ard [mailto:ezi...@lifespan.org]
Sent: Monday, June 11, 2012 6:43 AM
To: NT System Admin Issues
Subject: RE: Reality check
Only if they have AGPM installed, Don... not all have it.
It's definitely nice though, and helps keep GPOs controlled and audited.
Z
Edward Ziots
CISSP, Security +, Network
For immediate assistance, please open a Service Desk ticket or call the
helpdesk @ 610-492-3839.
-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Monday, June 11, 2012 9:43 AM
To: NT System Admin Issues
Subject: RE: Reality check
Only if they have AGPM installed
o:dgu...@che.org]
Sent: Monday, June 11, 2012 8:07 AM
To: NT System Admin Issues
Subject: RE: Reality check
On top of that you can use Group Policy Management's Change Control feature for
approving/unapproving remote tech's GPO submissions.
Regards,
Don Guyer
Catholic Health Eas
08, 2012 4:28 PM
To: NT System Admin Issues
Subject: RE: Reality check
You can delegate off the GPO stuff as well.
-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Friday, June 8, 2012 1:03 PM
To: NT System Admin Issues
Subject: RE: Reality check
Already did exactl
From a security principles standpoint, that was spot on. Falls under the
concept of Least Privilege. Provide absolutely ALL the privilege needed to
perform required duties, but not any privilege in excess. Domain admin for
a local install would be a violation of best practice.
From: David
From: David Lum [mailto:david@nwea.org]
Sent: Friday, June 08, 2012 12:29 PM
To: NT System Admin Issues
Subject: RE: Reality check
“separation of privileges or separation of duties which should be firmly
entrenched in most workplaces”
HAHAHAHAHHAHAHHAHAHAA! Oh wait, you said “should
You can delegate off the GPO stuff as well.
-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Friday, June 8, 2012 1:03 PM
To: NT System Admin Issues
Subject: RE: Reality check
Already did exactly this for the Service Desk a couple years ago, the only
different for
bet it'd take a while before they noticed...like the next time they went
> to mess with a GPO (which is rare, but it happens).
>
> Dave
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, June 08, 2012 11:47 AM
> To: NT System Admin
e, but it happens).
Dave
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, June 08, 2012 11:47 AM
To: NT System Admin Issues
Subject: Re: Reality check
If that's all they need, then delegation is your friend. It's pretty dang easy
to set up, too.
Create a
riday, June 08, 2012 10:23 AM
>
>
> To: NT System Admin Issues
> Subject: Re: Reality check
>
>
>
> In your shoes I might be tempted to present them with a fait accompli -
> over the weekend strip their user accounts of DA privileges and create new
> accounts for them that a
Yeah after seeing other responses I did exactly that. Better than a "per
server" account.
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, June 08, 2012 10:00 AM
To: NT System Admin Issues
Subject: Re: Reality check
On Fri, Jun 8, 2012 at 6:11 AM,
Issues
Subject: Re: Reality check
In your shoes I might be tempted to present them with a fait accompli - over
the weekend strip their user accounts of DA privileges and create new accounts
for them that allows them to do what they need to do.
Of course, you'd want to show the manager o
m they’re normal accounts
> are DA accounts.
>
> Hmm…that might be a vent…
>
> *From:* Ziots, Edward [mailto:ezi...@lifespan.org]
> *Sent:* Friday, June 08, 2012 6:57 AM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Reality check
On Fri, Jun 8, 2012 at 6:11 AM, David Lum wrote:
> A fellow team member (not an SE, but more of an application owner type of
> tech person) needs Local Admin access to a server to install and configure a
> new application on it. I understand the need and agree with it.
>
> Instead of just throwing
: NT System Admin Issues
Subject: RE: Reality check
“separation of privileges or separation of duties which should be firmly
entrenched in most workplaces”
HAHAHAHAHHAHAHHAHAHAA! Oh wait, you said “should”
Dude, our users are still local admins and I’m the only one who seems to care,
not one of
Subject: RE: Reality check
“separation of privileges or separation of duties which should be firmly
entrenched in most workplaces”
HAHAHAHAHHAHAHHAHAHAA! Oh wait, you said “should”
Dude, our users are still local admins and I’m the only one who seems to care,
not one of the 5 Service Des
System Admin Issues
Subject: RE: Reality check
Seems strange that business users would have admin access to a server, which
wouldn’t obey separation of privileges or separation of duties which should be
firmly entrenched in most workplaces (again YMMV as stated before).
Z
Edward Ziots
CISSP
No, he created LA_ account, for example, mine would be
LA_jonathan.link.
On Fri, Jun 8, 2012 at 10:23 AM, Ken Schaefer wrote:
> You created a general account? Rather than a specific account for the
> user?
>
> In general though, in a small environment I would create a Domain grou
You created a general account? Rather than a specific account for the user?
In general though, in a small environment I would create a Domain group of some
kind (e.g. Universal or Global). The Domain group would be based on a business
need/business unit/etc. Add that group to the Local Administr
Engineer
Lifespan Organization
ezi...@lifespan.org
From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Friday, June 08, 2012 9:28 AM
To: NT System Admin Issues
Subject: Re: Reality check
It depends on your environment. That's almost identical to the procedure we
have here.
I don't think so. In the last three organizations I've been at, all have a
similar process and setup. Different naming standard, but same purpose and
results. However, we didn't use GPO to setup the group on the server. That
sounds pretty neat and automated.
