Wednesday, February 22, 2006
Know your Rights!
One of the 'fun' things (I'll use that term loosely) in coming into a company 40 years into their existence is digging through all the inconsistencies, oddities, historical goodies and that favourite of IT words, "legacy" items, that you can then try to reverse and steer toward best practices.
Almost a year ago I took over the Windows team, and still we're trying to turn the ship around on certain decisions that made sense at one time (NT 3?) but don't hold water anymore.
Dealing with assigning domain admin rights is one we're hitting on right now. Years ago, the decision was made that all helpdesk members should have Domain Admin rights. In fact, anyone who does any Windows desktop support was given Domain Admin rights. The other thing is that Admin rights were granted to the user's daily user account, and as there were multiple domains, the accounts were often duplicated between domains. Obviously this isn't good, but what we're working to design now is to set up a situation where we can limit those with Administrator rights to an absolute minimum, still allow helpdesk to reset passwords and manage accounts, and also to perform desktop troubleshooting and support on the company PCs. We also need to have separate admin accounts and user accounts, and prevent duplicating user accounts. Of course there are ways to do all of these things, but finding the right mix is a challenge.
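One way to cover the helpdesk part of that design with OU-level delegation instead of Domain Admin membership, plus a quick check for daily-use accounts still sitting in Domain Admins. This is an added PowerShell example, not anything from the original post; the OU name, the "HelpDesk" group and the "adm-" prefix for separate admin accounts are assumptions.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module,
# a helpdesk group named "HelpDesk", a user OU "OU=Staff,DC=corp,DC=example", and a
# naming convention where separate admin accounts start with "adm-". All hypothetical.
Import-Module ActiveDirectory

$ouDn     = 'OU=Staff,DC=corp,DC=example'        # assumed OU holding ordinary user accounts
$helpdesk = Get-ADGroup -Identity 'HelpDesk'      # assumed group name

# Well-known schema GUIDs (fixed across forests)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$pwdLastSetAttr     = [Guid]'28630ebe-41d5-11d1-a9c1-0000f80367c1'  # pwdLastSet attribute
$lockoutTimeAttr    = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$acl     = Get-Acl -Path "AD:\$ouDn"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Reset Password extended right, scoped to descendant user objects only
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk.SID, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPasswordRight, $inherit, $userClass)))

# Read/write pwdLastSet (force change at next logon) and lockoutTime (unlock account)
foreach ($attr in @($pwdLastSetAttr, $lockoutTimeAttr)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $helpdesk.SID,
        ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        $allow, $attr, $inherit, $userClass)))
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Audit: Domain Admins members that look like daily-use accounts (no "adm-" prefix)
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notlike 'adm-*' } |
    Select-Object SamAccountName, DistinguishedName
```

Run the delegation part once per user OU in each domain; the audit part is worth scheduling so regressions show up before the next review.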
The other trick, of course, is to sell this to the IT teams so that they can still work effectively, and we're not introducing huge inconveniences or extra steps into their jobs.
This is such a common thing, I was sure I would find lots of good documentation out there on best practices and how-tos, but surprisingly that hasn't been the case. We're still in the design and testing phase, so I'll let you know what we come up with...