"I see. And how many directories have you designed for Fortune 500 companies?"

That made me laugh.

On Thu, Sep 30, 2010 at 4:38 PM, William Robbins <[email protected]> wrote:

> I see. And how many directories have you designed for Fortune 500
> companies?
>
> I'm protecting them from people that think it's no big deal to continue to
> design a directory as if it were still 1996...but that's just me and my 10
> years of experience designing directories for enterprise environments
> talking.
>
> You go right ahead doing it your way, I'll do it mine.
>
> - WJR
>
> On Thu, Sep 30, 2010 at 15:22, Brian Desmond <[email protected]> wrote:
>
>> Your average Fortune 500 probably doesn't have the network requirements
>> to demand it. I've worked in places that do and I've worked in a lot of
>> places that don't.
>>
>> You're looking at a lot more than two servers plus the man hours and
>> overhead when you add it up. I'm not sure what you feel you're protecting
>> yourself or your customers from by continuing to deploy this design.
>>
>> Thanks,
>> Brian Desmond
>> [email protected]
>> c – 312.731.3132
>> Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
>> Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
>>
>> From: William Robbins [mailto:[email protected]]
>> Sent: Thursday, September 30, 2010 2:43 PM
>> To: NT System Admin Issues
>> Subject: Re: Restricting groups in Active Directory
>>
>> Very limited huh? You mean like the Fortune 500?
>>
>> How much money does two servers cost? How much does it cost when some
>> idiot gives himself inappropriate creds and makes a critical error?
>>
>> - WJR
>>
>> On Thu, Sep 30, 2010 at 14:27, Brian Desmond <[email protected]> wrote:
>>
>> All it does is cost money in most orgs. The need for separate domains is
>> down to segregating domain NC replication and there's a very limited set of
>> places where you actually need to start doing that.
>>
>> Thanks,
>> Brian Desmond
>> [email protected]
>> c – 312.731.3132
>>
>> From: William Robbins [mailto:[email protected]]
>> Sent: Thursday, September 30, 2010 2:21 PM
>> To: NT System Admin Issues
>> Subject: Re: Restricting groups in Active Directory
>>
>> Ever tried it? Ever successfully done it?
>>
>> I have, and I'm tired of hearing that argument that empty root is
>> useless. *Most* folks don't know, nor care to make the effort to
>> exploit this.
>>
>> They will, and know how to very easily, add themselves to a group in a
>> flat domain.
>>
>> - WJR
>>
>> On Thu, Sep 30, 2010 at 12:25, Brian Desmond <[email protected]> wrote:
>>
>> Even if they were a domain admin in a child they could add themselves to
>> the EAs group in a root domain if they really wanted to.
>>
>> Thanks,
>> Brian Desmond
>> [email protected]
>> c – 312.731.3132
>>
>> From: William J. Robbins [mailto:[email protected]]
>> Sent: Thursday, September 30, 2010 7:05 AM
>> To: NT System Admin Issues
>> Subject: Re: Restricting groups in Active Directory
>>
>> The short answer is yes, if they are domain admins they can do anything
>> they like provided they have the knowledge. Including add themselves to the
>> Enterprise Admins group since you said you were in a single domain, which I
>> interpret as no "empty root."
>>
>> You could change the ACLs, but again they can undo that with the
>> knowledge.
>>
>> The help desk!? Seriously? Well good luck to you in the new position,
>> sounds like you may need some.
>>
>> WJR
>> - from my Crackberry.
>>
>> "If you find yourself in a fair fight, your tactics suck."
>>
>> ------------------------------
>> From: James Rankin <[email protected]>
>> Date: Thu, 30 Sep 2010 12:49:52 +0100
>> To: NT System Admin Issues <[email protected]>
>> ReplyTo: "NT System Admin Issues" <[email protected]>
>> Subject: Restricting groups in Active Directory
>>
>> I've just started a new job and we're building an all-new infrastructure.
>> One of the key things I'm looking at is restricting access to the most
>> sensitive functions of some of the infrastructure, mainly in VMWare and
>> XenApp. I'm currently looking at doing this by using AD groups - creating
>> groups for each support team and adding those groups to the relevant areas
>> in XenApp and VirtualCenter to give them the necessary permissions.
>>
>> However, the business are adamant that every member of the support teams
>> (from helpdesk upwards) will be given a Domain Admin account. Am I right in
>> assuming this means that they could simply add themselves into the groups I
>> am setting up, because even if I restrict these groups via an ACL, they
>> could just take ownership of the group?
>>
>> Could I edit the ACL for these groups and Deny Domain Admins the Modify
>> Ownership privilege? Or can they override that as well somehow? Is there
>> some way I could handle this even if everyone gets given Domain Admin
>> access, or will I have to convince them to do things *properly* using
>> delegation of privilege?
>>
>> All input is welcomed,
>>
>> TIA,
>>
>> JRR
>>
>> --
>>
>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>> the machine wrong figures, will the right answers come out?' I am not able
>> rightly to apprehend the kind of confusion of ideas that could provoke such
>> a question."
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
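The thread's technical point is that a Deny ACE (for example on WriteOwner) placed on a group is only a speed bump against someone who already holds Domain Admin, because that principal can rewrite the ACL or take ownership back. What a defender can still do is make the state visible: record which principals hold the rights that matter on each sensitive group, and detect membership drift against a baseline. The PowerShell below is an added example written for this page; it is not code from any participant in the thread. It assumes the RSAT ActiveDirectory module is installed, and the group names, baseline contents and rights of interest are constructed placeholders.

```powershell
# Added example, not from the thread. Audits the DACL and membership of
# sensitive AD groups. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed group names: replace with the real XenApp / VirtualCenter groups.
$SensitiveGroups = @('XenApp-Admins', 'VirtualCenter-Admins')

# Constructed baseline; in practice load it from a read-only, separately
# protected store so the people being audited cannot edit it.
$Baseline = @{
    'XenApp-Admins'        = @('citrixadmin1', 'citrixadmin2')
    'VirtualCenter-Admins' = @('vmadmin1')
}

# Domain Admins is always RID 512 of the domain SID, so match on SID, not name.
$DomainAdminsSid = (Get-ADDomain).DomainSID.Value + '-512'

# Rights that let a principal change the group or its ACL. GenericAll and
# GenericWrite contain these bits, so -band catches them too.
$RightsOfInterest = [System.DirectoryServices.ActiveDirectoryRights]'WriteOwner, WriteDacl, WriteProperty'

function Get-GroupAclReport {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if (($ace.ActiveDirectoryRights -band $RightsOfInterest) -eq 0) { continue }
        # Resolve the ACE identity to a SID so the Domain Admins check is locale-proof.
        $sid = if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
            $ace.IdentityReference.Value
        } else {
            try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
        }
        [pscustomobject]@{
            Group          = $GroupName
            Owner          = $acl.Owner
            Identity       = $ace.IdentityReference.Value
            IsDomainAdmins = ($sid -eq $DomainAdminsSid)
            Type           = $ace.AccessControlType   # Allow or Deny
            Rights         = $ace.ActiveDirectoryRights
            Inherited      = $ace.IsInherited
        }
    }
}

function Test-GroupMembershipDrift {
    param([Parameter(Mandatory)][string]$GroupName, [Parameter(Mandatory)][hashtable]$Baseline)
    $expected = @()
    if ($Baseline.ContainsKey($GroupName)) { $expected = @($Baseline[$GroupName]) }
    # -Recursive flattens nested groups, so a member added through a child group still shows up.
    $current = @(Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty SamAccountName)
    foreach ($m in ($current | Where-Object { $_ -notin $expected })) {
        [pscustomobject]@{ Group = $GroupName; Member = $m; Change = 'ADDED (not in baseline)' }
    }
    foreach ($m in ($expected | Where-Object { $_ -notin $current })) {
        [pscustomobject]@{ Group = $GroupName; Member = $m; Change = 'REMOVED' }
    }
}

foreach ($g in $SensitiveGroups) {
    "=== ACL entries on $g that allow changing members, the DACL or the owner ==="
    Get-GroupAclReport -GroupName $g | Format-Table -AutoSize
    "=== Membership drift on $g against the baseline ==="
    Test-GroupMembershipDrift -GroupName $g -Baseline $Baseline | Format-Table -AutoSize
}
```

Run this on a schedule from an account and host that the Domain Admins being audited do not control, and keep the output somewhere they cannot edit; otherwise the report inherits the same weakness as the ACL. The ACL report will show any Deny ACE you add for Domain Admins, but it will also show that the same principal still holds Allow rights through inheritance or ownership, which is the "they can undo that" point made in the thread. For real-time detection rather than periodic drift checks, forward the Security log events for membership changes (event IDs 4728, 4732 and 4756 for global, local and universal security groups respectively) from the domain controllers to a collector the support teams cannot reach.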
