Yeah, I stand corrected. I'm just really surprised that they're running as non-admins on the desktop. I certainly agree with your approach though and it should be a fairly easy step to non-DA.

I'd put together some scenarios to demonstrate the danger if I were in the situation.

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, September 30, 2010 1:03 PM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

Not really. I can see that the IT staff in general would want to retain admin rights generally and limit rights to users based on what they need. IT staff at that organization need to adjust to a least permissions framework, too. If they've already pushed that framework down to the users or if the users have always operated under such a framework, then it should be a fairly easy concept to grasp and there will already be precedent for limiting administrative user rights.

On Thu, Sep 30, 2010 at 12:29 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:

You're *incredibly* optimistic. Do you actually think there's a chance that a company that wants all of IT to be Domain Admins has seen the light and doesn't let users run as local admins?

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, September 30, 2010 10:34 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

Lemme ask this... since there's a need to get management buy-in. Is everyone in the organization running as local admin? If not, then an analogy can be drawn. After all, if helpdesk had to support staff who ran as admin, well, that would be more difficult, right? It's a good argument to shut down the helpdesk golfing buddies. If everyone does run as admin, then you have a mighty challenge, sir.

On Thu, Sep 30, 2010 at 10:36 AM, Don Guyer <don.gu...@prufoxroach.com> wrote:

When I first arrived here, "everyone and their Grandmother" in IT were Domain Admins. After months of kicking and screaming, we were able to convince management that we need to narrow that list down. It did take quite a bit of work, but needed to be done.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

From: William Robbins [mailto:dangerw...@gmail.com]
Sent: Thursday, September 30, 2010 10:24 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

I'll see your +1 and raise +11

- WJR

On Thu, Sep 30, 2010 at 09:04, Jeff Steward <jstew...@gmail.com> wrote:

+1

-Jeff Steward

On Thu, Sep 30, 2010 at 9:47 AM, Andrew S. Baker <asbz...@gmail.com> wrote:

Change = accountability + better levels of support due to less stuff mysteriously breaking.

ASB (My XeeSM Profile) <http://xeesm.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Thu, Sep 30, 2010 at 9:40 AM, James Rankin <kz2...@googlemail.com> wrote:

As usual, the boss of the helpdesk (and his golf buddies) think that change = interruptions to support. I'm going to convince them that change = accountability + the same level of support.

On 30 September 2010 14:38, Maglinger, Paul <pmaglin...@scvl.com> wrote:

What are they trying to accomplish? Do they believe that everyone needs domain admin rights just to change passwords or unlock accounts? I'd try to find out what they need to do and then restrict them accordingly. Help desk doesn't need rights to be able to change administrator passwords, free rein to all files, and add machines to the domain (just to name a few).

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, September 30, 2010 8:18 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

I am raising this up with IS management, as it is unsupportable - there's no point in me putting a structure together that can just be pulled apart at will. There's no way around it, so I'm just going to have to trust in my own stubbornness to get the buy-in I need :-) Audit was going to be one of the hot words to throw into the debate, though. I'd be interested myself in seeing the results of any previous audits they've had here.

On 30 September 2010 14:08, Andrew S. Baker <asbz...@gmail.com> wrote:

>> However, the business are adamant that every member of the support teams
>> (from helpdesk upwards) will be given a Domain Admin account. Am I right in
>> assuming this means that they could simply add themselves into the groups I
>> am setting up, because even if I restrict these groups via an ACL, they could
>> just take ownership of the group?

You might need to enlist the assistance of... dare I say it? ... Auditors.

If everyone is a domain admin, then they can all do whatsoever they want in the domain. Seriously, is your organization not subject to some sort of regulatory compliance? Who is your CTO/CIO?

ASB (My XeeSM Profile) <http://xeesm.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <kz2...@googlemail.com> wrote:

However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
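The concern James raises at the bottom of the thread, that a Domain Admin can add accounts to a delegated group or take ownership of it, is not something a group ACL can prevent, but the resulting drift can be detected, which is where the "audit" angle becomes concrete. As an added example, not code from the thread or from any poster, the script below compares a constructed export of group owners and nested membership against an approved baseline; every group and account name in it is made up.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    """One directory group as it appears in a periodic export (constructed format)."""
    owner: str                                   # principal that owns the group object
    members: list = field(default_factory=list)  # direct members: user or group names

# Approved baseline for the groups being delegated (constructed names).
BASELINE = {
    "Domain Admins":  {"owner": "Domain Admins", "members": {"ad-admin01"}},
    "Helpdesk-Tier1": {"owner": "Domain Admins", "members": {"hd-user01", "hd-user02"}},
}

# Constructed snapshot of the drift the thread worries about: a helpdesk
# account now owns its own group and has nested a team group into Domain Admins.
SNAPSHOT = {
    "Domain Admins":  Group("Domain Admins", ["ad-admin01", "Helpdesk-Tier1"]),
    "Helpdesk-Tier1": Group("hd-user01", ["hd-user01", "hd-user02", "hd-temps"]),
    "hd-temps":       Group("hd-user01", ["hd-temp01", "hd-temp02"]),
}

def flatten(group: str, snapshot: dict, seen=None) -> set:
    """Effective user membership, expanding nested groups without looping on cycles."""
    seen = set() if seen is None else seen
    users = set()
    for member in snapshot.get(group, Group("")).members:
        if member in snapshot:              # the member is itself a group
            if member not in seen:
                seen.add(member)
                users |= flatten(member, snapshot, seen)
        else:
            users.add(member)
    return users

def audit(baseline: dict, snapshot: dict) -> list:
    """Findings as (group, kind, detail): owner changes and unexpected effective members."""
    findings = []
    for name, expected in baseline.items():
        current = snapshot.get(name)
        if current is None:
            findings.append((name, "missing", None))
            continue
        if current.owner != expected["owner"]:
            findings.append((name, "owner", current.owner))
        for user in sorted(flatten(name, snapshot) - expected["members"]):
            findings.append((name, "unexpected-member", user))
    return findings
```

Call `audit(BASELINE, SNAPSHOT)` to list the findings; the owner comparison is what catches the take-ownership case, which a membership-only check would miss.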