RE: Active Directory Responsibility question
Bottom part of the Fortune 500 here: We have a Windows Server Admin group that is responsible for the server hardware, OS, deployment, and AD. We have a separate security group that sets policy and audits to ensure compliance with separate groups for application software.

A weird fact - our AD forest is actually controlled by a subsidiary so we can only manage AD at the Domain level.

Interestingly, we are getting VMWare in our group - I guess it roughly corresponds to hardware.

-Brian

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Friday, April 17, 2009 6:32 PM
To: NT System Admin Issues
Subject: Active Directory Responsibility question

Question for you guys….and this is geared to the people who work in a bit larger IT/IS Organizations.

What team within your IT/IS org has responsibility of your active directory environment? I think it's typically in the System Administration realm, but if it's in another group/team i.e. Security - why?

Thanks.

- John Barsodi

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Active Directory Responsibility question
Thanks for the feedback everyone. I meant more than a few hundred users. I know there are posters here, yourself included, that work in larger organizations. I wanted that feedback. Thanks!

- John Barsodi
Re: Active Directory Responsibility question
Yes - Wintel owns our AD architecture and server design/implementation while Security owns the auditing, account creation, who gets what rights, and actions taken on violations from monitored events. Kind of a partnership thing, but when people can't log in support goes straight to Intel.
RE: Active Directory Responsibility question
Generally there is a dedicated AD team for escalated issues (problems/issues) and monitoring (monitoring replication etc).

Common low-level tasks (like resetting passwords, account creation etc) would be handled by various other service desk type teams (usually using some kind of front end tool) - these may not be devoted to Wintel platforms, but might also handle passwords/access/user provisioning to multiple platforms (Mainframe, midrange, Wintel etc).

For project work (implementing new features - SSO, self-service PW reset etc), other teams might be involved.

Security is generally a platform agnostic unit IME, and doesn't manage AD specifically. It might set general standards and look at some risk issues, but isn't involved in the day-to-day operations of AD.

Cheers
Ken
RE: Active Directory Responsibility question
Many large orgs I have worked with have AD living in/under security. One of the large outsourcers has it arranged this way as well in fact. I have also seen it inside of Wintel and Messaging teams. Very large orgs typically can warrant a dedicated AD team so it's just a matter of the management chain that it lives under.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
RE: Active Directory Responsibility question
I've seen quite a few customers where AD ops falls under the security umbrella. This is really a management chain discussion in the end.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
Re: Active Directory Responsibility question
On Sat, Apr 18, 2009 at 10:34 AM, Brian Desmond br...@briandesmond.com wrote:
> I’ve seen quite a few customers where AD ops falls under the security umbrella. This is really a management chain discussion in the end.

Not really AD specific, but: In some of the large aerospace companies I've dealt with as customers of %DAYJOB%, their management structure seems to be very distributed. I suspect this stems from their history of mergers on top of mergers. So they'll have local IT and security departments with a fair degree of autonomy, and then corporate supervision. Different office locations will have different standards. Makes for an interesting time when you try and integrate systems. It appears some offices look to a corporate AD department, while some have the local guys running their own show.

And then there's outsourced services, where we can't talk to the people doing the work, but the people we can talk to don't know anything. There's one particular SharePoint extranet site we're supposed to be using. They've been trying for over a year to get it to work and they still can't. But I digress. :)

At %DAYJOB%, we only have 120 people, and the IT department is me and another guy. If it uses 1s and 0s, it's our responsibility. (If it uses electricity and it's greasy or wet, it's maintenance, otherwise, IT.) That includes Active Directory. Also servers, desktops, networks, applications, phones, IT security, Internet, BlackBerry, electronic door locks, printers/scanners/fax... :)

-- Ben
RE: Active Directory Responsibility question
Yep you are describing a typical large org that's been built on mergers and acquisitions. Some are further along at integration, others haven't started. Usually when CIOs are looking for a good save money project this rolls straight to the top as long as whoever is doing the accounting is using a special calculator that makes centralization projects look cheap and successful.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
RE: Active Directory Responsibility question
In my experiences it varies by the organization. I've only once seen a security team involved in directory administration and I didn't ever ask them why. In very large organizations there is usually a dedicated directory services team for whatever that is worth.

Thanks,
Jeremy Phillips
Managing Consultant | Cohesive Logic LLC | M: 540-322-7980 | BB PIN: 318A6889
RE: Active Directory Responsibility question
Don't know what you mean by bit larger, we have a little over 20K regular users, only a SMB to some.

I am one of 2.5 FTE's dedicated for AD support, we are in what is now called Windows Server Services under Computing Services which is under Infrastructure Services. Sr. Director has all IT Infrastructure, under her is our Director who has all Computing from the mainframes down to the handhelds. My manager is responsible for all elements of ~1800 Wintel servers, my team lead has us AD folks, Exchange, BES, VMWARE, UNITY, the various product managers, a couple of system solution design types (we can't call them engineers anymore) and a couple of specialized services such as the Call and Billing Center services. Then there are other separate teams responsible for deployment, field operations and data center ops under Windows. There are similar manager level teams for mainframe, *nix, Web-cross platform and storage.

From what I have seen it varies according to the organization, I know of one large (~30 in the Fortune 500) financial Co in the US that has the Security department govern everything related to AD as they are extremely risk-avoidance driven and their IT process maturity is very high. They have their processes so developed they run their high level AD groups empty.

There was a good discussion of this very subject on activedir in 2007 with some people responsible for large orgs weighing in. You can find it in the www.activedir.org archives under Active Directory Team Placement in an Organization
http://www.activedir.org/ListArchives/tabid/55/forumid/1/tpage/1/view/topic/postid/23697/Default.aspx#23697

Brian D supports some very big environments, maybe he will weigh in.