To Hunter's point, and the gist of several of these conversations, if you 
minimize administrative authority through delegation, in this case, who can 
edit GPOs, that is poor-man's change control. 

You can actually wrap plenty of process around it even in the absence of AGPM 
or a 3rd party product.  I have always used a 3rd party product but it is still 
coupled with lots of process, formal change management and strictly limited 
access to the GPOs. At the end of the day where I work, only a DA can migrate 
to prod or modify any production GPOs.

I heard a story a long time ago about a Fortune 5 company brought to a halt on 
all but one continent because of an ill-conceived GPO change, and the only 
reason they weren't completely locked out was because they got to work later in 
North America and were able to minimize the issue before most of their users 
came to work.

I recently attended a Forest Recovery workshop and early on we did the risk 
assessment element with the whole likelihood x impact equation. Guess what came out 
with the highest risk for a disaster in AD?

Hint-- it is a TLA starting with G :-)
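An added audit script, not from any poster in this thread, for the "who can edit GPOs" check the post above calls poor-man's change control. It assumes the GroupPolicy RSAT module is installed and that the allow-list of trustees below is adjusted to whatever your own change process permits (the names given are placeholders).

```powershell
# Added example (not from the thread): list every principal holding edit
# rights on every GPO in the domain and flag any outside an allow-list.
# Assumes the GroupPolicy module; $allowedEditors entries are placeholders.
Import-Module GroupPolicy

$allowedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER')
# GPO permission levels that allow changing the policy itself
$editRights     = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-UnexpectedGpoEditors {
    param([string[]]$Allowed = $allowedEditors)
    foreach ($gpo in Get-GPO -All) {
        # -All returns every ACE on the GPO; keep only the write-capable ones
        $perms = Get-GPPermission -Guid $gpo.Id -All |
                 Where-Object { $editRights -contains $_.Permission }
        foreach ($p in $perms) {
            if ($Allowed -notcontains $p.Trustee.Name) {
                # Anyone who can edit a GPO effectively administers every
                # computer and user the GPO is linked to, so record it.
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $p.Trustee.Name
                    Permission = $p.Permission
                    Modified   = $gpo.ModificationTime
                }
            }
        }
    }
}

$findings = Get-UnexpectedGpoEditors
if ($findings) {
    $findings | Sort-Object Gpo | Format-Table -AutoSize
} else {
    'No GPO edit rights found outside the allow-list.'
}
```

Run it on a schedule and diff the output against the previous run; a new trustee appearing on a GPO linked at the domain or Domain Controllers level is the change worth a ticket.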


-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Monday, June 11, 2012 6:43 AM
To: NT System Admin Issues
Subject: RE: Reality check

Only if they have AGPM installed Don... not all have it. 

It's definitely nice though, and helps keep GPOs controlled and audited. 

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org


-----Original Message-----
From: Guyer, Don [mailto:dgu...@che.org]
Sent: Monday, June 11, 2012 8:07 AM
To: NT System Admin Issues
Subject: RE: Reality check

On top of that you can use Group Policy Management's Change Control feature for 
approving/unapproving remote techs' GPO submissions.

Regards,

Don Guyer
Catholic Health East - Information Technology Enterprise Directory & Messaging 
Services
3805 West Chester Pike, Suite 100, Newtown Square, Pa  19073
email: dgu...@che.org
Office: 610.550.3595 | Cell: 610.955.6528 | Fax: 610.271.9440
For immediate assistance, please open a Service Desk ticket or call the helpdesk @ 
610-492-3839.


-----Original Message-----
From: Coleman, Hunter [mailto:hcole...@mt.gov]
Sent: Friday, June 08, 2012 4:28 PM
To: NT System Admin Issues
Subject: RE: Reality check

You can delegate off the GPO stuff as well.

-----Original Message-----
From: David Lum [mailto:david....@nwea.org]
Sent: Friday, June 8, 2012 1:03 PM
To: NT System Admin Issues
Subject: RE: Reality check

Already did exactly this for the Service Desk a couple years ago; the only 
difference for the SEs would be allowing it to OUs the SD guys can't get to. 
I'd bet it'd take a while before they noticed...like the next time they went to 
mess with a GPO (which is rare, but it happens).

Dave

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, June 08, 2012 11:47 AM
To: NT System Admin Issues
Subject: Re: Reality check

If that's all they need, then delegation is your friend. It's pretty dang easy 
to set up, too.

Create accounts, put them in the new groups, use the delegation wizard to add 
the new groups to the relevant OUs, and you're good to go.

Kurt

On Fri, Jun 8, 2012 at 10:40 AM, David Lum <david....@nwea.org> wrote:
>
> That’s funny, I *JUST* had this discussion with someone else here. If 
> they could create accounts, join machines, and install software on 
> some systems they’d likely not know the difference..
>
>
>
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, June 08, 2012 10:23 AM
>
>
> To: NT System Admin Issues
> Subject: Re: Reality check
>
>
>
> In your shoes I might be tempted to present them with a fait accompli
> - over the weekend strip their user accounts of DA privileges and 
> create new accounts for them that allows them to do what they need to do.
>
> Of course, you'd want to show the manager of the department references 
> on why you're doing it, and get his blessing.
>
> Kurt
>
> On Fri, Jun 8, 2012 at 9:29 AM, David Lum <david....@nwea.org> wrote:
>
> “separation of privileges or separation of duties which should be 
> firmly entrenched in most workplaces”
>
> HAHAHAHAHHAHAHHAHAHAA! Oh wait, you said “should”
>
>
>
> Dude, our users are still local admins and I’m the only one who seems 
> to care; not one of the 5 Service Desk guys is inclined to move us in 
> that direction, they only see it as extra work. Only one other SE has 
> a separate DA account for Domain Admin access; for the rest of ‘em, their 
> normal accounts are DA accounts.
>
>
>
> Hmm…that might be a vent…
>
>
>
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Friday, June 08, 2012 6:57 AM
>
>
> To: NT System Admin Issues
>
> Subject: RE: Reality check
>
>
>
> Seems strange that business users would have admin access to a server, 
> which wouldn’t obey separation of privileges or separation of duties 
> which should be firmly entrenched in most workplaces ( again YMMV as 
> stated before).
>
>
>
> Z
>
>
>
> Edward Ziots
>
> CISSP, Security +, Network +
>
> Security Engineer
>
> Lifespan Organization
>
> ezi...@lifespan.org
>
>
>
> From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
> Sent: Friday, June 08, 2012 9:28 AM
>
>
> To: NT System Admin Issues
>
> Subject: Re: Reality check
>
>
>
> It depends on your environment. That's almost identical to the 
> procedure we have here. When provisioning a new server here, part of 
> the process is to create a new AD group with this naming convention:
>
> ACME_ADMINS_SERVERNAME
>
> This group is then placed in the local administrators group of the server.
> All business users that need admin access to servers have a separate 
> account for that purpose. They submit a privileged access request, and 
> when approved our "user admin" group adds them to the appropriate AD 
> group that was created for the server. In a small environment this might be 
> overkill.
>
> YMMV
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology: Enterprise 
> Architecture and Engineering Services
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017 christopher_bod...@glic.com
>
>
>
> The Guardian Life Insurance Company of America
>
> www.guardianlife.com
>
>
>
>
>
>
> From: David Lum <david....@nwea.org>
> To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
> Date: 06-08-12 09:14 AM
> Subject: Reality check
>
> ________________________________
>
>
>
>
> A fellow team member (not an SE, but more of an application owner type 
> of tech person) needs Local Admin access to a server to install and 
> configure a new application on it. I understand the need and agree with it.
>
> Instead of just throwing his account into the local admin group on 
> that server I did the following:
> - Created a LA-<servername> account (LA = Local Admin)
> - Created a security group called LA-<servername>_LocalAdmin, added the above to it
> - Created a GPO to put said security group into local admins on that server
>
> My thinking is
> 1. This keeps him from using his daily account to be local admin on the box
> 2. I don’t have an individual assignment on that server
>
> In general, I view putting a user specifically into a server’s local 
> group as the same as putting a user (instead of a group) into the ACL 
> of an NTFS folder. If said employee leaves, it’s difficult/tedious to 
> see where they had access TO so we have no idea where their 
> replacement might need to be added.
>
> However, was that really too much work to give the guy the ability to 
> log in as local admin?
> David Lum
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>