Fought that battle back in 2002 after I went to MEC 02 and won it ;) We had 2 different accounts: our normal everyday-use account, which was tied to our Exchange mailbox, had no domain admin rights. We had a separate account that had domain admin rights with no email. It did take a couple of weeks of digging up the official MS documentation on best practices, security, etc. to win that battle, but I did it.
On Thu, Jul 1, 2010 at 4:07 PM, David Lum <david....@nwea.org> wrote:

> We run roughly the same setup here, workstations go into completely
> different OU structure than servers. Security groups are handled similarly,
> some security groups are in an OU where only Systems Engineers can hit and
> not Service Desk, but 90% of the groups live where SD can maintain them.
>
> Now if I could get my fellow SE’s to stop being domain admin on the
> accounts they use everywhere else…they are unwilling to take on the extra
> effort to set up delegation. Grrr…
>
> *David Lum* // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
> *From:* Sherry Abercrombie [mailto:saber...@gmail.com]
> *Sent:* Thursday, July 01, 2010 12:27 PM
> *To:* NT System Admin Issues
> *Subject:* Re: VMWare View, How are you handling AV? (Viper to be specific)
>
> LOL, Computer OUs were set up according to department and we had delegated
> the permissions to move computers to those department OUs to the
> Helpdesk/Desktop group so that they could manage workstations. They could
> not manage servers ;) So the manual intervention wasn't in my group.
>
> On Thu, Jul 1, 2010 at 2:14 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
>
> Gotcha. A little too much manual intervention for my tastes, but yeah,
> that’s valid.
>
> *From:* Sherry Abercrombie [mailto:saber...@gmail.com]
> *Sent:* Thursday, July 01, 2010 1:25 PM
> *To:* NT System Admin Issues
> *Subject:* Re: VMWare View, How are you handling AV? (Viper to be specific)
>
> A person.....workstations will stay in that OU until they are actually
> placed on a user's desk.
>
> On Thu, Jul 1, 2010 at 12:43 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
>
> Nice.
>
> What does the moving?
>
> *From:* Sherry Abercrombie [mailto:saber...@gmail.com]
> *Sent:* Thursday, July 01, 2010 11:52 AM
> *To:* NT System Admin Issues
> *Subject:* Re: VMWare View, How are you handling AV? (Viper to be specific)
>
> The OU that Vipre looks at to do the automatic push has a GPO that is
> totally restricted, can't be logged into from the network etc etc. Only
> Vipre and WSUS can do anything to it while in that OU. Once it's been
> verified that the workstation has been updated appropriately, the computer
> will get moved to the actual OU that it belongs in which has the appropriate
> GPOs.
>
> On Thu, Jul 1, 2010 at 11:38 AM, Crawford, Scott <crawfo...@evangel.edu> wrote:
>
> So, do you just plan on not getting any viruses before it gets pushed to
> the client?
>
> *From:* N Parr [mailto:npar...@mortonind.com]
> *Sent:* Thursday, July 01, 2010 10:37 AM
> *To:* NT System Admin Issues
> *Subject:* RE: VMWare View, How are you handling AV? (Viper to be specific)
>
> Didn't realize it would do the detect and push, I guess that would solve my
> problem. Just have to keep an eye on the server and delete any old clones,
> but like I mentioned even that should be a problem if the clones get
> re-created with the same names.
>
> ------------------------------
>
> *From:* Sherry Abercrombie [mailto:saber...@gmail.com]
> *Sent:* Thursday, July 01, 2010 10:34 AM
> *To:* NT System Admin Issues
> *Subject:* Re: VMWare View, How are you handling AV? (Viper to be specific)
>
> Vipre push was part of our standard server build out, we didn't make it
> part of our base os images for VMWare because of guid issues as mentioned.
> You can set up Vipre Enterprise to automatically detect new computers based
> on the OU they are put in and automatically push to it. We did this for our
> workstation builds, but not servers.
>
> On Thu, Jul 1, 2010 at 10:27 AM, N Parr <npar...@mortonind.com> wrote:
>
> Why wouldn't you treat a VM license like any other? The console would see
> it as a normal computer and make it count anyway. Just trying to figure out
> an easy way to manage it. Could create an agent install package and push it
> out to the clone via GPO but when we update the base image for the clone
> with windows updates, new applications, etc it would get wiped out. I guess
> if the linked clones are getting created with the same naming structure you
> wouldn't have to worry about deleting the clients from Viper Enterprise
> server because it just sees the agents by computer name and not SID or
> anything. When the new clones came back up they would get the agent
> installed via GPO again and then start talking to the Enterprise server like
> normal. My rambling make sense?
>
> ------------------------------
>
> *From:* Jeff Cain [mailto:je...@sunbelt-software.com]
> *Sent:* Thursday, July 01, 2010 10:15 AM
> *To:* NT System Admin Issues
> *Subject:* RE: VMWare View, How are you handling AV? (Viper to be specific)
>
> N Parr,
>
> I am assuming here that you are using VIPRE Enterprise. I would
> recommend protecting each clone with VIPRE as the growth from definitions
> would be minimal, this is the best way to protect your systems and any
> machines they are connected to. I would also say that you should reinstall
> the VIPRE agent after you clone the machine to prevent the Enterprise
> Console from confusing the machines as they’ll have the same agent GUID in
> the console. As far as licensing goes, I don’t believe we hold VM installs
> against you.
>
> Thanks,
> Jeff Cain
>
> Technical Support Analyst
> Sunbelt Software
> Email: supp...@sunbeltsoftware.com
> Voice: 1-877-757-4094
> Fax: 1-727-562-5199
> Web: <http://www.sunbeltsoftware.com>
> Physical Address:
> 33 N Garden Ave
> Suite 1200
> Clearwater, FL 33755
> United States
>
> *From:* N Parr [mailto:npar...@mortonind.com]
> *Sent:* Thursday, July 01, 2010 11:06 AM
> *To:* NT System Admin Issues
> *Subject:* VMWare View, How are you handling AV? (Viper to be specific)
>
> So does anyone have any pointers on this? Are you just not worrying about
> it since you can wipe the linked clones out at any time if they get
> infected? I'm still worried about handling outbreak protection. Don't care
> if the clone gets hosed but I don't want all my clones getting infected with
> something and trying to spread it around. If you install AV on the base
> image and don't use persistent clones then they will have to update
> signatures every time they boot from the day the base image was created. If
> you use persistent clones then their deltas will grow because of signatures
> being added every day. And then you've got licensing and agents on linked
> clones trying to update from the enterprise server with a pc name that is
> different than the base image they were created from. I don't think a lot
> of AV vendors have really thought this type of situation through.
>
> ...

--
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
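
The account separation described at the top of this thread (an everyday account tied to the Exchange mailbox with no domain admin rights, and a separate domain admin account with no email) can be checked with a short audit. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) and a schema extended for Exchange, and the function name `Get-MailEnabledAdmin` is hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function Get-MailEnabledAdmin {
    [CmdletBinding()]
    param(
        # Privileged groups to audit; the thread only discusses Domain Admins.
        [string[]]$Group = @('Domain Admins')
    )

    # Assumption: msExchMailboxGuid exists only when the schema has been
    # extended for Exchange; drop it from the list if that is not the case.
    $props = 'mail', 'proxyAddresses', 'msExchMailboxGuid', 'LastLogonDate'

    foreach ($g in $Group) {
        # -Recursive flattens nested groups, so indirect membership is caught too.
        $members = Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties $props

            # A mailbox GUID means an Exchange mailbox; mail/proxyAddresses
            # alone still mean the account can be addressed by email.
            $hasMailbox = $null -ne $u.msExchMailboxGuid
            $hasAddress = [bool]$u.mail -or (@($u.proxyAddresses).Count -gt 0)

            if ($hasMailbox -or $hasAddress) {
                [pscustomobject]@{
                    Group          = $g
                    SamAccountName = $u.SamAccountName
                    Enabled        = $u.Enabled
                    Mail           = $u.mail
                    HasMailbox     = $hasMailbox
                    LastLogonDate  = $u.LastLogonDate
                }
            }
        }
    }
}

# Every row returned is a privileged account that is also mail-enabled,
# i.e. an admin identity being used as (or alongside) an everyday account.
Get-MailEnabledAdmin | Sort-Object SamAccountName | Format-Table -AutoSize
```

An empty result means every member of the audited group is a dedicated admin account with no mail attributes, which is the setup the top reply describes.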