrote:
>
> However, the business are adamant that every member of the support teams
> (from helpdesk upwards) will be given a Domain Admin account. Am I right in
> assuming this means that they could simply add themselves into the groups I
> am setting up, because even if I restrict these groups via an ACL, they
> could just take ownership of the group?
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>
>
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>