Now back to my hub transport outa
It depends on your environment. That's almost identical to the procedure
we have here. When provisioning a new server here, part of the process is
to create a new AD group with this naming convention:
ACME_ADMINS_SERVERNAME
This group is then placed in the local administrators group of the serv
It depends... :-)
On Fri, Jun 8, 2012 at 9:11 AM, David Lum wrote:
> A fellow team member (not an SE, but more of an application owner type of
> tech person) needs Local Admin access to a server to install and configure
> a new application on it. I understand the need and agree with it.
>
>
New VHD file format? Must be related to live migration?
-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, December 16, 2011 7:59 AM
To: NT System Admin Issues
Subject: RE: Reality check (an easy one)
The major thing I don't like about this sce
se SQL.
From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Friday, December 16, 2011 7:28 AM
To: NT System Admin Issues
Subject: Re: Reality check (an easy one)
In the case of upgrading 2008 to 2008 R2, I've done it a handful of times with
no complaints to note. In this specific case, it s
he VM - get the best of all the new worlds. :-)
Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Friday, December 16, 2011 10:08 AM
To: NT System Admin Issues
Subject: Re: Reality che
In the case of upgrading 2008 to 2008 R2, I've done it a handful of times
with no complaints to note. In this specific case, it should be easy.
If they have enough hardware, though, I would definitely use that, because
there would be zero downtime and no real chance to have any problems.
*A
On Fri, Dec 16, 2011 at 9:42 AM, David Lum wrote:
> Step 1 is very straightforward right? Going from 64-bit non-R2 to R2 can be
> done in-place with no worries?
I don't like in-place upgrades on Windows. Never have. Given how
little configuration is living in your host OS, doing a clean insta
On 21 Jan 2010 at 16:04, Mayo, Bill wrote:
> I am terribly frustrated with an application vendor who is on-site to
> add a new module to one of our critical software packages, and I want to
> confirm it is not just me being difficult. This system already has the
> requirement that a workstation b
ry 21, 2010 5:50 PM
To: NT System Admin Issues
Subject: RE: Reality check
I have myself used that software in the past for that purpose. Because of
the way this software works (counters, cancel buttons, dialogs when there is
a problem, etc), I don't think it would work. Beyond that, this vendo
We also have a program that has to be logged in to run. Not only does it need
to have a user logged in, it won't auto-start. I have it in "start-up" but it
still takes manual intervention. It is maddening.
-Original Message-
From: Mayo, Bill [mailto:bem...@pittcountync.gov]
Sent: Thu
t didn't
>>> happen.
>>>
>>> Thanks to all for the confirmation that I am not just difficult (at
>>> least in this case!).
>>>
>>> Bill Mayo
>>>
>>> -Original Message-
>>> From: Christopher Bodnar [mailto:c
From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Thursday, January 21, 2010 5:13 PM
To: NT System Admin Issues
Subject: Re: Reality check
First, I agree with everyone else. Software in today's world shouldn't
have that type of dependency. Unfortunately, current versions of today
firmation that I am not just difficult (at
>> least in this case!).
>>
>> Bill Mayo
>>
>> -Original Message-
>> From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
>> Sent: Thursday, January 21, 2010 4:23 PM
>> To: NT System Admin Is
an do.
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Thursday, January 21, 2010 5:12 PM
To: NT System Admin Issues
Subject: Re: Reality check
Perhaps you can take the tack that your department owns the network, and that
you won't have such an insecure setup on yo
christopher_bod...@glic.com]
> Sent: Thursday, January 21, 2010 4:23 PM
> To: NT System Admin Issues
> Subject: RE: Reality check
>
> As long as you are tied to the vendor, they will do whatever they want,
> which means not fixing the problem.
>
> Any possibility of shoppin
s to services. Guess that didn't
> happen.
>
> Thanks to all for the confirmation that I am not just difficult (at
> least in this case!).
>
> Bill Mayo
>
> -Original Message-
> From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
> Sent: Thursda
ficult (at
least in this case!).
Bill Mayo
-Original Message-
From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Thursday, January 21, 2010 4:23 PM
To: NT System Admin Issues
Subject: RE: Reality check
As long as you are tied to the vendor, they will do whatever they w
You are right. But as you, I've fought with vendors when the client was
tied to them, and they don't understand/don't want to understand the
importance of not running with it logged. The most common answer I used to
hear is that "all their other clients use it like this and don't
complain"
As long as you are tied to the vendor, they will do whatever they want,
which means not fixing the problem.
Any possibility of shopping around for another vendor?
Chris Bodnar, MCSE
Sr. Systems Engineer
Infrastructure Service Delivery
Distributed Systems Service Delivery - Intel Services
Guardi
Noo.
I can think of a dozen problems with that scenario, both operationally
and security wise, without even knowing any further details.
-sc
> -Original Message-
> From: Mayo, Bill [mailto:bem...@pittcountync.gov]
> Sent: Thursday, January 21, 2010 4:05 PM
> To: NT System Admin Issue
Hi Bill.
I graduated from ECU in 1983 and did some of my grad work at Pitt Memorial. I
have fond memories of Pitt County.
Enough of old home week - push back. Really really hard.
That's ridiculous. Services are even easy to do in the Win32 API.
It takes less than 20 lines of code in C# to sta
No, you are not alone.
Any company that vends software to run on a server, and which can't
figure out how to make it run as a service, should immediately go
bankrupt, and their software devs and management should be publicly
flogged.
Kurt
On Thu, Jan 21, 2010 at 13:04, Mayo, Bill wrote:
> I am
You are not alone. Unfortunately, it is common enough in the application
design field.
-Original Message-
From: Mayo, Bill [mailto:bem...@pittcountync.gov]
Sent: Thursday, January 21, 2010 4:05 PM
To: NT System Admin Issues
Subject: Reality check
I am terribly frustrated with an applica
44 matches