Re: Exchange 2003 and Active Directory
You can't get DFL/FFL past 2003 if a 2003 DC is present, but otherwise Exchange 2003 is happy as a clam. We have a mixed set of DCs (2003 in the overseas offices, 2008R2 in the US), and Exchange 2003 in each of the offices. Works like a champ.

Kurt

On Fri, Dec 7, 2012 at 6:27 AM, Michael B. Smith mich...@smithcons.com wrote:

> No. I can't remember off the top of my head whether it's ok to bump either the FFL or DFL with Exchange 2003, but just adding the DCs is not a problem. There is a DFL/FFL matrix on TechNet for Exchange versions.
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Friday, December 7, 2012 9:21 AM
> To: NT System Admin Issues
> Subject: Exchange 2003 and Active Directory
>
> I am adding Server 2008 R2 Domain Controllers to my domain. Do I need to do anything on my Exchange 2003 server to make sure there are no interruptions to emails? I will be moving FSMO roles to the 2008's once I have all three in place and working with no events.
>
> Thanks
> David

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: Exchange 2003 and Active Directory
Thanks again.

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Posted At: Friday, December 7, 2012 10:24 AM
Posted To: itli...@imcu.com
Conversation: Exchange 2003 and Active Directory
Subject: Re: Exchange 2003 and Active Directory

> You can't get DFL/FFL past 2003 if a 2003 DC is present, but otherwise Exchange 2003 is happy as a clam. We have a mixed set of DCs (2003 in the overseas offices, 2008R2 in the US), and Exchange 2003 in each of the offices. Works like a champ.
>
> Kurt
RE: Exchange 2003 and Active Directory
See the Supportability Matrix for both Exchange 2010 and Exchange 2007 (see http://technet.microsoft.com/en-us/library/ff728623(v=exchg.141).aspx for example), "Supported Active Directory Environments".

-----Original Message-----
From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Friday, December 7, 2012 1:10 PM
To: NT System Admin Issues
Subject: RE: Exchange 2003 and Active Directory

> Thanks again.
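The thread boils down to three checks before touching FSMO roles or functional levels: what the DFL/FFL currently are, whether any Windows 2003 DC remains (which pins the DFL at 2003), and where the five FSMO roles live. The following script is an added example, not something posted by Kurt, Michael or David; it uses the ActiveDirectory module cmdlets, and the DC name `DC-2008R2-01` is a placeholder.

```powershell
# Added example (not from the list thread): pre-flight inventory before adding
# 2008 R2 DCs, moving FSMO roles, or raising the domain/forest functional level.
# Requires the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Current functional levels; the Exchange supportability matrix is keyed on these.
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"

# 2. Every DC with its OS. A 2003 DC anywhere in the domain blocks raising the DFL past 2003.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperatingSystem, IsGlobalCatalog
$dcs | Format-Table -AutoSize
$legacy = $dcs | Where-Object { $_.OperatingSystem -like '*2003*' }
if ($legacy) {
    "DFL cannot be raised beyond Windows2003Domain while these DCs exist:"
    $legacy | ForEach-Object { "  $($_.Name) ($($_.OperatingSystem))" }
}

# 3. Where the five FSMO roles currently live.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 4. Transfer the domain roles to a new 2008 R2 DC once "repadmin /replsummary" is clean
#    and the event logs are quiet. -WhatIf only shows the transfer; drop it when ready.
$newDc = 'DC-2008R2-01'   # placeholder, not a name from the thread
Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -WhatIf
```

Run it from a 2008 R2 DC or a workstation with RSAT; the 2003 DCs themselves cannot load the module. One caveat that belongs with the "no interruptions to email" question: if Exchange 2003's DSAccess has been hard-coded to specific DCs or GCs rather than discovering them, update that list before any of the listed DCs are decommissioned.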
Active Directory and Group Policy inheritance
Greetings.

Is it possible to block a single group policy from being inherited, or is my only choice to block all inheritance at the OU level? I want one policy blocked (a software installation policy, so I don't think I can override it somehow) in a sub-OU, but I want everything else through.

Thanks.

--Matt Ross
Ephrata School District
RE: Active Directory and Group Policy inheritance
I don't think you can block it, but you can maybe modify the security filtering so it only applies to the users you want it to?

-----Original Message-----
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Thursday, July 26, 2012 8:36 AM
To: NT System Admin Issues
Subject: Active Directory and Group Policy inheritance

> Is it possible to block a single group policy from being inherited, or is my only choice to block all inheritance at the OU level? I want one policy blocked (a software installation policy, so I don't think I can override it somehow) in a sub-OU, but I want everything else through.
RE: Active Directory and Group Policy inheritance
I would use WMI filtering.

-----Original Message-----
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Thursday, July 26, 2012 11:36 AM
To: NT System Admin Issues
Subject: Active Directory and Group Policy inheritance
Re: Active Directory and Group Policy inheritance
Inheritance is an attribute of the OU, not of the GPO itself. What you need to do is filter by WMI or security. One of those or a combination of both should give you what you are looking for.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com
The Guardian Life Insurance Company of America
www.guardianlife.com

From: Matthew W. Ross mr...@ephrataschools.org
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 07/26/2012 11:36 AM
Subject: Active Directory and Group Policy inheritance

> Is it possible to block a single group policy from being inherited, or is my only choice to block all inheritance at the OU level? I want one policy blocked (a software installation policy, so I don't think I can override it somehow) in a sub-OU, but I want everything else through.

-----
This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
RE: Active Directory and Group Policy inheritance
Just make sure you don't write an inefficient filter that takes forever to process...

Thanks,
Brian Desmond
br...@briandesmond.com
w - 312.625.1438 | c - 312.731.3132

-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, July 26, 2012 10:50 AM
To: NT System Admin Issues
Subject: RE: Active Directory and Group Policy inheritance

> I would use WMI filtering.
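The replies above give the two mechanisms (security filtering and WMI filtering) plus Brian's warning about slow filters, but no commands. The script below is an added example, not code from anyone in the thread; it uses the GroupPolicy module cmdlets (GPMC), the GPO and group names are placeholders, and the WMI test needs a Windows client to run on.

```powershell
# Added example (not from the list thread): scope a software-installation GPO with
# security filtering rather than blocking inheritance on the sub-OU, then time a
# WMI filter locally before attaching it to the GPO.
# Assumptions: $gpoName and $applyGrp are placeholders; GroupPolicy module present.
Import-Module GroupPolicy

$gpoName  = 'Deploy App X'            # placeholder GPO name
$applyGrp = 'GPO-Apply-DeployAppX'    # placeholder global security group

# Step 1: who does the GPO apply to today? Out of the box it is Authenticated Users
# with GpoApply, i.e. every computer and user under the link.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Step 2: make the GPO opt-in. Grant Apply to the group, remove it from Authenticated
# Users, then put a plain Read ACE back: since MS16-072 (June 2016) the computer
# reads the GPO, so without Read for Authenticated Users or Domain Computers the
# policy silently stops applying to everyone. Populate $applyGrp with the computers
# that should get the package and leave the sub-OU's machines out of it.
Set-GPPermission -Name $gpoName -TargetName $applyGrp -TargetType Group `
    -PermissionLevel GpoApply
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead

# Step 3: if you go the WMI route instead, measure the query on a client first.
# Win32_OperatingSystem answers in milliseconds; a filter against Win32_Product
# triggers an MSI consistency check of every installed package and is the classic
# "filter that takes forever", paid on every policy refresh.
$fastQuery = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'   # workstations only
$elapsed   = Measure-Command { $script:hit = Get-CimInstance -Query $fastQuery }
"Filter matches this host: $([bool]$hit); evaluated in $([int]$elapsed.TotalMilliseconds) ms"
```

The cmdlets only expose Allow levels, so the inverse form (a Deny on "Apply group policy" for a group containing the sub-OU's computers, which needs no opt-in group) is set from GPMC under Delegation > Advanced. Whichever form you choose, `gpresult /r` on an affected machine should then list the GPO under "filtered out" with the reason, which is the quickest way to confirm the filter did what you intended.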
Re: Active Directory Appliance?
I don't think anything like that exists. Even with an appliance like Storage Server, it was still a Windows box and you needed to manage it like one (patching, agents, domain membership, etc.). So even if something like this did exist, I'm not sure how much it would reduce your management overhead of the device.

I agree with some of the other comments. If you have a small virtualization environment at one of these locations, it would be your easiest solution. You could pre-configure some Hyper-V servers at your corporate location and then ship them out to the remote offices. Then you could just spin up VMs remotely.

YMMV

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com
The Guardian Life Insurance Company of America
www.guardianlife.com

From: Jonathan ncm...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 06-13-12 04:29 PM
Subject: Active Directory Appliance?

> My Google-fu seems to be failing me. I know that Infoblox has DNS and DHCP hardware appliances, but I don't see anything for Active Directory 2003/2008. I'm only interested in this for remote offices, not for my core. The idea would be to eliminate buying a server, maintaining that server, the OS, etc, for our remote offices.
>
> Does such exist, and if so, does the collective brain trust have any experience with them?
>
> TIA,
> Jonathan
RE: Active Directory Appliance?
Used P4 with 2G RAM, 500M hard drive: ~100
Your favorite flavor of Linux distro: free
DNS and DHCP: free with OS

Image it, lock it down tight and let 'er rip.

Daniel Chenault
dchena...@lgnetworksinc.com

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 3:20 PM
To: NT System Admin Issues
Subject: Active Directory Appliance?
RE: Active Directory Appliance?
Authentication survivability at the remote site for access to local resources (primarily file and print).

On Jun 13, 2012 4:52 PM, Free, Bob r...@pge.com wrote:

> I have never come across such a beast.
>
> Question in my mind would be more like "why are you deploying DCs remotely"
>
> From: Jonathan [mailto:ncm...@gmail.com]
> Sent: Wednesday, June 13, 2012 1:20 PM
> To: NT System Admin Issues
> Subject: [dkim-failure] Active Directory Appliance?
RE: Active Directory Appliance?
Not interested in anything home-brewed.

On Jun 13, 2012 4:41 PM, Daniel Chenault dchena...@lgnetworksinc.com wrote:

> Used P4 with 2G RAM, 500M hard drive: ~100
> Your favorite flavor of Linux distro: free
> DNS and DHCP: free with OS
>
> Image it, lock it down tight and let 'er rip.
RE: Active Directory Appliance?
Your best bet then is to use a Server Core install of either 2008 or 2008 R2. It's supported, requires minimal patching/management and is ideally suited to remote management.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 5:01 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?

> Not interested in anything home-brewed.
RE: Active Directory Appliance?
Cheap/easy/fast

Pick two

Daniel Chenault
dchena...@lgnetworksinc.com

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 4:01 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?

> Not interested in anything home-brewed.
RE: Active Directory Appliance?
Ha! True. This is why I did not place constraints on any of those 3 factors, with the exception of stating that I did not want something home-brewed. I figured that would have implied that I didn't care about trying to do something on the cheap.

On Jun 13, 2012 5:38 PM, Daniel Chenault dchena...@lgnetworksinc.com wrote:

> Cheap/easy/fast
>
> Pick two
RE: Active Directory Appliance?
SAMBA 4 can do this on Linux/NetBSD. Dunno how you are with UNIX-variants.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 5:01 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?

Authentication survivability at the remote site for access to local resources (primarily file and print).

On Jun 13, 2012 4:52 PM, Free, Bob r...@pge.com wrote:

I have never come across such a beast. Question in my mind would be more like why are you deploying DCs remotely

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 1:20 PM
To: NT System Admin Issues
Subject: [dkim-failure] Active Directory Appliance?
RE: Active Directory Appliance?
Nope, hardly that many users. We're talking less than 100 users for most of our remote sites. Deploying RWDCs to each site is a practice here that long pre-dates me, and even our department (for a number of years, each site was fairly autonomous, with no formal internal infrastructure team). Changing over to RODCs is something worth considering, though, along with 2008R2 Core. I may bring it up at the next staff meeting.

Thanks,
Jonathan

On Jun 13, 2012 5:59 PM, Free, Bob r...@pge.com wrote:

Not knowing your specific requirements, especially WRT user population, for file/print, at first blush I'd think cached credentials with more of a focus on resilient connectivity would be the best solution.

I'm a firm believer that RWDCs only go in DataCenters with the attendant physical security. If you deploy to the branch, that is the realm of the RODC but it carries its own inherent complexities.

Maybe your idea of a remote office is many hundreds or thousands of users and I'm all wet.

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 2:01 PM
To: NT System Admin Issues
Subject: [dkim-failure] RE: Active Directory Appliance?
RE: Active Directory Appliance?
I didn't see him demanding any of those.

-sc

On Jun 13, 2012 5:38 PM, Daniel Chenault dchena...@lgnetworksinc.com wrote:

Cheap/easy/fast

Pick two

Daniel Chenault
dchena...@lgnetworksinc.com
RE: Active Directory Appliance?
I understand that and it's your ballpark so you move the infield fence wherever you like. :) It is a good workable solution though; rock-solid and once set up and locked down is practically hands-free.

Those of you who have known me a long time: did you ever think you'd see me touting Linux? :)

From: Jonathan [ncm...@gmail.com]
Sent: Wednesday, June 13, 2012 4:45 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?

Ha! True. This is why I did not place constraints on any of those 3 factors with the exception stating that I did not want something home brewed. I figured that would have implied that I didn't care about trying to do something on the cheap.
RE: Active Directory Appliance?
Meh.. standard engineering mantra. Those three always come into play eventually.

From: Steven M. Caesare [scaes...@caesare.com]
Sent: Wednesday, June 13, 2012 6:42 PM
To: NT System Admin Issues
Subject: RE: Active Directory Appliance?

I didn't see him demanding any of those.

-sc
Re: Required Active Directory Administrator/6+months Contract/Lake Success,NY
Not wants, the word is requires. And they are not toys, they are business tools that help us keep up with the latest Citrix technologies.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Steven Peck sep...@gmail.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Sat, 10 Mar 2012 03:29:32 -0800
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Required Active Directory Administrator/6+months Contract/Lake Success,NY

High demand or high maintenance? I hear your boss wants the latest in hardware toys!

On Fri, Mar 9, 2012 at 5:19 PM, Webster webs...@carlwebster.com wrote:

U, but I'm in high demand also? :)

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

On 3/9/12 7:03 PM, Ben Scott mailvor...@gmail.com wrote:

On Fri, Mar 9, 2012 at 5:01 PM, Michael B. Smith mich...@smithcons.com wrote:

As far as I can tell, nothing ever slowed down... Each of the last 3 years have been record breaking for me.

The really good people are always in high demand.
Re: Required Active Directory Administrator/6+months Contract/Lake Success,NY
Naturally, I bet you are testing like hell on that iPad 3 :-)

On 10 March 2012 11:39, Webster webs...@carlwebster.com wrote:

Not wants, the word is requires. And they are not toys, they are business tools that help us keep up with the latest Citrix technologies.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

* IMPORTANT INFORMATION/DISCLAIMER *

This document should be read only by those persons to whom it is addressed. If you have received this message it was obviously addressed to you and therefore you can read it, even if we didn't mean to send it to you. However, if the contents of this email make no sense whatsoever then you probably were not the intended recipient, or, alternatively, you are a mindless cretin; either way, you should immediately kill yourself and destroy your computer (not necessarily in that order). Once you have taken this action, please contact us.. no, sorry, you can't use your computer, because you just destroyed it, and possibly also committed suicide afterwards, but I am starting to digress..

The originator of this email is not liable for the transmission of the information contained in this communication. Or are they? Either way it's a pretty dull legal query and frankly one I'm not going to dwell on. But should you have nothing better to do, please feel free to ruminate on it, and please pass on any concrete conclusions should you find them. However, if you pass them on via email, be sure to include a disclaimer regarding liability for transmission.

In the event that the originator did not send this email to you, then please return it to us and attach a scanned-in picture of your mother's brother's wife wearing nothing but a kangaroo suit, and we will immediately refund you exactly half of what you paid for the can of Whiskas you bought when you went to Pets At Home yesterday.

We take no responsibility for non-receipt of this email because we are running Exchange 5.5 and everyone knows how glitchy that can be. In the event that you do get this message then please note that we take no responsibility for that either. Nor will we accept any liability, tacit or implied, for any damage you may or may not incur as a result of receiving, or not, as the case may be, from time to time, notwithstanding all liabilities implied or otherwise, ummm, hell, where was I...umm, no matter what happens, it is NOT, and NEVER WILL BE, OUR FAULT!

The comments and opinions expressed herein are my own and NOT those of my employer, who, if he knew I was sending emails and surfing the seamier side of the Internet, would cut off my manhood and feed it to me for afternoon tea.
Re: Fw: Required Active Directory Administrator/6+months Contract/Lake Success,NY
There is no iPad 3.

On Saturday, March 10, 2012, James Rankin kz2...@googlemail.com wrote:

Naturally, I bet you are testing like hell on that iPad 3 :-)
Re: Fw: Required Active Directory Administrator/6+months Contract/Lake Success,NY
Pedant. New ipad OK? :-)

---Blackberried

-Original Message-
From: Jonathan Link jonathan.l...@gmail.com
Date: Sat, 10 Mar 2012 17:37:22
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Fw: Required Active Directory Administrator/6+months Contract/Lake Success,NY

There is no iPad 3.
Re: Fw: Required Active Directory Administrator/6+months Contract/Lake Success,NY
There is no 'new ipad' either. It's just the iPad. :D

Now we're happy.

On Sat, Mar 10, 2012 at 2:44 PM, Rankin, James R kz2...@googlemail.com wrote:

Pedant. New ipad OK? :-)

---Blackberried

From: Jonathan Link jonathan.l...@gmail.com
Date: Sat, 10 Mar 2012 17:37:22 -0500
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
ReplyTo: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Fw: Required Active Directory Administrator/6+months Contract/Lake Success,NY

There is no iPad 3.

On Saturday, March 10, 2012, James Rankin kz2...@googlemail.com wrote:

Naturally, I bet you are testing like hell on that iPad 3 :-)
Fw: Required Active Directory Administrator/6+months Contract/Lake Success,NY
FYI - looks like business is picking up...

----- Forwarded Message -----
From: Shubham shub...@okayainfo.com
To: drkuhl...@yahoo.com
Sent: Friday, March 9, 2012 12:09 PM
Subject: Required Active Directory Administrator/6+months Contract/Lake Success,NY

Hi Don Kuhlman

Hope you are doing well!!

We currently have an exciting opportunity with a great client; you’ll find details of the position below. Even if you’re not a fit for this particular position, we welcome a current copy of your resume and look forward to working together on future positions.

Title: Active Directory Administrator
Duration: 6+ Months (Contract)
Location: Lake Success, NY
Face To Face Interview Required

Details:
· Client is looking for an Active Directory Administrator to do Administration of Windows servers. The person will be responsible for migrating AD Servers. Data Center with an emphasis on: Active Directory migration, formalizing a Patching process, getting servers up to standards
· Responsible for managing the Active Directory environment which will include all regular maintenance, upgrades, Group Policy management and troubleshooting

Key skills are strong active directory and have supported around 3,000 to 5,000 users

Thanks Regards,
Shubham
OKAYA Inc.
Where Commitment Is A Passion
99 Mark Tree Road, Suite 304
Centereach, NY 11720
Phone : 631-267-4883 x 259
Fax : 631-389-2446
Email : shub...@okayainfo.com
URL : http://www.okayainfo.com

Disclaimer: We respect your Online Privacy. This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

If you are not interested in receiving our e-mails then please reply with a REMOVE in the subject line at rem...@okayainfo.com and mention all the e-mail addresses to be removed with any e-mail addresses, which might be diverting the e-mails to you. We are sorry for the inconvenience.
RE: Required Active Directory Administrator/6+months Contract/Lake Success,NY
As far as I can tell, nothing ever slowed down... Each of the last 3 years has been record breaking for me.

What about the last year for you Web?

From: Don Kuhlman [mailto:drkuhl...@yahoo.com]
Sent: Friday, March 09, 2012 2:06 PM
To: NT System Admin Issues
Subject: Fw: Required Active Directory Administrator/6+months Contract/Lake Success,NY

FYI - looks like business is picking up...

----- Forwarded Message -----
From: Shubham shub...@okayainfo.com
To: drkuhl...@yahoo.com
Sent: Friday, March 9, 2012 12:09 PM
Subject: Required Active Directory Administrator/6+months Contract/Lake Success,NY
Re: Required Active Directory Administrator/6+months Contract/Lake Success,NY
On Fri, Mar 9, 2012 at 5:01 PM, Michael B. Smith mich...@smithcons.com wrote:

As far as I can tell, nothing ever slowed down... Each of the last 3 years has been record breaking for me.

The really good people are always in high demand.

-- Ben
Re: Required Active Directory Administrator/6+months Contract/Lake Success,NY
AMEN! This year is a killer for me. :)

If I worked with XenDesktop or NetScaler I could get even more work! Why, I am not doing much between 1 to 5 A.M.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Michael Smith mich...@smithcons.com
Subject: RE: Required Active Directory Administrator/6+months Contract/Lake Success,NY

As far as I can tell, nothing ever slowed down... Each of the last 3 years has been record breaking for me.

What about the last year for you Web?

From: Don Kuhlman [mailto:drkuhl...@yahoo.com]
Subject: Fw: Required Active Directory Administrator/6+months Contract/Lake Success,NY

FYI - looks like business is picking up...
RE: Required Active Directory Administrator/6+months Contract/Lake Success,NY
*blush*

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Friday, March 09, 2012 7:03 PM
To: NT System Admin Issues
Subject: Re: Required Active Directory Administrator/6+months Contract/Lake Success,NY

On Fri, Mar 9, 2012 at 5:01 PM, Michael B. Smith mich...@smithcons.com wrote:

As far as I can tell, nothing ever slowed down... Each of the last 3 years has been record breaking for me.

The really good people are always in high demand.

-- Ben
Re: Required Active Directory Administrator/6+months Contract/Lake Success,NY
U, but I'm in high demand also? :)

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

On 3/9/12 7:03 PM, Ben Scott mailvor...@gmail.com wrote:

On Fri, Mar 9, 2012 at 5:01 PM, Michael B. Smith mich...@smithcons.com wrote:

As far as I can tell, nothing ever slowed down... Each of the last 3 years has been record breaking for me.

The really good people are always in high demand.
Re: Question on Self Service Password change for Active Directory
On Wed, Dec 7, 2011 at 3:44 PM, Brian Desmond br...@briandesmond.com wrote:

Going to be signing off the list at the end of the day tomorrow, I hope to have it back up on a hotmail address or gmail soon enough

Gmail provides a nice indexing mechanism

+1. I've got years of ntsysadmin and other list traffic archived. I find it works well as a knowledge base. I search for a task and find answers. And unlike the Internet at large, I know many of the posters well enough to judge if I should trust them or not. (Some of the people posting in Internet forums shouldn't be allowed to use a computer, let alone tell others how to fix one.)

-- Ben
Re: Question on Self Service Password change for Active Directory
Netwrix does have a free version for up to 50 users for self-service password mgmt. Another one that is good that actually helps to avoid the issue is their Password Expiration Notifier which sends emails when a password is going to expire (configurable).

On Thu, Dec 8, 2011 at 9:39 AM, Ben Scott mailvor...@gmail.com wrote:

On Wed, Dec 7, 2011 at 3:44 PM, Brian Desmond br...@briandesmond.com wrote:

Going to be signing off the list at the end of the day tomorrow, I hope to have it back up on a hotmail address or gmail soon enough

Gmail provides a nice indexing mechanism

+1. I've got years of ntsysadmin and other list traffic archived. I find it works well as a knowledge base. I search for a task and find answers. And unlike the Internet at large, I know many of the posters well enough to judge if I should trust them or not. (Some of the people posting in Internet forums shouldn't be allowed to use a computer, let alone tell others how to fix one.)

-- Ben
RE: Question on Self Service Password change for Active Directory
Thanks gents, getting this to my management.

Going to be signing off the list at the end of the day tomorrow, I hope to have it back up on a hotmail address or gmail soon enough, since the new job kinda discourages the mass emailing going forward.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
email:ezi...@lifespan.org
phone:401-639-3505

From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Tuesday, December 06, 2011 8:16 PM
To: NT System Admin Issues
Subject: RE: Question on Self Service Password change for Active Directory

Hitachi-ID Password Manager, I know it fairly well and it's solid.

From: Steve Ens [mailto:stevey...@gmail.com]
Sent: Tuesday, December 06, 2011 5:59 PM
To: NT System Admin Issues
Subject: Re: Question on Self Service Password change for Active Directory

How about spec ops? Good product and fairly inexpensive

Sent from my FriPad

On 2011-12-06, at 4:59 PM, David Lum david@nwea.org wrote:

“function fine, and was easy enough to use”

And inexpensive. And easy for me to set up. Anything that does that at a client that has no local onsite IT six days out of seven is a win in my book, I get zero “Joe user forgot his password, please help” calls. This client has police (not shockingly, some are short tempered when it comes to IT stuff like not being able to recover quickly from forgetting their password) and part-time firefighters so it’s not an infrequent occurrence (happens in batches, actually). Keeping guys with guns, Tasers and axes happy is a good thing ☺

I deployed it about 4 years ago so it’s likely identical to what you saw. It has also been 100% trouble free – haven’t touched it since the initial deployment, and I get notices every time they use it so I know they still do use it. A complete win for what I wanted from it at least.

Dave

From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, December 06, 2011 1:31 PM
To: NT System Admin Issues
Subject: Re: Question on Self Service Password change for Active Directory

Definitely IIS.

We weren't that impressed by it about 5-6 years ago when we set it up, but it might have improved since then. By not impressed I mean basically that it just didn't offer much - it seemed to function fine, and was easy enough to use, but I didn't see the value in it. Of course, we only get perhaps 1 or 2 password reset requests per month from our roughly 250 staff in three countries.

Kurt

On Tue, Dec 6, 2011 at 12:50, David Lum david@nwea.org wrote:

Namescape – makers of rDirectory.

www.namescape.com

Works well at my 55-user client for resetting and not needing me. Simple to set up and use, just sits on IIS (or Apache, I forget at the moment).

Dave

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, December 06, 2011 12:18 PM
To: NT System Admin Issues
Subject: Question on Self Service Password change for Active Directory

I remember a while ago, that someone (might have been Mr Lum) discussed a third party product for an interface for password change/reset to cut down on calls to help desk (was based on factors of authentication or answered known questions).

I think it was Rdirectory or something close.

Anyone have the 411 on it, or a link, my manager is asking about it.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
email:ezi...@lifespan.org
phone:401-639-3505
Re: Question on Self Service Password change for Active Directory
If (though unlikely) you are a Citrix XenApp environment with Platinum licenses, you get Citrix Single Sign-On free. It works and has lots of features, just a bit tricky to set up sometimes. If you're not Platinum, though, it is restrictively expensive to implement and you'd be better off with something else.

On 7 December 2011 14:38, Ziots, Edward ezi...@lifespan.org wrote:

Thanks gents, getting this to my management.

Going to be signing off the list at the end of the day tomorrow, I hope to have it back up on a hotmail address or gmail soon enough, since the new job kinda discourages the mass emailing going forward.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
email:ezi...@lifespan.org
phone:401-639-3505
RE: Question on Self Service Password change for Active Directory
Gmail provides a nice indexing mechanism

Thanks,
Brian Desmond
br...@briandesmond.com

w – 312.625.1438 | c – 312.731.3132

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Wednesday, December 07, 2011 8:38 AM
To: NT System Admin Issues
Subject: RE: Question on Self Service Password change for Active Directory

Thanks gents, getting this to my management.

Going to be signing off the list at the end of the day tomorrow, I hope to have it back up on a hotmail address or gmail soon enough, since the new job kinda discourages the mass emailing going forward.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
email:ezi...@lifespan.org
phone:401-639-3505
Question on Self Service Password change for Active Directory
I remember a while ago, that someone (might have been Mr Lum) discussed a third party product for an interface for password change/reset to cut down on calls to help desk (was based on factors of authentication or answered known questions).

I think it was Rdirectory or something close.

Anyone have the 411 on it, or a link, my manager is asking about it.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
email:ezi...@lifespan.org
phone:401-639-3505
RE: Question on Self Service Password change for Active Directory
Namescape - makers of rDirectory. www.namescape.com

Works well at my 55-user client for resetting and not needing me. Simple to set up and use, just sits on IIS (or Apache, I forget at the moment).

Dave

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, December 06, 2011 12:18 PM
To: NT System Admin Issues
Subject: Question on Self Service Password change for Active Directory
Re: Question on Self Service Password change for Active Directory
Definitely IIS.

We weren't that impressed by it about 5-6 years ago when we set it up, but it might have improved since then. By not impressed I mean basically that it just didn't offer much - it seemed to function fine, and was easy enough to use, but I didn't see the value in it. Of course, we only get perhaps 1 or 2 password reset requests per month from our roughly 250 staff in three countries.

Kurt

On Tue, Dec 6, 2011 at 12:50, David Lum david@nwea.org wrote:
RE: Question on Self Service Password change for Active Directory
Another one to look at is ADSelfService Plus from ManageEngine.

Sean Rector, MCSE
Information Technology Manager
Virginia Opera Association
E-Mail: sean.rec...@vaopera.org
Phone: (757) 213-4548 (direct line)

Tickets and Subscriptions On Sale Now! Aida | Hansel And Gretel | Orphée | The Mikado
Visit us online at www.VaOpera.org or call 1-866-OPERA-VA. Experience the Beauty, Power Passion of Virginia Opera.

This e-mail and any attached files are confidential and intended solely for the intended recipient(s). Unless otherwise specified, persons unnamed as recipients may not read, distribute, copy or alter this e-mail. Any views or opinions expressed in this e-mail belong to the author and may not necessarily represent those of Virginia Opera. Although precautions have been taken to ensure no viruses are present, Virginia Opera cannot accept responsibility for any loss or damage that may arise from the use of this e-mail or attachments.

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, December 06, 2011 3:51 PM
To: NT System Admin Issues
Subject: RE: Question on Self Service Password change for Active Directory
RE: Question on Self Service Password change for Active Directory
NetWrix also has a solution (and they might have a free version as well).

Ithicos Solutions (www.ithicos.com) also has Directory Password.
http://www.ithicos.com/active-directory-tools/self-service-password-reset/directory-password.aspx

Disclaimer: Ithicos is owned by another Exchange MVP and he's a good friend of mine.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Tuesday, December 06, 2011 5:13 PM
To: NT System Admin Issues
Subject: RE: Question on Self Service Password change for Active Directory
RE: Question on Self Service Password change for Active Directory
“function fine, and was easy enough to use”

And inexpensive. And easy for me to set up. Anything that does that at a client that has no local onsite IT six days out of seven is a win in my book; I get zero “Joe user forgot his password, please help” calls. This client has police (not shockingly, some are short tempered when it comes to IT stuff like not being able to recover quickly from forgetting their password) and part-time firefighters, so it’s not an infrequent occurrence (happens in batches, actually).

Keeping guys with guns, Tasers and axes happy is a good thing ☺

I deployed it about 4 years ago so it’s likely identical to what you saw. It has also been 100% trouble free – haven’t touched it since the initial deployment, and I get notices every time they use it so I know they still do use it. A complete win for what I wanted from it at least.

Dave

From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, December 06, 2011 1:31 PM
To: NT System Admin Issues
Subject: Re: Question on Self Service Password change for Active Directory
Re: Question on Self Service Password change for Active Directory
Seems reasonable. Different use case for us, and it's withered on the vine. I don't believe anyone here has used it in about three years.

Part of our expectation for the product was that it would help us provision users. Unfortunately, several of our most important systems don't auth against AD, so it didn't scale.

Kurt

On Tue, Dec 6, 2011 at 14:59, David Lum david@nwea.org wrote:
Re: Question on Self Service Password change for Active Directory
I would think keeping guys with guns, Tasers and axes happy is a good thing; if they are a little short of patience, it would be a great thing.

Jon

On Tue, Dec 6, 2011 at 5:59 PM, David Lum david@nwea.org wrote:
RE: Question on Self Service Password change for Active Directory
I also know Jim and his solution came to mind when I read this thread.

Everybody and their brother sells one of these things - look at some of them, figure out what requirements you have, and get a few trials/demos.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, December 06, 2011 4:42 PM
To: NT System Admin Issues
Subject: RE: Question on Self Service Password change for Active Directory
Re: Question on Self Service Password change for Active Directory
How about spec ops? Good product and fairly inexpensive

Sent from my FriPad

On 2011-12-06, at 4:59 PM, David Lum david@nwea.org wrote:
RE: Question on Self Service Password change for Active Directory
Hitachi-ID Password Manager. I know it fairly well and it's solid.

From: Steve Ens [mailto:stevey...@gmail.com]
Sent: Tuesday, December 06, 2011 5:59 PM
To: NT System Admin Issues
Subject: Re: Question on Self Service Password change for Active Directory

How about spec ops? Good product and fairly inexpensive

Sent from my FriPad
RE: Question on Self Service Password change for Active Directory
http://www.thycotic.com/products_passwordresetserver_overview.html

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, December 06, 2011 3:18 PM
To: NT System Admin Issues
Subject: Question on Self Service Password change for Active Directory

I remember a while ago that someone (might have been Mr Lum) discussed a third-party product for an interface for password change/reset to cut down on calls to the help desk (was based on factors of authentication or answered known questions). I think it was Rdirectory or something close. Anyone have the 411 on it, or a link? My manager is asking about it.

Z

Edward E. Ziots, CISSP, Security+, Network+
Security Engineer
Lifespan Organization
email: ezi...@lifespan.org
phone: 401-639-3505
Re: RE: Tool to clone/move/copy/backup Active Directory
Me too - all the fun of finding a way to get those DCs that doubled up as file servers into a more sensible structure

On 20 June 2011 20:48, Guyer, Don don.gu...@fiserv.com wrote:

That's a throwback! I remember using that.

Don Guyer
Windows Systems Engineer
RIM Operations Engineering Distributed – A Team, Tier 2
Enterprise Technology Group
Fiserv
don.gu...@fiserv.com
Office: 1-800-523-7282 x 1673
Fax: 610-233-0404
www.fiserv.com

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
RE: Tool to clone/move/copy/backup Active Directory
Or even better, stand up a new forest and import the data you need for testing. The strategy of cloning into a VM and hopefully isolating it permanently has a way of not always going well.

The umove guys used to be the solution for converting PDCs and BDCs to member servers. Guess they found a new gig. First time I've seen their name in relation to AD.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

-----Original Message-----
From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Sunday, June 19, 2011 3:04 PM
To: NT System Admin Issues
Subject: Re: Tool to clone/move/copy/backup Active Directory

Or add a DC. Physically or virtually remove it, clean up the removal in your production. In test lab seize FSMO roles.
Re: Tool to clone/move/copy/backup Active Directory
"The umove guys used to be the solution for converting PDCs and BDCs to member servers. Guess they found a new gig. First time I've seen their name in relation to AD."

I was thinking the same thing...

ASB (Professional Bio: http://about.me/Andrew.S.Baker/bio)
Harnessing the Advantages of Technology for the SMB market...

On Mon, Jun 20, 2011 at 10:33 AM, Brian Desmond br...@briandesmond.com wrote:

Or even better, stand up a new forest and import the data you need for testing. The strategy of cloning into a VM and hopefully isolating it permanently has a way of not always going well.

The umove guys used to be the solution for converting PDCs and BDCs to member servers. Guess they found a new gig. First time I've seen their name in relation to AD.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
Re: RE: Tool to clone/move/copy/backup Active Directory
Yes, I remember now. The tool was called upromote. Used it a long time ago on NT4.

On 20 Jun 2011 16:34, Brian Desmond br...@briandesmond.com wrote:

Or even better, stand up a new forest and import the data you need for testing. The strategy of cloning into a VM and hopefully isolating it permanently has a way of not always going well.

The umove guys used to be the solution for converting PDCs and BDCs to member servers. Guess they found a new gig. First time I've seen their name in relation to AD.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
RE: RE: Tool to clone/move/copy/backup Active Directory
That's a throwback! I remember using that.

Don Guyer
Windows Systems Engineer
RIM Operations Engineering Distributed - A Team, Tier 2
Enterprise Technology Group
Fiserv
don.gu...@fiserv.com
Office: 1-800-523-7282 x 1673
Fax: 610-233-0404
www.fiserv.com

From: Rene de Haas [mailto:rene.deh...@gmail.com]
Sent: Monday, June 20, 2011 3:43 PM
To: NT System Admin Issues
Subject: Re: RE: Tool to clone/move/copy/backup Active Directory

Yes, I remember now. The tool was called upromote. Used it a long time ago on NT4.
Tool to clone/move/copy/backup Active Directory
I'm in the process of making a replica of my production servers in the lab so I can test upgrading some applications.

I've come across a tool called UMove (http://utools.com/UMove) which seems to make it easy to copy Active Directory to a virtual machine.

Is anyone using this tool or has anyone tested it?

Thanks,
Shazad
RE: Tool to clone/move/copy/backup Active Directory
Use one of many uncountable free imaging wares to take an image and restore it into a VM?

From: sha...@hackulous.co.uk [mailto:sha...@hackulous.co.uk]
Sent: Sunday, June 19, 2011 7:02 AM
To: NT System Admin Issues
Subject: Tool to clone/move/copy/backup Active Directory

I'm in the process of making a replica of my production servers in the lab so I can test upgrading some applications.

I've come across a tool called UMove (http://utools.com/UMove) which seems to make it easy to copy Active Directory to a virtual machine.

Is anyone using this tool or has anyone tested it?

Thanks,
Shazad
Re: Tool to clone/move/copy/backup Active Directory
Or add a DC. Physically or virtually remove it, clean up the removal in your production. In test lab seize FSMO roles.

On Sunday, June 19, 2011, Joseph L. Casale jcas...@activenetwerx.com wrote:

Use one of many uncountable free imaging wares to take an image and restore it into a VM?
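The two approaches in this thread, as an added example rather than anything posted by the participants: Jonathan's "add a DC, pull it into the lab, seize the roles, clean up the metadata" procedure as the commands an admin would type, followed by Brian's alternative of a fresh lab forest populated from an export. It assumes Server 2008 R2 or later with the ActiveDirectory module (RSAT) on both sides; the DC names (LABDC01), the interface name, the OU and the paths are assumptions. One point the thread leaves implicit is worth stating: the cloned VM carries the whole NTDS.dit, so every production password hash, krbtgt included, now sits in the lab and stays valid in production.

```powershell
# Added example (not from the thread). Names, site, OU and paths are assumptions.
Import-Module ActiveDirectory

$LabDc    = 'LABDC01'                       # throwaway DC promoted in production, then moved to the lab
$DomainDn = (Get-ADDomain).DistinguishedName

function Remove-StaleDcMetadata {
    # Remove a DC that will never come back from the directory's view of the
    # topology. ntdsutil cleans the NTDS Settings object, server object and
    # replication links in one step; deleting only the computer object is not
    # sufficient on older schemas.
    param([Parameter(Mandatory)][string]$ServerObjectDn)
    & ntdsutil.exe 'metadata cleanup' "remove selected server $ServerObjectDn" quit quit
}

# --- Production side, after LABDC01 has been shut down and its disk exported to the lab ---
# Production still believes LABDC01 is a live replication partner. Remove it so
# no DC keeps queuing changes for it, and so it can never re-join by accident.
$stale = Get-ADDomainController -Identity $LabDc
Remove-StaleDcMetadata -ServerObjectDn $stale.ServerObjectDN
# Confirm nothing still references it before moving on.
repadmin /showrepl * /errorsonly
Get-ADDomainController -Filter * | Select-Object Name, Site, OperationMasterRoles

# --- Lab side, on LABDC01, on an isolated network with no route to production ---
# The lab DC has to answer its own DNS queries; the production DNS servers are gone.
netsh interface ip set dns name="Local Area Connection" static 127.0.0.1   # assumption: interface name

# Seize every role. The real holders are unreachable, so a transfer would hang.
Move-ADDirectoryServerOperationMasterRole -Identity $LabDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# Every production DC is still present in the lab copy's topology. Clean each one
# up so the lab DC stops trying to replicate with hosts it will never see.
Get-ADDomainController -Filter * |
    Where-Object { $_.Name -ne $LabDc } |
    ForEach-Object { Remove-StaleDcMetadata -ServerObjectDn $_.ServerObjectDN }

# The lab VM now holds every production secret (each account's password hash,
# krbtgt included) and those credentials still work against production.
# Treat the VM like a production DC: restricted access, encrypted storage,
# destroyed when the test is over.

# --- Brian's alternative: a fresh lab forest with only the objects you need ---
# Export attributes from production (no secrets leave the domain) ...
Get-ADUser -Filter * -SearchBase "OU=Staff,$DomainDn" -Properties DisplayName, Department |   # assumption: OU=Staff
    Select-Object SamAccountName, GivenName, Surname, DisplayName, Department |
    Export-Csv -Path C:\lab\users.csv -NoTypeInformation

# ... then, in the lab forest, recreate the accounts with throwaway passwords.
Add-Type -AssemblyName System.Web
Import-Csv C:\lab\users.csv | ForEach-Object {
    $pw = ConvertTo-SecureString ([System.Web.Security.Membership]::GeneratePassword(16, 3)) -AsPlainText -Force
    New-ADUser -Name $_.SamAccountName -SamAccountName $_.SamAccountName `
        -GivenName $_.GivenName -Surname $_.Surname -DisplayName $_.DisplayName `
        -Department $_.Department -AccountPassword $pw -Enabled $true
}
```

The order on the lab side matters: seize the roles before running the metadata cleanup, because ntdsutil refuses to remove a server that still holds a role. Brian's route costs a little more setup but the lab forest never contains a production hash, which is the reason to prefer it whenever the test does not depend on the exact production directory contents.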
Re: Changing [most] login names in Active Directory
We are not an Exchange shop. (We are currently a Domino/Notes shop. I've learned the hard way how painful name changes are there!)

We had two locations, which began independently, merge. The current business model calls for complete standardization across all locations. One location had account names FirstNameFirstInitialOfLastName (i.e., richardm), and one location was FirstInitialOfFirstNameLastName (i.e., rmcclary). Those of us in the trenches would prefer to have the policies apply to new accounts only.

So, the reason for posting this was, first, hoping some folks would point out some of the issues I may have missed in my original posting in order to avoid a user denied services because an old account name existed somewhere. We are also wanting to have as complete a list as possible in order to determine the resources required to make these changes company-wide.

Thanks!
--
richard

Andrew S. Baker asbz...@gmail.com
04/20/2011 10:44 PM
Please respond to NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Changing [most] login names in Active Directory

Richard, what is the business driver for the secondary parts of this request? The name change is fine, but what is the benefit of changing all the other parts?

Are you using Exchange? Are the aesthetics going to be changed there as well?

-ASB: http://about.me/Andrew.S.Baker
Sent from my Motorola Droid

On Apr 20, 2011 2:17 PM, richardmccl...@aspca.org wrote:

Greetings!

Our company (around 500 or so people) is considering changing the login names for possibly all our users. For example, I may be changed from logging in as richardm to richardm01, etc. Being changed from one login name to another is just one field in Active Directory Users and Computers (ADUC). However...

1. For housekeeping purposes, we would like to have the name of the home directory for each user match the new login name. This gets complicated as, if the folder is its own share (i.e., .\richardm$), then the folder would first need to be un-shared. Then it could be renamed and re-shared. Then it's back to ADUC to change the path for the share and perhaps the roaming profile (if it is not inside the user's home directory).

2. We know of at least two applications (help desk system and telephone user client) which authenticate using AD. So, the administration client for whatever applications we can remember would need to be used to make the name changes, one at a time.

So, I've been told to ask the forum:

1. Has anyone else done a mass login-name rename, company-wide? We have done it on an individual basis, but not company-wide.

2. For local profiles... should we consider changing those as well (for housekeeping purposes)? I believe that would involve renaming the folder in Documents and Settings and also adding the path in ADUC. (That field is most likely blank for users currently with no roaming profile.) Once the profile folder is renamed, would permissions change as well (and then need to be changed)? Thing is here, if we do not do this correctly, then the user logs in and no longer has their desktop icons, their My Documents folder, and most user settings are back to the default. Administrators would then need to have that person log out, then copy the contents of the old profile folder into the new profile folder and adjust the permissions. Example: they rename my .\richardm\ profile folder to .\richardm01. In my experience, there's a worse than even chance that when I log in, I'll not have my docs and settings. An administrator will look at the file system and see that, besides the .\richardm01 folder, there is a new .\richardm01.001 folder.

3. If so, were there issues other than those mentioned?

Thank you...
--
Richard D. McClary Jr
Infrastructure Architect, Information Technology Group
ASPCA®
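The rename procedure Richard lays out (logon name in ADUC, then unshare, rename and re-share the home folder, then point the account at the new share and profile path), as an added example that is not from the thread. It runs on Server 2008 R2 or later with the ActiveDirectory module and PowerShell remoting to the file server; the server name FS01, the home-share root D:\Home, the richardm to richardm01 scheme and the hidden-share naming are assumptions. The script relies on a fact the thread does not spell out: a rename changes only the names, never the SID, so group memberships, NTFS ACLs and the local profile (which Windows keys by SID under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList) keep working with no edits.

```powershell
# Added example (not from the thread). FS01, D:\Home and the naming scheme are assumptions.
Import-Module ActiveDirectory

function Rename-UserLogin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OldName,
        [Parameter(Mandatory)][string]$NewName,
        [string]$FileServer = 'FS01',          # assumption
        [string]$HomeRoot   = 'D:\Home'        # assumption: local path of the home-share root on FS01
    )

    $domain = Get-ADDomain
    # Keep the object reference (GUID/DN); the sAMAccountName is about to change.
    $user = Get-ADUser -Identity $OldName -Properties HomeDirectory, HomeDrive, ProfilePath

    # 1. The directory. Only the logon names change. The SID does not, so ACLs,
    #    group memberships and the SID-keyed local profile are untouched.
    if ($PSCmdlet.ShouldProcess($OldName, "rename logon to $NewName")) {
        Set-ADUser -Identity $user -SamAccountName $NewName `
            -UserPrincipalName "$NewName@$($domain.DNSRoot)"
    }

    # 2. The home folder on the file server. A folder that is its own share
    #    cannot be renamed while the share exists, hence unshare first.
    #    net share works on 2003/2008 alike; the NTFS ACL on the folder stays as it is.
    if ($user.HomeDirectory -and $PSCmdlet.ShouldProcess($FileServer, "move share $OldName`$ to $NewName`$")) {
        Invoke-Command -ComputerName $FileServer -ArgumentList $OldName, $NewName, $HomeRoot, $domain.NetBIOSName -ScriptBlock {
            param($old, $new, $root, $nb)
            net share "$old`$" /delete
            Rename-Item -Path (Join-Path $root $old) -NewName $new
            net share "$new`$=$(Join-Path $root $new)" "/grant:$nb\$new,FULL"
        }
        Set-ADUser -Identity $user -HomeDirectory "\\$FileServer\$NewName`$" -HomeDrive $user.HomeDrive
    }

    # 3. Roaming profile path, only when one is set and it lives inside the home share.
    $oldShare = "\\$FileServer\$OldName`$"
    if ($user.ProfilePath -and $user.ProfilePath.StartsWith($oldShare, 'OrdinalIgnoreCase')) {
        $newProfile = "\\$FileServer\$NewName`$" + $user.ProfilePath.Substring($oldShare.Length)
        Set-ADUser -Identity $user -ProfilePath $newProfile
    }

    # The old sAMAccountName is now free. Do not let a new hire take it: any
    # application that authorises by user name rather than SID (the help desk
    # and phone clients Richard mentions) would hand the newcomer the old
    # owner's access.
}

# Dry run first, then for real.
Rename-UserLogin -OldName richardm -NewName richardm01 -WhatIf
Rename-UserLogin -OldName richardm -NewName richardm01
```

A company-wide run is this function in a loop over a CSV of old and new names, with -WhatIf on the first pass. What the script cannot reach is exactly what Richard identifies as the manual work: applications that authenticate against AD but store the logon name in their own database have to be updated through their own administration clients, and a list of those is the thing to build before the first rename.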
Re: Changing [most] login names in Active Directory
Applying the policy to new accounts or to existing accounts is easy enough. My question pertains more to the idea of including home directories and other back-end portions of the infrastructure that don't have a visible user impact.

ASB (Professional Bio http://about.me/Andrew.S.Baker/bio)
Harnessing the Advantages of Technology for the SMB market...

On Fri, Apr 22, 2011 at 11:09 AM, richardmccl...@aspca.org wrote:

We are not an Exchange shop. (We are currently a Domino/Notes shop. I've learned the hard way how painful name changes are there!) We had two locations, which began independently, merge. The current business model calls for complete standardization across all locations. One location had account names FirstNameFirstInitialOfLastName (i.e., richardm), and one location was FirstInitialOfFirstNameLastName (i.e., rmcclary). Those of us in the trenches would prefer to have the policies apply to new accounts only.

So, the reason for posting this was, first, hoping some folks would point out some of the issues I may have missed in my original posting in order to avoid a user denied services because an old account name existed somewhere. We are also wanting to have as complete a list as possible in order to determine the resources required to make these changes company-wide.

Thanks!
-- richard

Andrew S. Baker asbz...@gmail.com 04/20/2011 10:44 PM
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Changing [most] login names in Active Directory
Changing [most] login names in Active Directory
Greetings!

Our company (around 500 or so people) is considering changing the login names for possibly all our users. For example, I may be changed from logging in as richardm to richardm01, etc. Being changed from one login name to another is just one field in Active Directory Users and Computers (ADUC). However...

1. For housekeeping purposes, we would like to have the name of the home directory for each user to match the new login name. This gets complicated as, if the folder is its own share (i.e., .\richardm$), then the folder would first need to be un-shared. Then it could be re-named and re-shared. Then it's back to ADUC to change the path for the share and perhaps the roaming profile (if it is not inside the user's home directory).

2. We know of at least two applications (help desk system and telephone user client) which authenticate using AD. So, the administration client for whatever applications we can remember would need to be used to make the name changes, one at a time.

So, I've been told to ask the forum:

1. Has anyone else done a mass login-name rename, company-wide? We have done it on an individual basis, but not company-wide.

2. For local profiles... should we consider changing those as well (for housekeeping purposes)? I believe that would involve renaming the folder in Documents and Settings and also adding the path in ADUC. (That field is most likely blank for users currently with no roaming profile.) Once the profile folder is re-named, would permissions change as well (and then need to be changed)? Thing is here, if we do not do this correctly, then the user logs in and no longer has their desktop icons, their My Documents folder, and most user settings are back to the default. Administrators would then need to have that person log out, then copy the contents of the old profile folder into the new profile folder and adjust the permissions. Example: they rename my .\richardm\ profile folder to .\richardm01. In my experience, there's a worse than even chance that when I log in, I'll not have my docs and settings. An administrator will look at the file system and see that, besides the .\richardm01 folder, there is a new .\richardm01.001 folder.

3. If so, were there issues other than those mentioned?

Thank you...

--
Richard D. McClary Jr
Infrastructure Architect, Information Technology Group
ASPCA®
RE: Changing [most] login names in Active Directory
I would start out testing a script to do this for one user at a time. After you perfect that, it should scale easily. Changing settings in ADUC is easily done using AdMod. Sharing can be handled with Net Share. Use Reg.exe for the registry. Tie 'em all together in a bat file and use the For command to enumerate through all users. Of course you can also use vbscript, powershell or any other language you're comfortable with.

For profile paths, I would change them server side, but ignore them on the local side. They will take care of themselves as you replace machines in the future. If you do want to change local, you'll need to edit the path in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to avoid the folder names with .001.

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Wednesday, April 20, 2011 1:17 PM
To: NT System Admin Issues
Subject: Changing [most] login names in Active Directory
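As an added example (not the reply author's script, nor anything from the list), here is the one-user-at-a-time workflow from the reply above written in PowerShell: un-share, rename and re-share the home folder, then update the login and the ADUC profile-tab paths. The server name FS01, the home root D:\Home and the Invoke-NetShare helper are assumptions; the script expects the RSAT ActiveDirectory module and is meant to run on the file server that hosts the home folders.

```powershell
# Added example: rename one user's login and re-home the matching home share.
# Assumptions (adjust to your environment): RSAT ActiveDirectory module installed,
# script runs on the file server, home folders live under $HomeRoot and each one
# is published as a hidden share named <login>$. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $OldName,           # e.g. richardm
    [Parameter(Mandatory)] [string] $NewName,           # e.g. richardm01
    [string] $HomeRoot   = 'D:\Home',                   # placeholder local path
    [string] $FileServer = $env:COMPUTERNAME            # placeholder, e.g. FS01
)
Import-Module ActiveDirectory -ErrorAction Stop

function Invoke-NetShare {
    # Hypothetical helper: runs "net share" with the given arguments and stops
    # the whole run on any failure, so a half-renamed user is never left behind.
    param([string[]] $ShareArgs)
    Write-Verbose ("net share " + ($ShareArgs -join ' '))
    & net share @ShareArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share $($ShareArgs -join ' ') failed ($LASTEXITCODE)" }
}

# 1. Pre-flight. Refuse if the new login is already taken: an account that quietly
#    inherits somebody else's old name is the "user denied services because an old
#    account name existed somewhere" case the original poster is worried about.
if (Get-ADUser -LDAPFilter "(sAMAccountName=$NewName)") {
    throw "sAMAccountName '$NewName' already exists; aborting."
}
$user    = Get-ADUser -Identity $OldName -Properties homeDirectory, profilePath
$domain  = (Get-ADDomain).NetBIOSName
$oldPath = Join-Path $HomeRoot $OldName
$newPath = Join-Path $HomeRoot $NewName
if (-not (Test-Path $oldPath)) { throw "Home folder $oldPath not found" }
if (Test-Path $newPath)        { throw "Target folder $newPath already exists" }

# 2. Un-share, rename, re-share. NTFS permissions are stored by SID, so they survive
#    the folder rename untouched; only the share itself has to be rebuilt. The share
#    permission is granted while the account still carries its old name (AD
#    replication of the rename may lag); the grant is stored as a SID anyway.
if ($PSCmdlet.ShouldProcess("$OldName`$", 'remove share')) {
    Invoke-NetShare -ShareArgs "$OldName`$", '/DELETE'
}
if ($PSCmdlet.ShouldProcess($oldPath, "rename to $newPath")) {
    Rename-Item -Path $oldPath -NewName $NewName -ErrorAction Stop
}
if ($PSCmdlet.ShouldProcess("$NewName`$", "create share on $newPath")) {
    Invoke-NetShare -ShareArgs "$NewName`$=$newPath", "/GRANT:$domain\$OldName,FULL"
}

# 3. Update the directory: the login itself plus the paths ADUC shows on the
#    Profile tab. profilePath is rewritten only when it pointed inside the old
#    home share; a roaming profile stored elsewhere is left for a separate pass.
$set = @{
    Identity       = $user
    SamAccountName = $NewName
    HomeDirectory  = "\\$FileServer\$NewName`$"
}
$oldShare = "\\$FileServer\$OldName`$"
if ($user.profilePath -and $user.profilePath -like "$oldShare*") {
    $set.ProfilePath = $user.profilePath -replace [regex]::Escape($oldShare), "\\$FileServer\$NewName`$"
}
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "rename login to $NewName")) {
    Set-ADUser @set
}
# userPrincipalName and the object's CN are deliberately left alone, matching the
# scope of the original post (one ADUC field plus the home-directory housekeeping).
```

Wrap the call in the For loop or ForEach-Object over a CSV of old/new names once a single user renames cleanly, as the reply suggests; the pre-flight throw is what keeps a bad row from clobbering an existing account.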
Re: Changing [most] login names in Active Directory
Richard, what is the business driver for the secondary parts of this request? The name change is fine, but what is the benefit of changing all the other parts? Are you using Exchange? Are the aesthetics going to be changed there as well?

-ASB: http://about.me/Andrew.S.Baker
Sent from my Motorola Droid

On Apr 20, 2011 2:17 PM, richardmccl...@aspca.org wrote:
Re: Restricting groups in Active Directory
Wow, this thread went off on one. Not to try and resurrect it or anything, but I recall that you mentioned some strange permissions on DCs that could be inherited by the Server Operators group. Do you have any further details on these - purely out of interest. I know a few admins who've used the group for certain things and I might mention it to them when I see them next.

Cheers,

On 30 September 2010 23:16, Brian Desmond br...@briandesmond.com wrote:

Alright guys. I really am flattered that you all respect me so much in this space, but, we need to remember that everyone is entitled to their own opinion regardless of whether or not we agree with them. William and I chatted offline and we're good, so I think at this point we need to just kill this thread.

To circle back to the technical details of the OP's long lost question, whatever you deny can be worked around by someone in the Domain Admins group if they so desire. You need to have a serious discussion with your management chain and if they're not going to listen and I were in your shoes I'd suggest they hire a third party consultant to review your design and their requirements and determine how to best merge them.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: John Cook [mailto:john.c...@pfsf.org]
Sent: Thursday, September 30, 2010 5:12 PM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

Are you guys blasting Shookie again?

John W. Cook
Systems Administrator
Partnership for Strong Families

--
From: William Robbins dangerw...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Sent: Thu Sep 30 17:59:00 2010
Subject: Re: Restricting groups in Active Directory

Micrometers.

- WJR

On Thu, Sep 30, 2010 at 16:58, Mathew Shember mathew.shem...@synopsys.com wrote:

Isn't that what tweezers are for?

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
Sent: Thursday, September 30, 2010 2:56 PM
To: NT System Admin Issues
Subject: RE: Restricting groups in Active Directory

are the measurement increments on your tape measure small enough?

Kim Longenbaugh k...@colonialsavings.com 9/30/2010 2:44 PM

Do you have a tape measure or would you like to borrow one?

From: Mathew Shember [mailto:mathew.shem...@synopsys.com]
Sent: Thursday, September 30, 2010 4:43 PM
To: NT System Admin Issues
Subject: RE: Restricting groups in Active Directory

Alright I will ask. What exactly are your credentials?

Thanks,
Mathew

From: William J. Robbins [mailto:dangerw...@gmail.com]
Sent: Thursday, September 30, 2010 2:39 PM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

Look I didn't start picking his statement apart without asking who he was or what his experience is. He did it to me. No one seems interested to know my credentials so I'm not about to start some technical d!ck measuring contest. Fact is I've seen his resume and I've been doing this longer. I'm glad he had the opportunity to work at HP and all the benefits an MS partnered company incurs, like MVP status, and publishing books. I know lots of HP folks who've done the same. Just because I'm not working as a consultant to run in put a directory in and fly off...doesn't mean I don't have experience. Now if you'll excuse me there is a Guinness with my name on it calling me.

WJR - from my Crackberry.
If you find yourself in a fair fight, your tactics suck.

From: Webster carlwebs...@gmail.com
Date: Thu, 30 Sep 2010 16:29:21 -0500
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
ReplyTo: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Restricting groups in Active Directory

Did you actually just ask Brian Desmond that? To continue the thought, how many conferences have you spoken at? How many books have you written or been asked to provide content for? How long has Microsoft recognized you for your AD expertise? As an MCT, Microsoft hasn't recommended or taught the empty root forest design in a long time.

Just my $0.02US worth

Webster

From: William Robbins [mailto:dangerw...@gmail.com]
Subject: Re: Restricting groups in Active Directory

I see. And how many directories have you designed for Fortune 500 companies? I'm protecting them from people that think it's no big deal to continue to design a directory as if it were still 1996...but that's just me and my 10 years of experience designing directories for enterprise environments talking. You go right ahead doing it your way, I'll do it mine.
Re: Restricting groups in Active Directory
good choice

Now if you'll excuse me there is a Guinness with my name on it calling me.

WJR - from my Crackberry.
If you find yourself in a fair fight, your tactics suck.
RE: Restricting groups in Active Directory
Offhand I don't remember, but, if you go in GPMC and open up the Default Domain DC policies, you can browse down to computer\windows settings\security settings\user rights assignment and browse through there assuming you haven't twiddled with the defaults.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Friday, October 01, 2010 1:22 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory
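Rather than reading the Default Domain Controllers Policy by hand in GPMC as Brian describes, the same question (which rights does Server Operators, or any group, actually hold on this DC?) can be answered from the machine itself. This is an added example, not code from anyone on the list; it relies on secedit's export format and on the well-known SID of BUILTIN\Server Operators, and the list of "sensitive" rights it flags is my own choice.

```powershell
function Get-GroupUserRights {
    <#
    Added example. Exports the user-rights assignment in effect on the local
    machine (run it elevated on a DC to see what the Default Domain Controllers
    Policy has applied) and returns every right held by one group.
    secedit /export writes an INI-style file whose [Privilege Rights] section maps
    each right to a comma-separated list of entries such as *S-1-5-32-549, so
    built-in groups appear as SIDs and are matched by SID rather than by name.
    #>
    [CmdletBinding()]
    param(
        [string] $Group = 'BUILTIN\Server Operators',
        # Rights a defender would not expect a non-administrator operator group
        # to hold; each of these is enough to reach data or code it should not.
        [string[]] $Sensitive = @('SeBackupPrivilege', 'SeRestorePrivilege',
                                  'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
                                  'SeDebugPrivilege', 'SeTcbPrivilege',
                                  'SeEnableDelegationPrivilege')
    )
    $account = New-Object System.Security.Principal.NTAccount($Group)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $bare    = ($Group -split '\\')[-1]          # name form, in case the export uses it

    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit $LASTEXITCODE); run from an elevated prompt"
        }
        $inSection = $false
        # secedit writes the file as UTF-16; say so explicitly rather than rely on BOM sniffing.
        foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inSection) { continue }
            if ($line -notmatch '^(?<right>Se\w+)\s*=\s*(?<holders>.+)$') { continue }
            $right   = $Matches['right']
            $holders = $Matches['holders'] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            if (($holders -contains $sid) -or ($holders -contains $bare)) {
                [pscustomobject]@{
                    Group     = $Group
                    Right     = $right
                    Sensitive = ($Sensitive -contains $right)
                }
            }
        }
    }
    finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

# Usage: list the rights with the sensitive ones first, then compare against what
# GPMC shows under Default Domain Controllers Policy > User Rights Assignment.
Get-GroupUserRights | Sort-Object Sensitive -Descending | Format-Table -AutoSize
```

Run it once with the defaults and once with -Group for each custom group you delegate to; any Sensitive=True row on a group that is not supposed to be an administrator is the kind of inherited DC permission James is asking about.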
Restricting groups in Active Directory
I've just started a new job and we're building an all-new infrastructure. One of the key things I'm looking at is restricting access to the most sensitive functions of some of the infrastructure, mainly in VMWare and XenApp. I'm currently looking at doing this by using AD groups - creating groups for each support team and adding those groups to the relevant areas in XenApp and VirtualCenter to give them the necessary permissions.

However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group? Could I edit the ACL for these groups and Deny Domain Admins the Modify Ownership privilege? Or can they override that as well somehow? Is there some way I could handle this even if everyone gets given Domain Admin access, or will I have to convince them to do things *properly* using delegation of privilege?

All input is welcomed,

TIA,

JRR

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
Re: Restricting groups in Active Directory
This is Windows 2008 R2 single domain, for the record

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

On 30 September 2010 12:49, James Rankin kz2...@googlemail.com wrote:
Re: Restricting groups in Active Directory
If the vCenter server is domain joined, the simple answer is... You're screwed. From both ways.

-Anders

On Thu, Sep 30, 2010 at 1:49 PM, James Rankin kz2...@googlemail.com wrote:
~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
Re: Restricting groups in Active Directory
The short answer is yes, if they are domain admins they can do anything they like provided they have the knowledge. Including adding themselves to the Enterprise Admins group, since you said you were in a single domain, which I interpret as no empty root. You could change the ACLs, but again they can undo that with the knowledge. The help desk!? Seriously? Well, good luck to you in the new position, sounds like you may need some.

WJR - from my Crackberry. If you find yourself in a fair fight, your tactics suck.

-Original Message-
From: James Rankin kz2...@googlemail.com
Date: Thu, 30 Sep 2010 12:49:52
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Restricting groups in Active Directory
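The question above is really "who can rewrite this group?" The following is an added example, not code from anyone in the thread: it reads the ACL of a delegated group from a domain controller and lists every ACE that allows or denies changing the member attribute, the DACL or the owner, plus the current owner. It assumes the RSAT ActiveDirectory module is installed (for the AD: drive) and uses a placeholder group name.

```powershell
# Added example (not from the thread). Lists the ACEs on a delegated group that control
# membership edits, DACL edits and ownership, plus the current owner.
# Assumes the RSAT ActiveDirectory module; the group name is a placeholder.
Import-Module ActiveDirectory

$GroupName = 'VMware-Admins'   # placeholder: the support-team group being delegated to

$group = Get-ADGroup -Identity $GroupName
$acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"

# schemaIDGUID of the 'member' attribute: an ACE scoped to it grants/denies membership edits.
# An ACE whose ObjectType is the empty GUID applies to every attribute, so it counts too.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$rights     = [System.DirectoryServices.ActiveDirectoryRights]

# Flag test done on integers so a zero result is reliably false
function Test-Right($ace, $flag) { ([int]$ace.ActiveDirectoryRights -band [int]$flag) -ne 0 }

"Group: $($group.DistinguishedName)"
"Owner: $($acl.Owner)"

$acl.Access |
    Where-Object {
        (Test-Right $_ $rights::GenericAll) -or
        (Test-Right $_ $rights::WriteDacl)  -or
        (Test-Right $_ $rights::WriteOwner) -or
        ((Test-Right $_ $rights::WriteProperty) -and
         ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [Guid]::Empty))
    } |
    Sort-Object AccessControlType, IdentityReference |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize
```

What the listing makes visible is why a Deny on "Modify Owner" for Domain Admins is not a durable control: members of Domain Admins sit in the domain controllers' built-in Administrators group, which holds the "Take ownership of files or other objects" user right, and an owner implicitly has permission to rewrite the DACL. The people the deny is aimed at can undo it, which is WJR's point; the durable fix is fewer Domain Admins, delegation, and auditing of changes.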
RE: Restricting groups in Active Directory
In scenarios like this, your fallback is auditing, reporting and repercussions. It's why they count how many missiles you fire when you're flying around in a fighter jet ;o) If you don't have that, they'll do what they want.

a

From: William J. Robbins [mailto:dangerw...@gmail.com]
Sent: 30 September 2010 13:05
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory
Re: Restricting groups in Active Directory
I am seriously going to try to get them to accept Server Operators level as a compromise. They can still kill servers all they want, but they should be able to be locked out of the finer points of VMWare, XenApp and AppSense. Time for my first head-butting session with management in this job. If they won't budge - it's going straight on the (not yet existent) risk register.

Cheers,

On 30 September 2010 13:05, William J. Robbins dangerw...@gmail.com wrote:

-- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
Re: Restricting groups in Active Directory
Documentation is an absolute must. :) Adding to what another person offered, ensure you have auditing enabled, and add that to your documentation. I'll hope your management is able to understand.

WJR - from my Crackberry. If you find yourself in a fair fight, your tactics suck.

-Original Message-
From: James Rankin kz2...@googlemail.com
Date: Thu, 30 Sep 2010 13:19:16
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Restricting groups in Active Directory
Re: Restricting groups in Active Directory
On Thu, Sep 30, 2010 at 7:49 AM, James Rankin kz2...@googlemail.com wrote:

However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?

You might need to enlist the assistance of... dare I say it? ... Auditors. If everyone is a domain admin, then they can all do whatsoever they want in the domain. Seriously, is your organization not subject to some sort of regulatory compliance? Who is your CTO/CIO?

ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker
Exploiting Technology for Business Advantage...
Re: Restricting groups in Active Directory
I am raising this up with IS management, as it is unsupportable - there's no point in me putting a structure together that can just be pulled apart at will. There's no way around it, so I'm just going to have to trust in my own stubbornness to get the buy-in I need :-) Audit was going to be one of the hot words to throw into the debate, though. I'd be interested myself in seeing the results of any previous audits they've had here.

On 30 September 2010 14:08, Andrew S. Baker asbz...@gmail.com wrote:

-- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
RE: Restricting groups in Active Directory
I just finished a two-year project at one of my clients (not full-time for me; but they had someone working on it full-time). We went from 64 accounts in Domain Admins down to 4. There was much wailing and gnashing of teeth - but now, whenEVER something changes in AD - we have a way to find out who did it. Plausible deniability is gone. Shockingly (NOT), things are much more stable now. Fewer cooks in the kitchen is a very good thing.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, September 30, 2010 9:18 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory
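The "we have a way to find out who did it" record Michael describes, and the auditing that "a", WJR and Andrew recommend, comes from the Security log on the domain controllers once the "Audit Security Group Management" subcategory is enabled. The script below is an added example, not code from anyone in the thread: it pulls the member-added and member-removed events for a set of sensitive groups from one DC and shows which account made each change. The DC name and the group names are placeholders.

```powershell
# Added example (not from the thread). Reports who added or removed members of sensitive
# groups, from a domain controller's Security log. Requires "Audit Security Group Management"
# auditing on the DCs. DC name and group names are placeholders.
$DomainController = 'DC01'
$WatchedGroups    = 'Domain Admins', 'Enterprise Admins', 'VMware-Admins'
$Since            = (Get-Date).AddDays(-7)

# 4728/4732/4756 = member added to a global/local/universal security group
# 4729/4733/4757 = member removed from one
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = $AddIds + $RemoveIds
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The named fields of each event sit in EventData/Data[@Name]; read them into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName is the group that was changed; skip groups we are not watching
    if ($WatchedGroups -notcontains $data['TargetUserName']) { continue }

    $action = if ($AddIds -contains $e.Id) { 'Added' } else { 'Removed' }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Action = $action
        Group  = $data['TargetUserName']
        Member = $data['MemberName']      # distinguished name of the account added/removed
        Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        DC     = $e.MachineName
    }
}
```

Each DC logs only the changes it processed, so in a multi-DC domain the script is run against every DC (or the Security logs are forwarded to a collector first). The output is what turns "everyone is a Domain Admin" from plausible deniability into an attributable change.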
RE: Restricting groups in Active Directory
Ask why they need to be domain admins and not just have the necessary permissions delegated. My Service Desk guys were domain admins from the day they started (in some cases years) and they insisted they needed to be domain admins to do x, y and z. Oddly, I was able to delegate the necessary functions and they haven't been domain admins for many months now. The Win2K servers were sticky since Win2K doesn't have a Remote Desktop Users group, but Restricted Groups helped me out there - they're local admins on the Win2K Server boxes but not domain admins. You can make them local admins of a server without them being domain admins, and using GPOs you'll be able to track who is admin on what instead of going to each machine one by one. No clue if this would help what you're fighting though.

Dave

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, September 30, 2010 6:18 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory
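Once the Domain Admins count has been brought down (Dave's delegation, Michael's 64-to-4 project), the thing to keep checking is that it stays down. This is an added example, not code from anyone in the thread: it flattens the membership of each privileged group, compares it with an approved list, and reports anyone who is there but should not be (or is missing). It assumes the RSAT ActiveDirectory module; the group names and approved account names are placeholders.

```powershell
# Added example (not from the thread). Compares the flattened membership of each
# privileged group with an approved baseline and reports drift.
# Assumes the RSAT ActiveDirectory module; group and account names are placeholders.
Import-Module ActiveDirectory

$Baseline = @{
    'Domain Admins'     = 'da-alice', 'da-bob', 'da-carol', 'da-dave'   # placeholders
    'Enterprise Admins' = 'ea-break-glass'                               # placeholder
}

function Get-PrivilegedGroupDrift {
    param([hashtable]$Baseline)

    foreach ($groupName in $Baseline.Keys) {
        # -Recursive walks nested groups, so an account tucked inside a nested group still shows up
        $members  = @(Get-ADGroupMember -Identity $groupName -Recursive |
                      Where-Object { $_.objectClass -eq 'user' } |
                      Select-Object -ExpandProperty SamAccountName)
        $approved = @($Baseline[$groupName])

        [pscustomobject]@{
            Group       = $groupName
            MemberCount = $members.Count
            Unexpected  = @($members  | Where-Object { $approved -notcontains $_ })
            Missing     = @($approved | Where-Object { $members  -notcontains $_ })
        }
    }
}

$drift = Get-PrivilegedGroupDrift -Baseline $Baseline

$drift | Format-Table Group, MemberCount,
    @{ n = 'Unexpected'; e = { $_.Unexpected -join ', ' } },
    @{ n = 'Missing';    e = { $_.Missing    -join ', ' } } -AutoSize

# Non-zero exit so a scheduled task or monitoring job can alert on drift
if ($drift | Where-Object { $_.Unexpected.Count -gt 0 }) { exit 1 }
```

Run on a schedule, this is the state-based counterpart to the event-log audit: the log tells you who made a change, and this tells you whether the group still matches what was agreed, including members that arrived through group nesting rather than a direct add.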
Re: Restricting groups in Active Directory
Oh, I'm a fully paid-up member of the choir on this one, and I have seen all the benefits first hand. I just get the feeling these guys are going to be more of a PITA than any I've worked with before.

On 30 September 2010 14:22, Michael B. Smith mich...@smithcons.com wrote:

-- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
Re: Restricting groups in Active Directory
I'm fearful that IS management will be of no help to you, since they haven't been able to prevent the situation from occurring to this point. Really, this is 2010. Do we even need to *have* this discussion about admin levels and appropriate level of rights? My guess is that you better start thinking about how much political clout you're going to expend on this. I'd say it is one of the most important battles you can fight for, but the ultimate decision is up to you. :)

ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker
Exploiting Technology for Business Advantage...

On Thu, Sep 30, 2010 at 9:18 AM, James Rankin kz2...@googlemail.com wrote:
RE: Restricting groups in Active Directory
What are they trying to accomplish? Do they believe that everyone needs domain admin rights just to change passwords or unlock accounts? I'd try to find out what they need to do and then restrict them accordingly. Help desk doesn't need rights to be able to change administrator passwords, free rein to all files, and add machines to the domain (just to name a few).
Re: Restricting groups in Active Directory
I wasn't having a discussion about appropriate levels of rights - I'm well aware of those. I was just wondering if there was any way to lock a group out from the depredations of Domain Admins by using some cunning permissions voodoo. Clearly there's not, so it's off to thrash the details out. I'm not going to waste my time designing a new support structure that is just going to get broken, so I won't back down on this. Thanks for everyone's input,

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
Re: Restricting groups in Active Directory
As usual, the boss of the helpdesk (and his golf buddies) think that change = interruptions to support. I'm going to convince them that change = accountability + the same level of support.

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
Re: Restricting groups in Active Directory
Change = accountability + better levels of support due to less stuff mysteriously breaking.

ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker
Exploiting Technology for Business Advantage...
RE: Restricting groups in Active Directory
Except for DCs ... but hopefully that can be managed with a secondary account for a couple of staff only! ;o) +1000 for having under 5 DAs in any domain! Ridiculous power trip on every occasion with even non-operations managers wanting to be in there as a sign of seniority! a

From: David Lum [mailto:david@nwea.org] Sent: 30 September 2010 14:23 To: NT System Admin Issues Subject: RE: Restricting groups in Active Directory

Ask why they need to be domain admins and not just have the necessary permissions delegated. My Service Desk guys were domain admins from the day they started (in some cases years) and they insisted they needed to be domain admins to do x, y and z. Oddly, I was able to delegate the necessary functions and they haven't been domain admins for many months now. The Win2K servers were sticky since Win2K doesn't have a Remote Desktop Users group, but restricted groups helped me out there - they're local admins on Win2K Server boxes but not domain admins. You can make them local admins of a server without them being domain admins, and using GPOs you'll be able to track who is admin on what instead of going to each machine one by one. No clue if this would help what you're fighting though. Dave

WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies. CLS Services Ltd | Registered in England No 4132704 | Registered Office: Exchange Tower | One Harbour Exchange Square | London E14 9GE
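An added example (not code from anyone in the thread) of the delegation David describes and Paul lists: granting a help-desk group the ability to reset passwords, unlock accounts and force a change at next logon on the users in one OU, without Domain Admin membership. The group name "Helpdesk-AccountOps" and the OU "OU=Staff,DC=corp,DC=example" are placeholders; the GUIDs for the right and the two attributes are looked up in the schema rather than hard-coded.

```powershell
# Added example, not from the thread. Delegate three help-desk tasks on one OU to a
# group instead of making the help desk Domain Admins.
# Assumptions: group 'Helpdesk-AccountOps' and OU 'OU=Staff,DC=corp,DC=example' are
# placeholders; run as an account allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$HelpdeskGroup = 'Helpdesk-AccountOps'
$TargetOU      = 'OU=Staff,DC=corp,DC=example'
$RootDSE       = Get-ADRootDSE

# Resolve GUIDs from the schema and the Extended-Rights container instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID          # schemaIDGUID is stored as byte[]
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'          # inherited-object type: user objects only
$lockoutTime = Get-SchemaGuid 'lockoutTime'   # writing 0 unlocks the account
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'    # writing 0 forces a change at next logon
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$sid     = (Get-ADGroup -Identity $HelpdeskGroup).SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$TargetOU"

# Extended right "Reset Password" on descendant user objects (no old password needed).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $inherit, $userClass)))

# Read/write on exactly two attributes and nothing else on the user object.
$propRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
foreach ($attr in $lockoutTime, $pwdLastSet) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $propRights, $allow, $attr, $inherit, $userClass)))
}

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list only the ACEs held by the help-desk group on this OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$HelpdeskGroup" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The ACEs are scoped with an inherited-object type of "user", so the group gets nothing on groups, computers or the OU itself; if a member of the group also needs to reset passwords for users outside this OU, that is a separate grant on that OU, not a wider one here.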
Re: Restricting groups in Active Directory
+1 -Jeff Steward

On Thu, Sep 30, 2010 at 9:47 AM, Andrew S. Baker asbz...@gmail.com wrote:

Change = accountability + better levels of support due to less stuff mysteriously breaking.
RE: Restricting groups in Active Directory
Amen. I have a DA account myself just so even I'm not a DA per se. I wish I could get it across to the SE team that they should follow suit, but nobody's pushing them and I don't have enough clout.

"As usual, the boss of the helpdesk (and his golf buddies) think that change = interruptions to support"

Oh good GOD!! I swear this is how 90% of my org is - including the IS management! We postponed outsourcing Exchange (we've even signed the contract and paid money) to JANUARY because of this very thinking!! Dude, it's a WEEKEND CUTOVER with professionals on either side of the fence. ...this is also why SEs are reluctant to fix their own Domain Admin roles, or even roll out a 2008 DC, or 2008 server OS for that matter. Oh wait, that's just because it's change and they aren't driven to learn a new server OS. While it's true that many times change is responsible for downtime, I'll trade a short amount of scheduled downtime with pros already at the ready over the potential of security risks or there might be downtime...or not.

Dave
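An added example, not from anyone in the thread, for the two checks this exchange keeps coming back to: how many people are effectively Domain Admin (Alan's "under 5" is used as the threshold, an assumption), and which accounts that were pulled out of Domain Admins the way David's Service Desk was still carry the adminCount=1 stamp. That stamp matters in practice: while an account is in a protected group, SDProp sets adminCount=1 and disables ACL inheritance on the object, and removing the account from the group undoes neither, so the account keeps the AdminSDHolder ACL and ignores any OU-level delegation (such as a help-desk reset right) until someone cleans it up. Nothing is modified unless you call the repair function yourself.

```powershell
# Added example, not from the thread. Audit effective Domain Admins and find users that
# left a protected group but still carry adminCount=1 (and therefore a protected ACL).
# Assumption: the threshold of five is a rule of thumb, not a Microsoft limit.
Import-Module ActiveDirectory

$ProtectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
$MaxDomainAdmins = 5

# 1. Effective (nested) membership of Domain Admins, one row per principal.
$das = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
       Sort-Object -Property distinguishedName -Unique
$das | Select-Object objectClass, SamAccountName, distinguishedName | Format-Table -AutoSize
if ($das.Count -gt $MaxDomainAdmins) {
    Write-Warning ("{0} effective Domain Admins; target is at most {1}." -f $das.Count, $MaxDomainAdmins)
}

# 2. Users stamped adminCount=1 that are no longer in any protected group.
$stillProtected = foreach ($g in $ProtectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty distinguishedName
}
$stillProtected = @($stillProtected | Sort-Object -Unique)

$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
           Where-Object { $stillProtected -notcontains $_.DistinguishedName }
$orphans | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 3. Cleanup for a confirmed orphan: clear the stamp and re-enable inheritance so the
#    OU delegation applies to the account again. Review each account before running this.
function Repair-OrphanedAdminCount {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)   # isProtected = false, keep existing ACEs
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}
# Usage once reviewed: $orphans | ForEach-Object { Repair-OrphanedAdminCount $_.DistinguishedName }
```

The recursive expansion is what makes the first count honest: a help-desk group nested inside Domain Admins shows up as its individual members, which is the number an auditor will ask for.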
Re: Restricting groups in Active Directory
I'll see your +1 and raise +11 - WJR
RE: Restricting groups in Active Directory
When I first arrived here, "everyone and their Grandmother" in IT were Domain Admins. After months of kicking and screaming, we were able to convince management that we need to narrow that list down. It did take quite a bit of work, but needed to be done.

Don Guyer, Systems Engineer - Information Services, Prudential, Fox Roach/Trident Group, 431 W. Lancaster Avenue, Devon, PA 19333. Direct: (610) 993-3299 Fax: (610) 650-5306 don.gu...@prufoxroach.com

From: William Robbins [mailto:dangerw...@gmail.com] Sent: Thursday, September 30, 2010 10:24 AM To: NT System Admin Issues Subject: Re: Restricting groups in Active Directory

I'll see your +1 and raise +11 - WJR

On Thu, Sep 30, 2010 at 09:04, Jeff Steward jstew...@gmail.com wrote: +1 -Jeff Steward

On Thu, Sep 30, 2010 at 9:47 AM, Andrew S. Baker asbz...@gmail.com wrote: Change = accountability + better levels of support due to less stuff mysteriously breaking. ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker Exploiting Technology for Business Advantage...

On Thu, Sep 30, 2010 at 9:40 AM, James Rankin kz2...@googlemail.com wrote: As usual, the boss of the helpdesk (and his golf buddies) think that change = interruptions to support. I'm going to convince them that change = accountability + the same level of support.

On 30 September 2010 14:38, Maglinger, Paul pmaglin...@scvl.com wrote: What are they trying to accomplish? Do they believe that everyone needs domain admin rights just to change passwords or unlock accounts? I'd try to find out what they need to do and then restrict them accordingly. Help desk doesn't need rights to be able to change administrator passwords, free rein to all files, and add machines to the domain (just to name a few).

From: James Rankin [mailto:kz2...@googlemail.com] Sent: Thursday, September 30, 2010 8:18 AM To: NT System Admin Issues Subject: Re: Restricting groups in Active Directory

I am raising this up with IS management, as it is unsupportable - there's no point in me putting a structure together that can just be pulled apart at will. There's no way around it, so I'm just going to have to trust in my own stubbornness to get the buy-in I need :-) Audit was going to be one of the hot words to throw into the debate, though. I'd be interested myself in seeing the results of any previous audits they've had here.

On 30 September 2010 14:08, Andrew S. Baker asbz...@gmail.com wrote: However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?

You might need to enlist the assistance of... dare I say it? ... Auditors. If everyone is a domain admin, then they can all do whatsoever they want in the domain. Seriously, is your organization not subject to some sort of regulatory compliance? Who is your CTO/CIO? ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker Exploiting Technology for Business Advantage...

On Thu, Sep 30, 2010 at 7:49 AM, James Rankin kz2...@googlemail.com wrote: However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?
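Paul Maglinger's point above (work out what the helpdesk actually does, then grant exactly that) is usually "reset passwords and unlock accounts". The following is an added example written for this page, not code posted by anyone in the thread, showing that delegation on one OU with the RSAT ActiveDirectory module. The OU `OU=Staff,DC=corp,DC=example` and the group `Helpdesk` are hypothetical names; the four GUIDs are the fixed schema and control-access-right identifiers Active Directory uses for the user class, the "Reset Password" right, `lockoutTime` and `pwdLastSet`, and are the same in every forest.

```powershell
# Added example, not from the thread: delegate "reset password" and "unlock
# account" on one OU to a helpdesk group instead of handing out Domain Admin.
# Assumed (hypothetical) names: OU=Staff,DC=corp,DC=example and group Helpdesk.
# Run from a machine with RSAT as an account allowed to change the OU's ACL.
Import-Module ActiveDirectory

$OuDn     = 'OU=Staff,DC=corp,DC=example'           # assumed OU
$Helpdesk = (Get-ADGroup -Identity 'Helpdesk').SID  # assumed group

# Fixed identifiers from the AD schema / control access rights (same in every forest)
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$LockoutTimeGuid   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$PwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

# Build an Allow ACE that applies only to user objects beneath the OU
# (inheritance = Descendents, inherited object type = user class).
function New-UserAce {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType
    )
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid
    )
}

$acl = Get-Acl -Path "AD:\$OuDn"
# Reset Password extended right: set a new password without knowing the old one
$acl.AddAccessRule((New-UserAce $Helpdesk 'ExtendedRight' $ResetPasswordGuid))
# Read/write lockoutTime: the "Unlock account" checkbox in ADUC
$acl.AddAccessRule((New-UserAce $Helpdesk 'ReadProperty, WriteProperty' $LockoutTimeGuid))
# Read/write pwdLastSet: "User must change password at next logon"
$acl.AddAccessRule((New-UserAce $Helpdesk 'ReadProperty, WriteProperty' $PwdLastSetGuid))
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: exactly these three ACEs should be listed for the group on the OU
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like '*\Helpdesk' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType |
    Format-Table -AutoSize
```

A member of the delegated group can then run `Set-ADAccountPassword -Identity someuser -Reset` and `Unlock-ADAccount -Identity someuser` against accounts under that OU and nothing else; the same three ACEs are what the "Delegate Control" wizard writes when you pick "Reset user passwords and force password change at next logon", with the unlock right added on top. Nothing here touches group membership, the ACL of the OU itself, or any server, which is the whole point of the exercise.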
Re: Restricting groups in Active Directory
Lemme ask this... since there's a need to get management buy-in. Is everyone in the organization running as local admin? If not, then an analogy can be drawn. After all, if helpdesk had to support staff who ran as admin, well, that would be more difficult, right? It's a good argument to shut down the helpdesk golfing buddies. If everyone does run as admin, then you have a mighty challenge, sir.

On Thu, Sep 30, 2010 at 10:36 AM, Don Guyer don.gu...@prufoxroach.com wrote: When I first arrived here, "everyone and their Grandmother" in IT were Domain Admins. After months of kicking and screaming, we were able to convince management that we need to narrow that list down. It did take quite a bit of work, but needed to be done. Don Guyer, Systems Engineer - Information Services, Prudential, Fox Roach/Trident Group, 431 W. Lancaster Avenue, Devon, PA 19333. Direct: (610) 993-3299 Fax: (610) 650-5306 don.gu...@prufoxroach.com
RE: Restricting groups in Active Directory
In my case, no, GPOs manage the workstations' local admin groups (Domain Admins and our Field Tech group). Our (outsourced) Help Desk does not have rights to do anything on workstations that require elevated perms.

Don Guyer, Systems Engineer - Information Services, Prudential, Fox Roach/Trident Group, 431 W. Lancaster Avenue, Devon, PA 19333. Direct: (610) 993-3299 Fax: (610) 650-5306 don.gu...@prufoxroach.com

From: Jonathan Link [mailto:jonathan.l...@gmail.com] Sent: Thursday, September 30, 2010 11:34 AM To: NT System Admin Issues Subject: Re: Restricting groups in Active Directory

Lemme ask this... since there's a need to get management buy-in. Is everyone in the organization running as local admin? If not, then an analogy can be drawn. After all, if helpdesk had to support staff who ran as admin, well, that would be more difficult, right? It's a good argument to shut down the helpdesk golfing buddies. If everyone does run as admin, then you have a mighty challenge, sir.
RE: Restricting groups in Active Directory
You're *incredibly* optimistic. Do you actually think there's a chance that a company that wants all of IT to be Domain Admins has seen the light and doesn't let users run as local admins?

From: Jonathan Link [mailto:jonathan.l...@gmail.com] Sent: Thursday, September 30, 2010 10:34 AM To: NT System Admin Issues Subject: Re: Restricting groups in Active Directory

Lemme ask this... since there's a need to get management buy-in. Is everyone in the organization running as local admin? If not, then an analogy can be drawn. After all, if helpdesk had to support staff who ran as admin, well, that would be more difficult, right? It's a good argument to shut down the helpdesk golfing buddies. If everyone does run as admin, then you have a mighty challenge, sir.
RE: Restricting groups in Active Directory
Even if they were a domain admin in a child they could add themselves to the EAs group in a root domain if they really wanted to.

Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132

From: William J. Robbins [mailto:dangerw...@gmail.com] Sent: Thursday, September 30, 2010 7:05 AM To: NT System Admin Issues Subject: Re: Restricting groups in Active Directory

The short answer is yes, if they are domain admins they can do anything they like provided they have the knowledge. Including add themselves to the Enterprise Admins group since you said you were in a single domain, which I interpret as no empty root. You could change the ACLs, but again they can undo that with the knowledge. The help desk!? Seriously? Well good luck to you in the new position, sounds like you may need some. WJR - from my Crackberry. If you find yourself in a fair fight, your tactics suck.

From: James Rankin kz2...@googlemail.com Date: Thu, 30 Sep 2010 12:49:52 +0100 To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com ReplyTo: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Subject: Restricting groups in Active Directory

I've just started a new job and we're building an all-new infrastructure. One of the key things I'm looking at is restricting access to the most sensitive functions of some of the infrastructure, mainly in VMWare and XenApp. I'm currently looking at doing this by using AD groups - creating groups for each support team and adding those groups to the relevant areas in XenApp and VirtualCenter to give them the necessary permissions. However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group? Could I edit the ACL for these groups and Deny Domain Admins the Modify Ownership privilege? Or can they override that as well somehow? Is there some way I could handle this even if everyone gets given Domain Admin access, or will I have to convince them to do things *properly* using delegation of privilege? All input is welcomed, TIA, JRR
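The question "could I Deny Domain Admins the Modify Ownership privilege?" can be answered by reading the group's own security descriptor. The script below is an added example for this page, not code from the thread: it lists, for one delegated group (hypothetical name `XenApp-Admins`), the owner and every Allow ACE that lets a principal rewrite the DACL, change the owner, or edit the membership. The `member` attribute GUID is the fixed schema identifier. Run it as any domain user with read access to the group object.

```powershell
# Added example, not from the thread: for a delegated group, list the owner and
# every ACE that lets a principal rewrite the ACL, take ownership, or edit the
# membership. Assumed (hypothetical) group name: XenApp-Admins.
Import-Module ActiveDirectory

$GroupDn = (Get-ADGroup -Identity 'XenApp-Admins').DistinguishedName   # assumed group
$acl     = Get-Acl -Path "AD:\$GroupDn"

$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # "member" attribute (fixed schema GUID)
$Rights         = [System.DirectoryServices.ActiveDirectoryRights]
# Any of these bits means the ACE holder can rewrite the ACL you just set
$ControlBits    = $Rights::GenericAll -bor $Rights::WriteDacl -bor $Rights::WriteOwner

function Test-CanRewriteGroup {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    # Full control, rewrite the DACL, or change the owner: the ACL itself is theirs
    if ($Ace.ActiveDirectoryRights -band $ControlBits) { return $true }
    # WriteProperty matters only when it covers every attribute or the member attribute
    if ($Ace.ActiveDirectoryRights -band $Rights::WriteProperty) {
        return ($Ace.ObjectType -eq [Guid]::Empty -or $Ace.ObjectType -eq $MemberAttrGuid)
    }
    return $false
}

"Owner: $($acl.Owner)"
$acl.Access |
    Where-Object { Test-CanRewriteGroup $_ } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

On a default domain the output includes Domain Admins with full control inherited from the domain head, and removing that ACE or adding a Deny does not hold: a Deny is just another entry the same principals can delete, Domain Admins is a member of the built-in Administrators group on every domain controller, and that group holds the "Take ownership of files or other objects" right on the DC, so ownership and therefore the DACL can always be reclaimed. If the group is ever nested into a protected group, SDProp additionally copies the AdminSDHolder ACL back over it (every 60 minutes by default). The script is useful for showing that state to management, not for preventing it; only delegation, as the original poster suspected, fixes the design.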
RE: Restricting groups in Active Directory
Please don't try and use the Server Operators group. It hardly grants anything on your member servers, but it will hand out all sorts of strange permissions you never expected to your DCs. It's there for legacy (NT4) compatibility. You shouldn't be populating any of the * Operators groups.

Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132

From: James Rankin [mailto:kz2...@googlemail.com] Sent: Thursday, September 30, 2010 7:19 AM To: NT System Admin Issues Subject: Re: Restricting groups in Active Directory

I am seriously going to try to get them to accept Server Operators level as a compromise. They can still kill servers all they want, but they should be able to be locked out of the finer points of VMWare, XenApp and AppSense. Time for my first head-butting session with management in this job. If they won't budge - it's going straight on the (not yet existent) risk register. Cheers,
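Brian's warning about the Operators groups and Don Guyer's "narrow that list down" both come down to knowing who effectively sits in the groups that can change the domain. The following is an added example for this page, not code from the thread: it expands nested membership of the built-in privileged groups, including the NT4-era Operators groups, into one table per group so the figure can be put in front of management or an auditor. It uses only RSAT ActiveDirectory cmdlets and assumes it is run against the domain you are logged into.

```powershell
# Added example, not from the thread: count who effectively sits in the groups
# that can change the domain, including the NT4-era Operators groups, to put a
# number in front of management (or an auditor). Uses only RSAT cmdlets.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain;
# the rest exist in every domain. Missing groups are skipped.
$PrivilegedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

function Get-PrivilegedMembership {
    param([string[]]$GroupNames)
    foreach ($name in $GroupNames) {
        $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        # -Recursive expands nested groups, so "Helpdesk -> Domain Admins" is counted
        Get-ADGroupMember -Identity $grp -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate
                [pscustomobject]@{
                    Group     = $name
                    Member    = $u.SamAccountName
                    Enabled   = $u.Enabled
                    LastLogon = $u.LastLogonDate
                }
            }
    }
}

$report = Get-PrivilegedMembership -GroupNames $PrivilegedGroups
$report | Sort-Object Group, Member | Format-Table -AutoSize
# One line per group: the figure to take into the meeting
$report | Group-Object Group | Select-Object Name, Count | Format-Table -AutoSize
```

Run it before and after the cleanup and keep both outputs; the "after" table should show the Operators groups empty and Domain Admins down to the handful of people who actually administer the directory. The `Enabled` and `LastLogon` columns usually surface stale accounts that nobody will argue about removing first.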
Re: Restricting groups in Active Directory
I can easily use a Server Admins group - just involves a little extra work granting some user rights, that's all. On the other query, users don't run as admins. They're Citrix-based so that hurdle hasn't arisen - or has already been navigated.

On 30 September 2010 18:25, Brian Desmond br...@briandesmond.com wrote: Please don't try and use the Server Operators group. It hardly grants anything on your member servers, but it will hand out all sorts of strange permissions you never expected to your DCs. It's there for legacy (NT4) compatibility. You shouldn't be populating any of the * Operators groups. Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132
Re: Restricting groups in Active Directory
If it's already been navigated, then it should be a short corollary to: if they don't need domain admin rights, they don't get them.

On Thu, Sep 30, 2010 at 1:49 PM, James Rankin kz2...@googlemail.com wrote:
I can easily use a Server Admins group - just involves a little extra work granting some user rights, that's all.

On the other query, users don't run as admins. They're Citrix-based so that hurdle hasn't arisen - or has already been navigated.

On 30 September 2010 18:25, Brian Desmond br...@briandesmond.com wrote:
Please don't try and use the Server Operators group. It doesn't actually grant hardly anything on your member servers but it will hand out all sorts of strange permissions you never expected to your DCs. It's there for legacy (NT4) compatibility. You shouldn't be populating any of the * Operators groups.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132

On Thursday, September 30, 2010 7:19 AM, James Rankin kz2...@googlemail.com wrote:
I am seriously going to try to get them to accept Server Operators level as a compromise. They can still kill servers all they want, but they should be able to be locked out of the finer points of VMWare, XenApp and AppSense. Time for my first head-butting session with management in this job. If they won't budge - it's going straight on the (not yet existent) risk register.

Cheers,

On 30 September 2010 13:05, William J. Robbins dangerw...@gmail.com wrote:
The short answer is yes, if they are domain admins they can do anything they like provided they have the knowledge. Including add themselves to the Enterprise Admins group since you said you were in a single domain, which I interpret as no empty root. You could change the ACLs, but again they can undo that with the knowledge.

The help desk!? Seriously? Well, good luck to you in the new position, sounds like you may need some.

WJR - from my Crackberry. If you find yourself in a fair fight, your tactics suck.

On Thu, 30 Sep 2010 12:49:52 +0100, James Rankin kz2...@googlemail.com wrote to NT System Admin Issues (Subject: Restricting groups in Active Directory):
I've just started a new job and we're building an all-new infrastructure. One of the key things I'm looking at is restricting access to the most sensitive functions of some of the infrastructure, mainly in VMWare and XenApp. I'm currently looking at doing this by using AD groups - creating groups for each support team and adding those groups to the relevant areas in XenApp and VirtualCenter to give them the necessary permissions.

However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group? Could I edit the ACL for these groups and Deny Domain Admins the Modify Ownership privilege? Or can they override that as well somehow?

Is there some way I could handle this even if everyone gets given Domain Admin access, or will I have to convince them to do things *properly* using delegation of privilege?

All input is welcomed, TIA,

JRR

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
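The question in the original post, whether a Deny ACE can stop Domain Admins taking ownership of the role groups, has the answer William gives: no. On a domain controller the Domain Admins group is a member of the local Administrators group, which holds the "Take ownership of files or other objects" privilege through the Default Domain Controllers Policy, and that privilege grants WRITE_OWNER regardless of what the object's DACL says. Even without it, a Domain Admin can rewrite the DACL, edit the policy, or run as SYSTEM on the DC. What does work is the delegation the thread keeps coming back to: give one small group the single right it needs on the role groups and keep everyone else out of Domain Admins. The PowerShell below is an added example and not code from the thread or from any of the posters. It creates the role groups in an OU, grants a dedicated delegate group Write on the member attribute of group objects under that OU and nothing else, then lists every principal that can still change membership so the result can be checked. The domain, OU, group names and schema GUID constants are assumptions for the example; it needs the ActiveDirectory RSAT module and an account allowed to change the OU's ACL.

```powershell
# Added example, not code from the thread. Assumed names: domain corp.example,
# OU 'App Roles' holding the role groups, and a delegate group that is allowed
# to edit their membership. Requires the ActiveDirectory RSAT module and an
# account that may change the OU's ACL (normally run once by a real DA).
Import-Module ActiveDirectory

$roleOu        = 'OU=App Roles,DC=corp,DC=example'                     # assumed
$roleGroups    = 'VMware-Admins', 'XenApp-Admins', 'AppSense-Admins'  # assumed
$delegateGroup = 'Role-Group-Managers'                                 # assumed

# schemaIDGUIDs from the AD schema: the 'member' attribute and the 'group' class
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$groupGuid  = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
$R = [System.DirectoryServices.ActiveDirectoryRights]

function New-RoleGroupIfMissing {
    param([string]$Name, [string]$Path)
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if (-not $existing) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path -PassThru
    } else { $existing }
}

# 1. The per-team role groups referenced from XenApp / VirtualCenter, plus the
#    one group that is allowed to change their membership.
$roleGroups | ForEach-Object { New-RoleGroupIfMissing -Name $_ -Path $roleOu } | Out-Null
$delegate = New-RoleGroupIfMissing -Name $delegateGroup -Path $roleOu

# 2. One inheritable ACE on the OU: WriteProperty on 'member', applied only to
#    objects of class 'group' beneath the OU. Nothing else is granted, so the
#    delegate cannot rename, delete or re-ACL the groups, and cannot touch
#    other OUs. Compare this with Domain Admin, which grants everything.
$acl = Get-Acl -Path "AD:\$roleOu"
$aceArgs = @(
    $delegate.SID,
    $R::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupGuid
)
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$roleOu" -AclObject $acl

# 3. Check the result: every principal that can change membership of a group,
#    either directly (write 'member') or by first rewriting the ACL or owner.
function Get-GroupMembershipWriters {
    param([string]$GroupDn)
    $takeover = [int]$R::GenericAll -bor [int]$R::WriteDacl -bor [int]$R::WriteOwner
    (Get-Acl -Path "AD:\$GroupDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ((([int]$_.ActiveDirectoryRights -band [int]$R::WriteProperty) -ne 0) -and
             ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [Guid]::Empty)) -or
            (([int]$_.ActiveDirectoryRights -band $takeover) -ne 0)
        )
    } | Select-Object @{n = 'Group'; e = { $GroupDn }}, IdentityReference, ActiveDirectoryRights, IsInherited
}

$roleGroups | ForEach-Object {
    Get-GroupMembershipWriters -GroupDn (Get-ADGroup -Identity $_).DistinguishedName
} | Format-Table -AutoSize
```

The report at the end will still list Domain Admins, Administrators and SYSTEM on every group, because the default inherited ACEs and the privilege described above cannot be fenced off. That is the point of the exercise: the delegate group lets the support teams do their job without Domain Admin, so the list of people who can undo the structure shrinks to the handful who genuinely need that role.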
Re: Restricting groups in Active Directory
I'm sure it'll be a bit trickier convincing the special people in IT. :-) My initial sounding-out of the powers-that-be didn't go too badly, so fingers crossed tomorrow might see some positive developments.

On 30 September 2010 18:57, Jonathan Link jonathan.l...@gmail.com wrote:
If it's already been navigated, then it should be a short corollary to: if they don't need domain admin rights, they don't get them.
Re: Restricting groups in Active Directory
Not really. I can see that the IT staff in general would want to retain admin rights generally and limit rights to users based on what they need. IT staff at that organization need to adjust to a least permissions framework, too. If they've already pushed that framework down to the users or if the users have always operated under such a framework, then it should be a fairly easy concept to grasp and there will already be precedent for limiting administrative user rights.

On Thu, Sep 30, 2010 at 12:29 PM, Crawford, Scott crawfo...@evangel.edu wrote:
You're *incredibly* optimistic. Do you actually think there's a chance that a company that wants all of IT to be Domain Admins has seen the light and doesn't let users run as local admins?

On Thursday, September 30, 2010 10:34 AM, Jonathan Link jonathan.l...@gmail.com wrote:
Lemme ask this... since there's a need to get management buy-in. Is everyone in the organization running as local admin? If not, then an analogy can be drawn. After all, if helpdesk had to support staff who ran as admin, well, that would be more difficult, right? It's a good argument to shut down the helpdesk golfing buddies. If everyone does run as admin, then you have a mighty challenge, sir.

On Thu, Sep 30, 2010 at 10:36 AM, Don Guyer don.gu...@prufoxroach.com wrote:
When I first arrived here, "everyone and their Grandmother" in IT were Domain Admins. After months of kicking and screaming, we were able to convince management that we need to narrow that list down. It did take quite a bit of work, but needed to be done.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox Roach/Trident Group
431 W. Lancaster Avenue, Devon, PA 19333
Direct: (610) 993-3299  Fax: (610) 650-5306
don.gu...@prufoxroach.com

On Thursday, September 30, 2010 10:24 AM, William Robbins dangerw...@gmail.com wrote:
I'll see your +1 and raise +11

- WJR

On Thu, Sep 30, 2010 at 09:04, Jeff Steward jstew...@gmail.com wrote:
+1

-Jeff Steward

On Thu, Sep 30, 2010 at 9:47 AM, Andrew S. Baker asbz...@gmail.com wrote:
Change = accountability + better levels of support due to less stuff mysteriously breaking.

ASB (My XeeSM Profile) http://xeesm.com/AndrewBaker
Exploiting Technology for Business Advantage...

On Thu, Sep 30, 2010 at 9:40 AM, James Rankin kz2...@googlemail.com wrote:
As usual, the boss of the helpdesk (and his golf buddies) think that change = interruptions to support. I'm going to convince them that change = accountability + the same level of support.

On 30 September 2010 14:38, Maglinger, Paul pmaglin...@scvl.com wrote:
What are they trying to accomplish? Do they believe that everyone needs domain admin rights just to change passwords or unlock accounts? I'd try to find out what they need to do and then restrict them accordingly. Help desk doesn't need rights to be able to change administrator passwords, free rein to all files, and add machines to the domain (just to name a few).

On Thursday, September 30, 2010 8:18 AM, James Rankin kz2...@googlemail.com wrote:
I am raising this up with IS management, as it is unsupportable - there's no point in me putting a structure together that can just be pulled apart at will. There's no way around it, so I'm just going to have to trust in my own stubbornness to get the buy-in I need :-) Audit was going to be one of the hot words to throw into the debate, though. I'd be interested myself in seeing the results of any previous audits they've had here.

On 30 September 2010 14:08, Andrew S. Baker asbz...@gmail.com wrote:
> However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?

You might need to enlist the assistance of... dare I say it? ... Auditors. If everyone is a domain admin, then they can all do whatsoever they want in the domain. Seriously, is your organization not subject to some sort of regulatory compliance? Who is your CTO/CIO?
Re: Restricting groups in Active Directory
Ok, so the special people in IT get accounts, you crank up auditing and wait to yank them back. And you are planning to create separate accounts, right?

On Thu, Sep 30, 2010 at 2:01 PM, James Rankin kz2...@googlemail.com wrote:
I'm sure it'll be a bit trickier convincing the special people in IT. :-) My initial sounding-out of the powers-that-be didn't go too badly, so fingers crossed tomorrow might see some positive developments.
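"Crank up auditing" in practice means two things on a Windows domain. First, with the Security Group Management audit subcategory enabled, each DC's Security log records membership changes: events 4728, 4732 and 4756 for a member added to a global, domain local or universal security group, and 4729, 4733 and 4757 for removals, with the person who made the change in SubjectUserName and the group in TargetUserName. Second, because logs roll over and a Domain Admin can clear them, a periodic diff of actual membership against a saved snapshot catches what the log no longer shows. The PowerShell below is an added example, not code from the thread or from any poster. It pulls those events from every DC (each DC logs only the changes it processed itself), filters them to the groups that matter, and keeps and compares a JSON membership baseline. It assumes the audit subcategory is already enabled on the DCs, that the ActiveDirectory RSAT module is installed, and the role group names and baseline path are placeholders. One caveat on the adminCount filter: it selects the built-in protected groups, but adminCount stays set on objects that were once protected, so the list should be reviewed rather than trusted blindly.

```powershell
# Added example, not code from the thread. Assumes the 'Audit Security Group
# Management' subcategory is enabled on every DC (Success at minimum):
#   auditpol /set /subcategory:"Security Group Management" /success:enable
# and that the ActiveDirectory RSAT module is available. Role group names and
# the baseline path are placeholders.
Import-Module ActiveDirectory

# Groups that must not change without a ticket: the built-in protected groups
# (adminCount=1 covers Domain Admins, Enterprise Admins, Administrators, the
# Operators groups, ...) plus the delegated role groups from the thread.
$watched = @(Get-ADGroup -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty Name)
$watched += 'VMware-Admins', 'XenApp-Admins', 'AppSense-Admins'   # assumed

function Get-GroupChangeEvents {
    param([string]$Dc, [datetime]$Since, [string[]]$Groups)
    # 4728 / 4732 / 4756: member added to a global / domain local / universal security group
    # 4729 / 4733 / 4757: member removed from one
    $added   = 4728, 4732, 4756
    $removed = 4729, 4733, 4757
    $filter  = @{ LogName = 'Security'; Id = $added + $removed; StartTime = $Since }
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $Dc
                Action = if ($_.Id -in $added) { 'Added' } else { 'Removed' }
                Group  = $data['TargetUserName']
                Member = $data['MemberName']     # DN of the account that was added or removed
                Actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        } | Where-Object { $_.Group -in $Groups }
}

# Each DC only logs the changes it processed itself, so every DC has to be asked.
function Get-WatchedGroupChanges {
    param([datetime]$Since, [string[]]$Groups)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-GroupChangeEvents -Dc $dc -Since $Since -Groups $Groups
    }
}

# Logs get rotated and a DA can clear them, so also keep a membership snapshot
# and diff against it. Anything in the diff with no ticket and no matching
# 47xx event is the finding.
function Save-GroupBaseline {
    param([string[]]$Groups, [string]$Path)
    $snapshot = @{}
    foreach ($g in $Groups) {
        $snapshot[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
                          Select-Object -ExpandProperty SamAccountName | Sort-Object)
    }
    $null = New-Item -ItemType Directory -Path (Split-Path $Path) -Force
    $snapshot | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-GroupBaseline {
    param([string[]]$Groups, [string]$Path)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($g in $Groups) {
        $was = @($baseline.$g)
        $now = @(Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName)
        foreach ($m in $now) { if ($m -notin $was) { [pscustomobject]@{ Group = $g; Member = $m; Change = 'Added' } } }
        foreach ($m in $was) { if ($m -notin $now) { [pscustomobject]@{ Group = $g; Member = $m; Change = 'Removed' } } }
    }
}

# Daily run: the last day's events from every DC, then drift since the last snapshot.
Get-WatchedGroupChanges -Since (Get-Date).AddDays(-1) -Groups $watched | Sort-Object Time | Format-Table -AutoSize
$baselinePath = 'C:\Audit\privileged-groups.json'   # assumed
if (Test-Path $baselinePath) { Compare-GroupBaseline -Groups $watched -Path $baselinePath | Format-Table -AutoSize }
Save-GroupBaseline -Groups $watched -Path $baselinePath
```

Run it from a scheduled task under an account that can read the DCs' Security logs, and keep the baseline file somewhere the people being audited cannot write to; a snapshot that a Domain Admin can edit is only as good as the event log they can also clear. The separate-accounts point in the post above is what makes the Actor column meaningful: if everyone's daily-driver account is also their admin account, the event shows who was logged on, not who was doing administration.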
RE: Restricting groups in Active Directory
Yeah, I stand corrected. I'm just really surprised that they're running as non-admins on the desktop. I certainly agree with your approach though, and it should be a fairly easy step to non-DA. I'd put together some scenarios to demonstrate the danger if I were in the situation.

On Thursday, September 30, 2010 1:03 PM, Jonathan Link jonathan.l...@gmail.com wrote:
Not really. I can see that the IT staff in general would want to retain admin rights generally and limit rights to users based on what they need. IT staff at that organization need to adjust to a least permissions framework, too. If they've already pushed that framework down to the users or if the users have always operated under such a framework, then it should be a fairly easy concept to grasp and there will already be precedent for limiting administrative user rights.
Re: Restricting groups in Active Directory
The problem comes because we are consolidating thirteen separate entities with their own IT staff into a single structure. I'm encountering a lot of the resistance you used to get when performing outsourcing operations. Lots of political intrigue. I'm sure we've all experienced it from time to time. Should make for an interesting few months...there's always someone who kicks up a stink.

On 30 September 2010 19:02, Jonathan Link jonathan.l...@gmail.com wrote:
Not really. I can see that the IT staff in general would want to retain admin rights generally and limit rights to users based on what they need. IT staff at that organization need to adjust to a least permissions framework, too. If they've already pushed that framework down to the users or if the users have always operated under such a framework, then it should be a fairly easy concept to grasp and there will already be precedent for limiting administrative user rights.
Re: Restricting groups in Active Directory
Ohhh... Just be sure you're not the one left holding the bag. This sounds like a setup: bring the new guy in, reorg, blame problems on him and his newfangled ideas.

On Thu, Sep 30, 2010 at 2:09 PM, James Rankin kz2...@googlemail.com wrote:
The problem comes because we are consolidating thirteen separate entities with their own IT staff into a single structure. I'm encountering a lot of the resistance you used to get when performing outsourcing operations. Lots of political intrigue. I'm sure we've all experienced it from time to time. Should make for an interesting few months...there's always someone who kicks up a stink.
Re: Restricting groups in Active Directory
I'm sure the users will love me when they see an upgrade from a Windows 2000, Presentation Server 3, 256 colour desktop to Windows 2008 R2 on XenApp 6 with sparkling 16 bits of colour depth :-)

Actually they need to make sure they're capable of using it. Upgrading from Office 2003 to 2010 will be pretty steep... fortunately training is outside my remit.

On 30 September 2010 19:36, Jonathan Link jonathan.l...@gmail.com wrote:

Ohhh... Just be sure you're not the one left holding the bag. This sounds like a setup: bring the new guy in, reorg, blame problems on him and his newfangled ideas.

On Thu, Sep 30, 2010 at 2:09 PM, James Rankin kz2...@googlemail.com wrote:

The problem comes because we are consolidating thirteen separate entities with their own IT staff into a single structure. I'm encountering a lot of the resistance you used to get when performing outsourcing operations. Lots of political intrigue. I'm sure we've all experienced it from time to time. Should make for an interesting few months... there's always someone who kicks up a stink.

On 30 September 2010 19:02, Jonathan Link jonathan.l...@gmail.com wrote:

Not really. I can see that the IT staff in general would want to retain admin rights generally and limit rights to users based on what they need. IT staff at that organization need to adjust to a least permissions framework, too. If they've already pushed that framework down to the users or if the users have always operated under such a framework, then it should be a fairly easy concept to grasp and there will already be precedent for limiting administrative user rights.

On Thu, Sep 30, 2010 at 12:29 PM, Crawford, Scott crawfo...@evangel.edu wrote:

You’re **incredibly** optimistic. Do you actually think there’s a chance that a company that wants all of IT to be Domain Admins has seen the light and doesn’t let users run as local admins?
*From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
*Sent:* Thursday, September 30, 2010 10:34 AM
*To:* NT System Admin Issues
*Subject:* Re: Restricting groups in Active Directory

Lemme ask this... since there's a need to get management buy-in. Is everyone in the organization running as local admin? If not, then an analogy can be drawn. After all, if helpdesk had to support staff who ran as admin, well, that would be more difficult, right? It's a good argument to shut down the helpdesk golfing buddies.

If everyone does run as admin, then you have a mighty challenge, sir.

On Thu, Sep 30, 2010 at 10:36 AM, Don Guyer don.gu...@prufoxroach.com wrote:

When I first arrived here, “everyone and their Grandmother” in IT were Domain Admins. After months of kicking and screaming, we were able to convince management that we need to narrow that list down. It did take quite a bit of work, but needed to be done.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

*From:* William Robbins [mailto:dangerw...@gmail.com]
*Sent:* Thursday, September 30, 2010 10:24 AM
*To:* NT System Admin Issues
*Subject:* Re: Restricting groups in Active Directory

I'll see your +1 and raise +11

- WJR

On Thu, Sep 30, 2010 at 09:04, Jeff Steward jstew...@gmail.com wrote:

+1

-Jeff Steward

On Thu, Sep 30, 2010 at 9:47 AM, Andrew S. Baker asbz...@gmail.com wrote:

Change = accountability + better levels of support due to less stuff mysteriously breaking.

*ASB* (My XeeSM Profile) http://xeesm.com/AndrewBaker
*Exploiting Technology for Business Advantage...*

On Thu, Sep 30, 2010 at 9:40 AM, James Rankin kz2...@googlemail.com wrote:

As usual, the boss of the helpdesk (and his golf buddies) think that change = interruptions to support. I'm going to convince them that change = accountability + the same level of support.
On 30 September 2010 14:38, Maglinger, Paul pmaglin...@scvl.com wrote:

What are they trying to accomplish? Do they believe that everyone needs domain admin rights just to change passwords or unlock accounts? I’d try to find out what they need to do and then restrict them accordingly. Help desk doesn’t need rights to be able to change administrator passwords, free rein to all files, and add machines to the domain (just to name a few).

*From:* James Rankin [mailto:kz2...@googlemail.com]
*Sent:* Thursday, September 30, 2010 8:18 AM
*To:* NT System Admin Issues
*Subject:* Re: Restricting groups in Active Directory

I am raising this up with IS management, as it is unsupportable - there's no point in me putting a structure together that can just be pulled apart at will. There's no way around it, so I'm just going to have to trust in my own stubbornness to get the buy-in I need :-)

Audit was going to be one of the hot words to throw into the debate, though. I'd be interested