In my case, no, GPOs manage the workstations' local admin groups (Domain Admins and our Field Tech group). Our (outsourced) Help Desk does not have rights to do anything on workstations that requires elevated perms.
Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, September 30, 2010 11:34 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

Lemme ask this... since there's a need to get management buy-in. Is everyone in the organization running as local admin? If not, then an analogy can be drawn. After all, if the helpdesk had to support staff who ran as admin, well, that would be more difficult, right? It's a good argument to shut down the helpdesk golfing buddies. If everyone does run as admin, then you have a mighty challenge, sir.

On Thu, Sep 30, 2010 at 10:36 AM, Don Guyer <don.gu...@prufoxroach.com> wrote:

When I first arrived here, "everyone and their Grandmother" in IT were Domain Admins. After months of kicking and screaming, we were able to convince management that we needed to narrow that list down. It did take quite a bit of work, but it needed to be done.

Don Guyer

From: William Robbins [mailto:dangerw...@gmail.com]
Sent: Thursday, September 30, 2010 10:24 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

I'll see your +1 and raise +11

- WJR

On Thu, Sep 30, 2010 at 09:04, Jeff Steward <jstew...@gmail.com> wrote:

+1

-Jeff Steward

On Thu, Sep 30, 2010 at 9:47 AM, Andrew S. Baker <asbz...@gmail.com> wrote:

Change = accountability + better levels of support due to less stuff mysteriously breaking.

ASB (My XeeSM Profile) <http://xeesm.com/AndrewBaker>
Exploiting Technology for Business Advantage...
On Thu, Sep 30, 2010 at 9:40 AM, James Rankin <kz2...@googlemail.com> wrote:

As usual, the boss of the helpdesk (and his golf buddies) think that change = interruptions to support. I'm going to convince them that change = accountability + the same level of support.

On 30 September 2010 14:38, Maglinger, Paul <pmaglin...@scvl.com> wrote:

What are they trying to accomplish? Do they believe that everyone needs domain admin rights just to change passwords or unlock accounts? I'd try to find out what they need to do and then restrict them accordingly. Help desk doesn't need rights to be able to change administrator passwords, free rein over all files, and add machines to the domain (just to name a few).

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, September 30, 2010 8:18 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

I am raising this up with IS management, as it is unsupportable - there's no point in me putting a structure together that can just be pulled apart at will. There's no way around it, so I'm just going to have to trust in my own stubbornness to get the buy-in I need :-) Audit was going to be one of the hot words to throw into the debate, though. I'd be interested myself in seeing the results of any previous audits they've had here.

On 30 September 2010 14:08, Andrew S. Baker <asbz...@gmail.com> wrote:

>> However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?

You might need to enlist the assistance of... dare I say it? ... Auditors. If everyone is a domain admin, then they can all do whatsoever they want in the domain. Seriously, is your organization not subject to some sort of regulatory compliance? Who is your CTO/CIO?
ASB (My XeeSM Profile) <http://xeesm.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <kz2...@googlemail.com> wrote:

However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
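The thread's two audit questions (who is actually in Domain Admins, and who owns or can rewrite the delegated groups) can be checked on a schedule. This is an added example, not code from anyone in the thread; it assumes the RSAT ActiveDirectory module, read access to the domain, and placeholder names for the approved admins and the delegated groups. It reports drift; as the thread says, it cannot stop a Domain Admin from taking ownership, which is why the membership report matters most.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module;
# the allowlist and group names below are placeholders for your own values.
Import-Module ActiveDirectory

$ApprovedDomainAdmins = @('Administrator', 'da.jrankin')               # placeholder
$DelegatedGroups      = @('HelpDesk-PasswordReset', 'HelpDesk-Unlock')  # placeholder

function Get-UnexpectedDomainAdmins {
    param([string[]]$Approved)
    # -Recursive flattens nested groups, so a member hidden in a nested group still shows
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $Approved -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, objectClass, distinguishedName
}

function Get-GroupControlRights {
    param([string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    # Rights that let a principal change membership, the ACL, or the owner
    $sensitive = 'WriteProperty|WriteDacl|WriteOwner|GenericAll|GenericWrite'
    $rights = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights.ToString() -match $sensitive } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
    [pscustomobject]@{
        Group  = $GroupName
        Owner  = $acl.Owner      # whoever owns the object can rewrite its ACL
        Rights = $rights
    }
}

# Report 1: Domain Admins members that are not on the allowlist
Get-UnexpectedDomainAdmins -Approved $ApprovedDomainAdmins | Format-Table -AutoSize

# Report 2: owner and write-capable ACEs for each delegated group
foreach ($g in $DelegatedGroups) {
    $r = Get-GroupControlRights -GroupName $g
    "`n$($r.Group)  owner: $($r.Owner)"
    $r.Rights | Format-Table -AutoSize
}
```

Run it from an account with read access and diff the output against the previous run; any new Domain Admins member or new owner on a delegated group is the change to chase up.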