So, what's your weekend looking like? :)

On Fri, Jun 8, 2012 at 12:02 PM, David Lum <david....@nwea.org> wrote:
> Already did exactly this for the Service Desk a couple years ago, the only
> difference for the SEs would be allowing it to OUs the SD guys can't get to.
> I'd bet it'd take a while before they noticed...like the next time they went
> to mess with a GPO (which is rare, but it happens).
>
> Dave
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, June 08, 2012 11:47 AM
> To: NT System Admin Issues
> Subject: Re: Reality check
>
> If that's all they need, then delegation is your friend. It's pretty dang
> easy to set up, too.
>
> Create accounts, put them in the new groups, use the delegation wizard to add
> the new groups to the relevant OUs, and you're good to go.
>
> Kurt
>
> On Fri, Jun 8, 2012 at 10:40 AM, David Lum <david....@nwea.org> wrote:
>>
>> That’s funny, I *JUST* had this discussion with someone else here. If
>> they could create accounts, join machines, and install software on
>> some systems they’d likely not know the difference..
>>
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Friday, June 08, 2012 10:23 AM
>> To: NT System Admin Issues
>> Subject: Re: Reality check
>>
>> In your shoes I might be tempted to present them with a fait accompli
>> - over the weekend strip their user accounts of DA privileges and
>> create new accounts for them that allow them to do what they need to do.
>>
>> Of course, you'd want to show the manager of the department references
>> on why you're doing it, and get his blessing.
>>
>> Kurt
>>
>> On Fri, Jun 8, 2012 at 9:29 AM, David Lum <david....@nwea.org> wrote:
>>
>> “separation of privileges or separation of duties which should be
>> firmly entrenched in most workplaces”
>>
>> HAHAHAHAHHAHAHHAHAHAA! Oh wait, you said “should”
>>
>> Dude, our users are still local admins and I’m the only one who seems
>> to care; not one of the 5 Service Desk guys is inclined to move us in
>> that direction, they only see it as extra work. Only one other SE has
>> a separate DA account for Domain Admin access; for the rest of ‘em, their
>> normal accounts are DA accounts.
>>
>> Hmm…that might be a vent…
>>
>> From: Ziots, Edward [mailto:ezi...@lifespan.org]
>> Sent: Friday, June 08, 2012 6:57 AM
>> To: NT System Admin Issues
>> Subject: RE: Reality check
>>
>> Seems strange that business users would have admin access to a server,
>> which wouldn’t obey separation of privileges or separation of duties
>> which should be firmly entrenched in most workplaces (again YMMV as
>> stated before).
>>
>> Z
>>
>> Edward Ziots
>> CISSP, Security+, Network+
>> Security Engineer
>> Lifespan Organization
>> ezi...@lifespan.org
>>
>> From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
>> Sent: Friday, June 08, 2012 9:28 AM
>> To: NT System Admin Issues
>> Subject: Re: Reality check
>>
>> It depends on your environment. That's almost identical to the
>> procedure we have here. When provisioning a new server here, part of
>> the process is to create a new AD group with this naming convention:
>>
>> ACME_ADMINS_SERVERNAME
>>
>> This group is then placed in the local administrators group of the server.
>> All business users that need admin access to servers have a separate
>> account for that purpose. They submit a privileged access request, and
>> when approved our "user admin" group adds them to the appropriate AD
>> group that was created for the server. In a small environment this might be
>> overkill.
>>
>> YMMV
>>
>> Christopher Bodnar
>> Enterprise Architect I, Corporate Office of Technology: Enterprise
>> Architecture and Engineering Services
>> Tel 610-807-6459
>> 3900 Burgess Place, Bethlehem, PA 18017
>> christopher_bod...@glic.com
>> The Guardian Life Insurance Company of America
>> www.guardianlife.com
>>
>> From: David Lum <david....@nwea.org>
>> To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
>> Date: 06-08-12 09:14 AM
>> Subject: Reality check
>>
>> A fellow team member (not an SE, but more of an application owner type of
>> tech person) needs Local Admin access to a server to install and configure a
>> new application on it. I understand the need and agree with it.
>>
>> Instead of just throwing his account into the local admin group on that
>> server I did the following:
>> Created a LA-<servername> account (LA = Local Admin)
>> Created a security group called LA-<servername>_LocalAdmin, added the
>> above to it
>> Created a GPO to put said security group into local admins on that server
>>
>> My thinking is
>> 1. This keeps him from using his daily account to be local admin on
>> the box
>> 2. I don’t have an individual assignment on that server
>>
>> In general, I view putting a user specifically into a server’s local group
>> as the same as putting a user (instead of a group) into the ACL of an NTFS
>> folder. If said employee leaves, it’s difficult/tedious to see where they
>> had access TO, so we have no idea where their replacement might need to be
>> added.
>>
>> However, was that really too much work to give the guy the ability to log
>> in as local admin?
>>
>> David Lum
>> Systems Engineer // NWEA™
>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin
>>
>> -----------------------------------------
>> This message, and any attachments to it, may contain information that is
>> privileged, confidential, and exempt from disclosure under applicable law.
>> If the reader of this message is not the intended recipient, you are
>> notified that any use, dissemination, distribution, copying, or
>> communication of this message is strictly prohibited. If you have received
>> this message in error, please notify the sender immediately by return
>> e-mail and delete the message and any attachments. Thank you.
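The per-server group pattern that David and Christopher describe (a dedicated admin account, a LA-<servername>_LocalAdmin or ACME_ADMINS_SERVERNAME group, the group rather than the person in local Administrators, and a quick way to answer "where did this person have access?") can be scripted. The following is an added example written for this thread, not code from any of the posters. It assumes the ActiveDirectory RSAT module, an account that may create objects in the two OUs, and that the OU distinguished names, the example.com domain and the server names are placeholders. David's third step (a GPO that pushes the group into local Administrators) has no simple cmdlet, so the direct ADSI membership change is shown instead; use the GPO editor's Restricted Groups or Group Policy Preferences if you want the GPO route.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module,
# rights to create objects in the OUs below, and that OU DNs, domain and
# server names are placeholders for your own environment.
Import-Module ActiveDirectory

# Steps 1 and 2 of David's procedure: a dedicated LA-<server> account and a
# LA-<server>_LocalAdmin security group that holds it. Prefix and group
# pattern are parameters, so '{0}' -> 'ACME_ADMINS_{0}' gives Christopher's
# naming convention instead.
function New-ServerLocalAdminDelegation {
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        [string] $AccountPrefix = 'LA-',
        [string] $GroupPattern  = 'LA-{0}_LocalAdmin',    # {0} = server name
        [string] $AccountOu = 'OU=Local Admin Accounts,DC=example,DC=com',  # placeholder
        [string] $GroupOu   = 'OU=Server Admin Groups,DC=example,DC=com'    # placeholder
    )
    $sam   = "$AccountPrefix$ServerName"      # e.g. LA-SRV01, within the 20-char SAM limit
    $group = $GroupPattern -f $ServerName      # e.g. LA-SRV01_LocalAdmin

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name $sam -SamAccountName $sam -Path $AccountOu `
            -Description "Local admin account for $ServerName" `
            -AccountPassword (Read-Host "Initial password for $sam" -AsSecureString) `
            -Enabled $true -ChangePasswordAtLogon $true
    }
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -Path $GroupOu `
            -GroupScope Global -GroupCategory Security `
            -Description "Members of local Administrators on $ServerName"
    }
    Add-ADGroupMember -Identity $group -Members $sam
    [pscustomobject]@{ Server = $ServerName; Account = $sam; Group = $group }
}

# Step 3 without a GPO: place the domain group into the server's local
# Administrators group over ADSI (needs admin rights on the target and the
# remote administration firewall rules open).
function Add-DomainGroupToLocalAdmins {
    param([Parameter(Mandatory)] [string] $ServerName,
          [Parameter(Mandatory)] [string] $GroupName)
    $netbios = (Get-ADDomain).NetBIOSName
    $admins  = [ADSI]"WinNT://$ServerName/Administrators,group"
    $admins.Add("WinNT://$netbios/$GroupName,group")
}

# The audit David's design is meant to make easy: enumerate local
# Administrators on each server and flag members that are individual user
# accounts rather than groups, i.e. the per-user grants that are hard to
# find again when someone leaves.
function Get-LocalAdminMembers {
    param([Parameter(Mandatory)] [string[]] $ServerName)
    foreach ($s in $ServerName) {
        $admins = [ADSI]"WinNT://$s/Administrators,group"
        foreach ($m in @($admins.psbase.Invoke('Members'))) {
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Server     = $s
                Member     = $name
                Class      = $class     # 'User' or 'Group'
                Source     = $path      # WinNT://DOMAIN/name (domain) or WinNT://SERVER/name (local)
                DirectUser = ($class -eq 'User' -and $name -ne 'Administrator')
            }
        }
    }
}

# The reverse question from the original post: where does a given admin
# account have access? With group-based grants it is one membership query.
function Get-ServerAdminGroupsFor {
    param([Parameter(Mandatory)] [string] $SamAccountName,
          [string] $GroupPattern = 'LA-*_LocalAdmin')
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $_.Name -like $GroupPattern } |
        Select-Object -ExpandProperty Name
}

# Usage (server and account names are placeholders):
# New-ServerLocalAdminDelegation -ServerName 'SRV01'
# Add-DomainGroupToLocalAdmins   -ServerName 'SRV01' -GroupName 'LA-SRV01_LocalAdmin'
# Get-LocalAdminMembers -ServerName 'SRV01','SRV02' | Where-Object DirectUser
# Get-ServerAdminGroupsFor -SamAccountName 'LA-SRV01'
```

Running Get-LocalAdminMembers across the server estate and filtering on DirectUser gives the list of servers where someone was "just thrown into the local admin group", which is exactly the state the thread argues against; once every grant goes through a per-server group, the off-boarding check collapses to Get-ServerAdminGroupsFor on the departing person's admin account.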