OK, so the "special" people in IT get accounts, you crank up auditing and wait to yank them back.

And, you are planning to create separate accounts, right?

On Thu, Sep 30, 2010 at 2:01 PM, James Rankin <[email protected]> wrote:
> I'm sure it'll be a bit trickier convincing the "special" people in IT. :-)
>
> My initial sounding-out of the powers-that-be didn't go too badly, so
> fingers crossed tomorrow might see some positive developments.
>
> On 30 September 2010 18:57, Jonathan Link <[email protected]> wrote:
>
>> If it's already been navigated, then it should be a short corollary to: if
>> they don't need domain admin rights, they don't get them.
>>
>> On Thu, Sep 30, 2010 at 1:49 PM, James Rankin <[email protected]> wrote:
>>
>>> I can easily use a "Server Admins" group - just involves a little extra
>>> work granting some user rights, that's all.
>>>
>>> On the other query, users don't run as admins. They're Citrix-based so
>>> that hurdle hasn't arisen - or has already been navigated.
>>>
>>> On 30 September 2010 18:25, Brian Desmond <[email protected]> wrote:
>>>
>>>> Please don't try and use the Server Operators group. It hardly grants
>>>> anything on your member servers, but it will hand out all sorts of strange
>>>> permissions you never expected to your DCs. It's there for legacy (NT4)
>>>> compatibility. You shouldn't be populating any of the Operators groups.
>>>>
>>>> Thanks,
>>>> Brian Desmond
>>>> [email protected]
>>>> c – 312.731.3132
>>>>
>>>> From: James Rankin [mailto:[email protected]]
>>>> Sent: Thursday, September 30, 2010 7:19 AM
>>>> To: NT System Admin Issues
>>>> Subject: Re: Restricting groups in Active Directory
>>>>
>>>> I am seriously going to try to get them to accept Server Operators level
>>>> as a compromise. They can still kill servers all they want, but they should
>>>> be able to be locked out of the finer points of VMware, XenApp and
>>>> AppSense.
>>>>
>>>> Time for my first head-butting session with management in this job. If they
>>>> won't budge, it's going straight on the (not yet existent) risk register.
>>>>
>>>> Cheers,
>>>>
>>>> On 30 September 2010 13:05, William J. Robbins <[email protected]> wrote:
>>>>
>>>> The short answer is yes, if they are domain admins they can do anything
>>>> they like provided they have the knowledge. Including add themselves to the
>>>> Enterprise Admins group since you said you were in a single domain, which I
>>>> interpret as no "empty root."
>>>>
>>>> You could change the ACLs, but again they can undo that with the
>>>> knowledge.
>>>>
>>>> The help desk!? Seriously? Well good luck to you in the new position,
>>>> sounds like you may need some.
>>>>
>>>> WJR
>>>> - from my Crackberry.
>>>>
>>>> "If you find yourself in a fair fight, your tactics suck."
>>>> ------------------------------
>>>>
>>>> From: James Rankin <[email protected]>
>>>> Date: Thu, 30 Sep 2010 12:49:52 +0100
>>>> To: NT System Admin Issues <[email protected]>
>>>> ReplyTo: "NT System Admin Issues" <[email protected]>
>>>> Subject: Restricting groups in Active Directory
>>>>
>>>> I've just started a new job and we're building an all-new
>>>> infrastructure. One of the key things I'm looking at is restricting
>>>> access to the most sensitive functions of some of the infrastructure,
>>>> mainly in VMware and XenApp. I'm currently looking at doing this by using
>>>> AD groups - creating groups for each support team and adding those groups
>>>> to the relevant areas in XenApp and VirtualCenter to give them the
>>>> necessary permissions.
>>>>
>>>> However, the business are adamant that every member of the support teams
>>>> (from helpdesk upwards) will be given a Domain Admin account. Am I right in
>>>> assuming this means that they could simply add themselves into the groups I
>>>> am setting up, because even if I restrict these groups via an ACL, they
>>>> could just take ownership of the group?
>>>>
>>>> Could I edit the ACL for these groups and Deny Domain Admins the Modify
>>>> Ownership privilege? Or can they override that as well somehow? Is there
>>>> some way I could handle this even if everyone gets given Domain Admin
>>>> access, or will I have to convince them to do things *properly* using
>>>> delegation of privilege?
>>>>
>>>> All input is welcomed,
>>>>
>>>> TIA,
>>>>
>>>> JRR
>>>>
>>>> --
>>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
>>>> into the machine wrong figures, will the right answers come out?' I am not
>>>> able rightly to apprehend the kind of confusion of ideas that could provoke
>>>> such a question."
>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>
>>>> ---
>>>> To manage subscriptions click here:
>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>> or send an email to [email protected]
>>>> with the body: unsubscribe ntsysadmin
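As an added defender-side check (written for this edit, not code from anyone in the thread), the PowerShell below uses the RSAT ActiveDirectory module to report membership of the Operators groups Brian Desmond says should stay empty and of the tier-0 groups the thread worries about, and then pulls the group-membership audit events that Jonathan Link's "crank up auditing" compensating control relies on. It assumes default English built-in group names, and `$DC` is a placeholder domain controller name.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module
# and, for the event query, Read access to the Security log on a domain controller.
Import-Module ActiveDirectory

# Groups Brian Desmond says should stay empty, plus the tier-0 groups the thread
# worries about. Names are the default English built-in names.
$OperatorGroups = 'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'
$Tier0Groups    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedGroupReport {
    param([string[]]$Groups)
    foreach ($g in $Groups) {
        # -Recursive expands nested groups so indirect members are not missed
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group       = $g
            MemberCount = $members.Count
            Members     = ($members | Select-Object -ExpandProperty SamAccountName) -join ', '
        }
    }
}

# Operators groups: anything other than zero members is a finding.
Get-PrivilegedGroupReport -Groups $OperatorGroups |
    Where-Object MemberCount -gt 0 |
    Format-Table -AutoSize

# Tier-0 groups: review against the approved list of separate admin accounts.
Get-PrivilegedGroupReport -Groups $Tier0Groups | Format-Table -AutoSize

# "Crank up auditing": with 'Audit Security Group Management' enabled on the DCs,
# each membership change logs 4728 (global), 4732 (domain local) or 4756 (universal).
# $DC is a placeholder for a domain controller name.
$DC = 'DC01'
Get-WinEvent -ComputerName $DC -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event data layout for 4728/4732/4756:
        # [0] member name, [1] member SID, [2] target group name, [6] actor account
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Group = $_.Properties[2].Value
            Added = $_.Properties[0].Value
            By    = $_.Properties[6].Value
        }
    } | Format-Table -AutoSize
```

A non-empty Operators report or an unexpected actor in the event list is the signal to act on; the ACL tricks discussed in the thread do not constrain Domain Admins, so the membership review and audit trail are the controls that remain.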
