Documentation is an absolute must. :)

Adding to what another person offered, ensure you have auditing enabled, and add
that to your documentation.

I'll hope your management is able to understand. 
 
WJR
 - from my Crackberry.

"If you find yourself in a fair fight, your tactics suck."

-----Original Message-----
From: James Rankin <kz2...@googlemail.com>
Date: Thu, 30 Sep 2010 13:19:16 
To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>
Reply-To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: Re: Restricting groups in Active Directory

I am seriously going to try to get them to accept Server Operators level as
a compromise. They can still kill servers all they want, but they should be
able to be locked out of the finer points of VMWare, XenApp and AppSense.
Time for my first head-butting session with management in this job. If they
won't budge - it's going straight on the (not yet existent) risk register.

Cheers,

On 30 September 2010 13:05, William J. Robbins <dangerw...@gmail.com> wrote:

> The short answer is yes, if they are domain admins they can do anything
> they like provided they have the knowledge. Including add themselves to the
> Enterprise Admins group since you said you were in a single domain, which I
> interpret as no "empty root."
>
> You could change the ACLs, but again they can undo that with the
> knowledge.
>
> The help desk!? Seriously? Well good luck to you in the new position,
> sounds like you may need some.
>
>
> WJR
> - from my Crackberry.
>
> "If you find yourself in a fair fight, your tactics suck."
> ------------------------------
> From: James Rankin <kz2...@googlemail.com>
> Date: Thu, 30 Sep 2010 12:49:52 +0100
> To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> Reply-To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
> Subject: Restricting groups in Active Directory
>
> I've just started a new job and we're building an all-new infrastructure.
> One of the key things I'm looking at is restricting access to the most
> sensitive functions of some of the infrastructure, mainly in VMWare and
> XenApp. I'm currently looking at doing this by using AD groups - creating
> groups for each support team and adding those groups to the relevant areas
> in XenApp and VirtualCenter to give them the necessary permissions.
>
> However, the business are adamant that every member of the support teams
> (from helpdesk upwards) will be given a Domain Admin account. Am I right in
> assuming this means that they could simply add themselves into the groups I
> am setting up, because even if I restrict these groups via an ACL, they
> could just take ownership of the group?
>
> Could I edit the ACL for these groups and Deny Domain Admins the Modify
> Ownership privilege? Or can they override that as well somehow? Is there
> some way I could handle this even if everyone gets given Domain Admin
> access, or will I have to convince them to do things *properly* using
> delegation of privilege?
>
> All input is welcomed,
>
> TIA,
>
>
>
> JRR
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
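A detective control in the spirit of WJR's advice above (enable auditing and document it), added here as an example that is not from anyone in this thread: it compares the delegation groups James describes against a documented baseline and lists the Security-log group-change events that record who altered them. The group names, member names and seven-day window are constructed assumptions; it needs the RSAT ActiveDirectory module and the "Audit Security Group Management" subcategory enabled on the domain controllers.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and "Audit Security Group Management" (Account Management) enabled on the DCs.
# Group and member names below are constructed for illustration.
Import-Module ActiveDirectory

# Documented baseline: what the design says each delegation group should hold.
$Baseline = @{
    'XenApp-Admins'        = @('alice', 'bob')
    'VirtualCenter-Admins' = @('alice')
}

# 1. Drift check: live membership vs. the documented baseline.
$Drift = foreach ($Group in $Baseline.Keys) {
    $Current = @(Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object -ExpandProperty SamAccountName)
    foreach ($m in $Current) {
        if ($Baseline[$Group] -notcontains $m) {
            [pscustomobject]@{ Group = $Group; Member = $m; Status = 'ADDED (not documented)' }
        }
    }
    foreach ($m in $Baseline[$Group]) {
        if ($Current -notcontains $m) {
            [pscustomobject]@{ Group = $Group; Member = $m; Status = 'MISSING' }
        }
    }
}
$Drift | Format-Table -AutoSize

# 2. Who changed them: 4728/4732/4756 = member added to a security-enabled
#    global/local/universal group; 4729/4733/4757 = member removed.
$Since = (Get-Date).AddDays(-7)
$Dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4728,4729,4732,4733,4756,4757; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Read EventData by field name rather than by positional index.
    $Xml  = [xml]$_.ToXml()
    $Data = @{}
    foreach ($D in $Xml.Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }
    if ($Baseline.ContainsKey($Data['TargetUserName'])) {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Group     = $Data['TargetUserName']
            Member    = $Data['MemberName']
            ChangedBy = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
        }
    }
} | Format-Table -AutoSize
```

Run it on a schedule from an account that is not itself a Domain Admin and keep the output with the documentation, so that a change made by someone with Domain Admin rights is at least recorded even though it cannot be prevented.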

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
