Yeah I know where you are coming from Darren but absolutely can't say it is ok because I do not believe it is ok at all. I think saying it is ok or that it is understandable will relax people about it and people absolutely should not be relaxed about it or feel that they can't do anything about it and that it isn't their responsibility to try and get corrected. It is a very bad thing and they need to always have that spectre over them where they know it. That helps, I think, in making it so it isn't a surprise when something inevitably screws up and no one can sit there saying, wow, I had no idea it was that bad of a thing. People need to be working towards locking down their environment every moment and looking for bad things and removing them every second. It is a long slow climb uphill but if the work isn't done, it will never happen until maybe, hopefully not, something absolutely blows and everyone has to jump and try to figure out how to do it in one fell swoop.
 
I saw the same logic of  "the people really don't know what they can do"... used for running an Enterprise Data Center back in 1999 and this was with hundreds of NT servers and many domains and application owners were just given admin rights over all of these boxes and it was status quo; none of the people had a clue what kind of rights they had and figured anything bad they were actually protected from doing because it would be stupid to let them be able to do something bad.... Everyone said it was fine and didn't cause issues until I came in and started looking at it and got sick of running around working on stupid preventable stuff so started making sure every issue was reported and floated up. While it made me and my group look bad initially because the availability of the servers appeared to have plummeted from where it was before, it was only that it appeared that way because we actually reported the problems where the previous folks hid everything under the carpet and that slowly became apparent. It slowly gave us the permission to fix stupid things that the previous group said were impossible to get changed. It was a lot of hard work but by the end of it, things actually did run well and stable. I know probably better than most the politics and the outright pain and difficulty involved because I lived through 80 and 100+ hour weeks of it in a very high pressure Fortune 5 environment where I had plant managers and VPs of manufacturing who had no problem screaming at me but I also realize the huge benefits you get out of that work and I think any admins who are serious about doing a good job will keep it up and keep trying to fight the good fight. In the long run, they will look better for it, the company will be better off, and their lives, if they stick around for the benefits, will be easier. 
Folks who don't point out the bad things when they see them and push for better solutions aren't doing any favors for their employers, they are taking the easy route and it is counterproductive long term.
 
I don't do it so much for myself and the long term benefits for me as I never seemed to stay in the positions to benefit for longer than 3-4 years before I ran off and dived into another mess but instead do it because I think that is what my job description as an Admin is. To do the absolute best job I know how to do and work towards making the best environment I can visualize. If luck is a component of the security model or the recovery model or the admin model, I don't consider that to be very good and I know you Darren don't either. You are just nicer than I am in saying it. :)
 
 
  joe
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, July 31, 2006 7:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

<not an argument for implementing bad security>I think we all know how bad it is to have hordes of DAs. We also know that it is the reality in many large and small orgs, and we also know that it is sometimes unavoidable for purely non-technical reasons. The bottom line is that many of those DAs probably don't know how to undo something that you take away from them, so security by obscurity, while pretty awful, sometimes actually works.
</not an argument for implementing bad security>


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 31, 2006 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

Hehe. Wrong list for this kind of question. Put on a helmet.
 
But... yes you can, for as long as the DAs decide to let it be that way. They will have no issues switching it right back. You CANNOT prevent DAs from doing anything they want in the domain or the forest. You can try like a duckling can try and put out the flames of a volcano with the beating of his wings and you will be just as successful. There is no such thing as Domain Administrator and Super Domain Administrator. Once you get even administrator rights on a DC, you pretty much do what you want when you want. It really doesn't even take that much but we will start there.
 
The answer you are looking for is to reduce the number of DAs in the entire forest to 5 or less. You don't work for a large enough company to actually qualify to use LOTS of Domain Administrators unless there are lots of forests and only a few DAs in each. AD should be delegated or provisioned, it shouldn't have a bunch of folks with native high level rights. No this isn't impossible to do, some of us have done it in Fortune 5 companies and of course also in smaller companies.
 
  joe
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.

Andy
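
An added example (not part of this thread or anyone's code in it) that audits the two things Andy asks about and joe answers: which principals currently hold the create-GPO permission on the domain's Policies container, and how many users actually sit in Domain Admins, Enterprise Admins and Group Policy Creator Owners once nested groups are flattened. It assumes the ActiveDirectory RSAT module and a reader with rights to read the Policies container ACL; the threshold of 5 is taken from joe's reply.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Resolve the schemaIDGUID of groupPolicyContainer from the schema instead of hard-coding it.
$gpcClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
$gpcGuid  = [guid]$gpcClass.schemaIDGUID
$anyClass = [guid]'00000000-0000-0000-0000-000000000000'   # ACE covers every child class

# --- 1. Who can create GPOs? (Create Child of groupPolicyContainer on CN=Policies) ---
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$acl = Get-Acl -Path "AD:\$policiesDn"
$gpoCreators = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
    ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq $anyClass)
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

"Principals allowed to create GPOs in $($domain.DNSRoot):"
$gpoCreators | Format-Table -AutoSize

# --- 2. How many privileged users are there really? ---------------------------------
# Well-known RIDs: 512 = Domain Admins, 519 = Enterprise Admins (forest root only),
# 520 = Group Policy Creator Owners.
$privGroups = @{
    'Domain Admins'               = "$($domain.DomainSID)-512"
    'Group Policy Creator Owners' = "$($domain.DomainSID)-520"
}
if ($domain.DNSRoot -eq (Get-ADForest).RootDomain) {
    $privGroups['Enterprise Admins'] = "$($domain.DomainSID)-519"
}

$maxDAs = 5   # joe's guidance: 5 or fewer DAs in the whole forest
foreach ($name in $privGroups.Keys) {
    # -Recursive flattens nested groups, which is where DA sprawl usually hides.
    $members = Get-ADGroupMember -Identity $privGroups[$name] -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property SamAccountName -Unique
    $flag = if ($name -eq 'Domain Admins' -and $members.Count -gt $maxDAs) { '  <-- exceeds threshold' } else { '' }
    "{0}: {1} user(s){2}" -f $name, $members.Count, $flag
    $members | ForEach-Object { "    $($_.SamAccountName)" }
}
```

Any Domain Admin listed in part 2 can rewrite the ACL found in part 1, which is why the count in part 2, not the ACE in part 1, is the control that matters.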
