Subject: [ActiveDir] Controlling Local Admin Rights
bwatson
08/13/2008 12:35 PM
Our company is probably about 33% business (finance, accounting, HR,
etc.) and 67% engineering folks (heavy software development). The
business side of the company never needs admin rights on their local
workstation, regardless of whether they think they need it or not and we
have their local administrator's group controlled via a Restricted
Groups GPO. However, the engineering side oftentimes does need local
admin rights due to the type of development they do and the nature of
the products we develop.

So my question is this, how do you control local administrative rights
at the workstation level, especially those of you that work in very
large companies? How do you delegate local admin privileges? How do
you manage it so you can easily take it away? How do you manage it so
you know exactly who has admin rights?

Thanks guys, I really look forward to any advice and suggestions you may
have.

~Ben


deji
08/13/2008 12:57 PM
You give developers "development" machines that are not part of the corporate network. And you give them corporate machines to do "corporate-y" stuff on. You lock down corporate and let them play roulette on the development machines.

Can't afford multiple machines per developer? Maybe Virtual PC can help.

Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory Services
www.akomolafe.name<http://www.akomolafe.name/> - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________
From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN [bwatson@appsig.com]
Sent: Wednesday, August 13, 2008 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Controlling Local Admin Rights

Our company is probably about 33% business (finance, accounting, HR, etc.) and 67% engineering folks (heavy software development). The business side of the company never needs admin rights on their local workstation, regardless of whether they think they need it or not and we have their local administrator's group controlled via a Restricted Groups GPO. However, the engineering side oftentimes does need local admin rights due to the type of development they do and the nature of the products we develop.

So my question is this, how do you control local administrative rights at the workstation level, especially those of you that work in very large companies? How do you delegate local admin privileges? How do you manage it so you can easily take it away? How do you manage it so you know exactly who has admin rights?

Thanks guys, I really look forward to any advice and suggestions you may have.

~Ben
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
kurtbuff
08/13/2008 1:11 PM
I'm aiming for a model of complete separation.

Each developer will get a PC that is on the corporate network and
conforms to corporate standards - no local admin, only the usual
corporate apps. If they need a machine to develop on, which requires
that they have local admin, they get a different PC, and it's on a
completely different network. There will be a lab manager who is
responsible for their AD, if they even have an AD. The most access
they'll have from the dev/test environment to the corporate network,
and vice versa, will be ports 80, 443 and 3389, for HTTP(S) and RDP.

Access to the Internet from the test/dev network will be controlled
via a separate firewall, under IT's control, not the lab manager's.

That's the goal, anyway, and my company has about 230 people in HQ,
with some engineering folks in another country. This will make it more
difficult, because I have to work the politics with the engineer who
is the part time IT guy over there.

Kurt

On Wed, Aug 13, 2008 at 9:32 AM, WATSON, BEN <bwatson@appsig.com> wrote:
> Our company is probably about 33% business (finance, accounting, HR, etc.)
> and 67% engineering folks (heavy software development). The business side
> of the company never needs admin rights on their local workstation,
> regardless of whether they think they need it or not and we have their local
> administrator's group controlled via a Restricted Groups GPO. However, the
> engineering side oftentimes does need local admin rights due to the type of
> development they do and the nature of the products we develop.
>
>
>
> So my question is this, how do you control local administrative rights at
> the workstation level, especially those of you that work in very large
> companies? How do you delegate local admin privileges? How do you manage
> it so you can easily take it away? How do you manage it so you know exactly
> who has admin rights?
>
>
>
> Thanks guys, I really look forward to any advice and suggestions you may
> have.
>
>
>
> ~Ben
davyp
08/13/2008 1:28 PM
Bring management out of the workstation and into AD.

Per set of developer workstations (OU?), let Restricted Groups policies
clean up the local admins and add an AD group.

Add/remove the nasty developers to/from this group at your discretion.

Only risk is they mess up their team members' computers when power-tripping in
their temporary administrator mode, but this is usually resolved by
auditing and retribution.



Davy

_____

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN
Sent: Wednesday, 13 August 2008 18:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Controlling Local Admin Rights



Our company is probably about 33% business (finance, accounting, HR, etc.)
and 67% engineering folks (heavy software development). The business side
of the company never needs admin rights on their local workstation,
regardless of whether they think they need it or not and we have their local
administrator's group controlled via a Restricted Groups GPO. However, the
engineering side oftentimes does need local admin rights due to the type of
development they do and the nature of the products we develop.



So my question is this, how do you control local administrative rights at
the workstation level, especially those of you that work in very large
companies? How do you delegate local admin privileges? How do you manage
it so you can easily take it away? How do you manage it so you know exactly
who has admin rights?



Thanks guys, I really look forward to any advice and suggestions you may
have.



~Ben
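Davy's approach (Restricted Groups GPO resets each developer workstation's Administrators group to the built-ins plus one AD group, and membership in that AD group is the only lever) answers Ben's "how do you take it away" question, but Ben also asked how to know exactly who has admin rights. The script below is an added example, not code posted by anyone in this thread: it walks the computers in a developer OU, reads each machine's local Administrators group through the WinNT provider, and flags anything that is not the baseline or the approved AD group, then lists the effective members of that group. The OU distinguished name, the group name `DevLocalAdmins` and the baseline member list are assumptions; it needs the ActiveDirectory module and an account allowed to read the remote machines' local groups.

```powershell
# Added example, not from the thread. Audits the local Administrators group on
# every enabled computer in a developer OU and flags anything that is not
# (a) the built-in baseline or (b) the AD group the Restricted Groups GPO adds.
# Assumptions (hypothetical names): OU "OU=DevWorkstations,DC=example,DC=com",
# AD group "DevLocalAdmins". Needs the ActiveDirectory module (RSAT) and an
# account that can read the remote machines' SAM through the WinNT:// provider.

param(
    [string]$SearchBase    = 'OU=DevWorkstations,DC=example,DC=com',   # assumption
    [string]$ApprovedGroup = 'DevLocalAdmins',                         # assumption
    [string[]]$Baseline    = @('Administrator', 'Domain Admins')       # default members
)

Import-Module ActiveDirectory

function Get-LocalAdminMembers {
    # Returns one object per member of <Computer>\Administrators, using the
    # WinNT provider so it works against older clients without WinRM.
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name for domain principals and
        # WinNT://DOMAIN/COMPUTER/name for local accounts, so the segment
        # just before the name says where the account lives.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{ Name = $name; Source = $parts[-2] }
    }
}

$allowedNames  = $Baseline + $ApprovedGroup
$approvedUsers = Get-ADGroupMember -Identity $ApprovedGroup -Recursive |
                 Select-Object -ExpandProperty SamAccountName

$computers = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true'
$report = foreach ($c in $computers) {
    try {
        $members = Get-LocalAdminMembers -ComputerName $c.Name
    } catch {
        New-Object PSObject -Property @{
            Computer = $c.Name; Member = ''; Status = "unreachable: $($_.Exception.Message)" }
        continue
    }
    foreach ($m in $members) {
        # The local-account check runs first so that a local account named like
        # an allowed domain principal is still reported as drift; only the
        # built-in Administrator is expected to be local.
        $status = if ($m.Source -eq $c.Name -and $m.Name -ne 'Administrator') { 'local account (drift)' }
                  elseif ($allowedNames -contains $m.Name)                     { 'expected' }
                  else                                                          { 'unexpected principal (drift)' }
        New-Object PSObject -Property @{
            Computer = $c.Name; Member = "$($m.Source)\$($m.Name)"; Status = $status }
    }
}

# Machines that drifted from the GPO-enforced membership. Restricted Groups
# will reset them at the next policy refresh; the drift itself is what to look into.
$report | Where-Object { $_.Status -ne 'expected' } | Format-Table Computer, Member, Status -AutoSize

# And the answer to "who has admin rights": the effective members of the one
# group that is supposed to be the only way onto these machines' Administrators group.
"Admins on every machine under $SearchBase via ${ApprovedGroup}:"
$approvedUsers
```

Run it from a management workstation on a schedule and keep the output; a machine that shows up with an extra local administrator between two runs is exactly the "power-tripping" case Davy mentions, and the drift report plus the group membership list together give the "exactly who has admin rights" answer that Restricted Groups alone does not print anywhere.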


robertsingers
08/13/2008 5:23 PM
Just remember those second PCs don't have to be physical. There's a lot
you can do with Virtual PC.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kurt Buff
Sent: Thursday, 14 August 2008 5:10 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Controlling Local Admin Rights

I'm aiming for a model of complete separation.

Each developer will get a PC that is on the corporate network and
conforms to corporate standards - no local admin, only the usual
corporate apps. If they need a machine to develop on, which requires
that they have local admin, they get a different PC, and it's on a
completely different network. There will be a lab manager who is
responsible for their AD, if they even have an AD. The most access
they'll have from the dev/test environment to the corporate network, and
vice versa, will be ports 80, 443 and 3389, for HTTP(S) and RDP.

Access to the Internet from the test/dev network will be controlled via
a separate firewall, under IT's control, not the lab manager's.

That's the goal, anyway, and my company has about 230 people in HQ, with
some engineering folks in another country. This will make it more
difficult, because I have to work the politics with the engineer who is
the part time IT guy over there.

Kurt

On Wed, Aug 13, 2008 at 9:32 AM, WATSON, BEN <bwatson@appsig.com> wrote:
> Our company is probably about 33% business (finance, accounting, HR,
> etc.) and 67% engineering folks (heavy software development). The
> business side of the company never needs admin rights on their local
> workstation, regardless of whether they think they need it or not and
> we have their local administrator's group controlled via a Restricted
> Groups GPO. However, the engineering side oftentimes does need local
> admin rights due to the type of development they do and the nature of
> the products we develop.
>
>
>
> So my question is this, how do you control local administrative rights
> at the workstation level, especially those of you that work in very
> large companies? How do you delegate local admin privileges? How do
> you manage it so you can easily take it away? How do you manage it so
> you know exactly who has admin rights?
>
>
>
> Thanks guys, I really look forward to any advice and suggestions you
> may have.
>
>
>
> ~Ben
kurtbuff
08/13/2008 6:01 PM
Yes, you can do a lot with VMWare/Virtual PC, but you can't physically
isolate them, and in my case that's what I want to do.

<rant>
I've had hardware engineers, and software developers, write apps that
trash my network or bang on my firewall too often to want it
otherwise. They write networking stuff, and some of them have no clue
about networks and how their work affects one. I've had them plug
multiple patch cables from live wall jacks into small 5 or 8 port
switches, because they thought they needed more or different
connectivity, and cause layer 2 loops that brought down the entire
network for hours (this was before I had switches capable of using
STP, but not as long ago as you might think). I've also had them turn
up logging on their applications to 11, and send the logs to
non-existent IP addresses on non-existent subnets, and fill my syslogs
and seriously impact performance on my firewall, after sticking second
NICs in their machines, so I couldn't easily track which machine the
IP address is coming from. If an engineer or software developer can
screw it up, one of mine will do it. I've used each incident to point
out to management the deficiencies in our environment, and have been
able to remedy many of them, but I don't want my network abused like
it has been, so I'm going for the gold. Let them whine, says I.
</rant>

Kurt

On Wed, Aug 13, 2008 at 2:20 PM, Robert Singers
<robert.singers@dbh.govt.nz> wrote:
> Just remember those second PCs don't have to be physical. There's a lot
> you can do with Virtual PC.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kurt Buff
> Sent: Thursday, 14 August 2008 5:10 a.m.
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Controlling Local Admin Rights
>
> I'm aiming for a model of complete separation.
>
> Each developer will get a PC that is on the corporate network and
> conforms to corporate standards - no local admin, only the usual
> corporate apps. If they need a machine to develop on, which requires
> that they have local admin, they get a different PC, and it's on a
> completely different network. There will be a lab manager who is
> responsible for their AD, if they even have an AD. The most access
> they'll have from the dev/test environment to the corporate network, and
> vice versa, will be ports 80, 443 and 3389, for HTTP(S) and RDP.
>
> Access to the Internet from the test/dev network will be controlled via
> a separate firewall, under IT's control, not the lab manager's.
>
> That's the goal, anyway, and my company has about 230 people in HQ, with
> some engineering folks in another country. This will make it more
> difficult, because I have to work the politics with the engineer who is
> the part time IT guy over there.
>
> Kurt
>
> On Wed, Aug 13, 2008 at 9:32 AM, WATSON, BEN <bwatson@appsig.com> wrote:
>> Our company is probably about 33% business (finance, accounting, HR,
>> etc.) and 67% engineering folks (heavy software development). The
>> business side of the company never needs admin rights on their local
>> workstation, regardless of whether they think they need it or not and
>> we have their local administrator's group controlled via a Restricted
>> Groups GPO. However, the engineering side oftentimes does need local
>> admin rights due to the type of development they do and the nature of
>> the products we develop.
>>
>>
>>
>> So my question is this, how do you control local administrative rights
>> at the workstation level, especially those of you that work in very
>> large companies? How do you delegate local admin privileges? How do
>> you manage it so you can easily take it away? How do you manage it so
>> you know exactly who has admin rights?
>>
>>
>>
>> Thanks guys, I really look forward to any advice and suggestions you
>> may have.
>>
>>
>>
>> ~Ben
robertsingers
08/13/2008 6:36 PM
I understand your pain as I've been there. (Actually I've been on both
sides of that fence.) However experience has taught me that any solution
that involves additional infrastructure fails fairly quickly. The
arguments tend to be different over time but they all come down to the
fact that duplicating infrastructure means increasing costs. You also
have to consider that those staff are just doing what they're hired to
do. Sure it sucks when you're the guy who has to wipe their arse all
the time, but it's just a fact of life when you're doing ICT in an ICT
company.

If I was in your position again and had the influence to do it, there is
only one thing I would do. I would isolate the development \ system
integrator part of the company almost completely and go for one of the
following two options to give them access to the corporate functions.

1) Have a Terminal Server \ Citrix environment providing all corporate
functions with a secure nfuse \ web gateway.

2) Provide them with cookie cutter VPC client builds that are allowed
to VPN into the Corporate space and access

They then have one set of infrastructure. They're responsible if they
break it. You have a smaller footprint to support, that doubles as a
remote environment for the rest of the company.

In a nutshell my approach in an ICT company would be to create a SaaS
model for all corporate services.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kurt Buff
Sent: Thursday, 14 August 2008 9:57 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Controlling Local Admin Rights

Yes, you can do a lot with VMWare/Virtual PC, but you can't physically
isolate them, and in my case that's what I want to do.

<rant>
I've had hardware engineers, and software developers, write apps that
trash my network or bang on my firewall too often to want it otherwise.
They write networking stuff, and some of them have no clue about
networks and how their work affects one. I've had them plug multiple
patch cables from live wall jacks into small 5 or 8 port switches,
because they thought they needed more or different connectivity, and
cause layer 2 loops that brought down the entire network for hours (this
was before I had switches capable of using STP, but not as long ago as
you might think). I've also had them turn up logging on their
applications to 11, and send the logs to non-existent IP addresses on
non-existent subnets, and fill my syslogs and seriously impact
performance on my firewall, after sticking second NICs in their
machines, so I couldn't easily track which machine the IP address is
coming from. If an engineer or software developer can screw it up, one
of mine will do it. I've used each incident to point out to management
the deficiencies in our environment, and have been able to remedy many
of them, but I don't want my network abused like it has been, so I'm
going for the gold. Let them whine, says I.
</rant>

Kurt

On Wed, Aug 13, 2008 at 2:20 PM, Robert Singers
<robert.singers@dbh.govt.nz> wrote:
> Just remember those second PCs don't have to be physical. There's a
> lot you can do with Virtual PC.
kurtbuff
08/13/2008 8:54 PM
ICT? Define, please.

I haven't worked with Citrix since it was based on NT 3.5/3.51, so am
not at all conversant with it any more, nor ever with nfuse.

Setting up TS sessions for the dev/test folks is certainly another
option - giving them a single machine in a relatively isolated network
and a TS box in the production network to get to would certainly work.
It has up front costs, however, in the form of deploying the TS
server(s) and all the related licensing, and management is quite shy
about putting large sums of money up front. I do like that plan, and
if I could start from scratch that's the way I'd do it.

But, I've been able to obtain a fair amount of separation with a
whitebox, three dual-port NICs and FreeBSD. I'll be implementing pf to
limit access at some point, per my plan below.

I can then, over time, give them the boxes they need.

However, this wanders far from the charter of the list, and the
original question, so I think I'll get off the soapbox for now.

Kurt

On Wed, Aug 13, 2008 at 3:33 PM, Robert Singers
<robert.singers@dbh.govt.nz> wrote:
> I understand your pain as I've been there. (Actually I've been on both
> sides of that fence.) However experience has taught me that any solution
> that involves additional infrastructure fails fairly quickly. The
> arguments tend to be different over time but they all come down to the
> fact that duplicating infrastructure means increasing costs. You also
> have to consider that those staff are just doing what they're hired to
> do. Sure it sucks when you're the guy who has to wipe their arse all
> the time, but it's just a fact of life when you're doing ICT in an ICT
> company.
>
> If I was in your position again and had the influence to do it, there is
> only one thing I would do. I would isolate the development \ system
> integrator part of the company almost completely and go for one of the
> following two options to give them access to the corporate functions.
>
> 1) Have a Terminal Server \ Citrix environment providing all corporate
> functions with a secure nfuse \ web gateway.
>
> 2) Provide them with cookie cutter VPC client builds that are allowed
> to VPN into the Corporate space and access
>
> They then have one set of infrastructure. They're responsible if they
> break it. You have a smaller footprint to support, that doubles as a
> remote environment for the rest of the company.
>
> In a nutshell my approach in an ICT company would be to create a SaaS
> model for all corporate services.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kurt Buff
> Sent: Thursday, 14 August 2008 9:57 a.m.
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Controlling Local Admin Rights
>
> Yes, you can do a lot with VMWare/Virtual PC, but you can't physically
> isolate them, and in my case that's what I want to do.
>
> <rant>
> I've had hardware engineers, and software developers, write apps that
> trash my network or bang on my firewall too often to want it otherwise.
> They write networking stuff, and some of them have no clue about
> networks and how their work affects one. I've had them plug multiple
> patch cables from live wall jacks into small 5 or 8 port switches,
> because they thought they needed more or different connectivity, and
> cause layer 2 loops that brought down the entire network for hours (this
> was before I had switches capable of using STP, but not as long ago as
> you might think). I've also had them turn up logging on their
> applications to 11, and send the logs to non-existent IP addresses on
> non-existent subnets, and fill my syslogs and seriously impact
> performance on my firewall, after sticking second NICs in their
> machines, so I couldn't easily track which machine the IP address is
> coming from. If an engineer or software developer can screw it up, one
> of mine will do it. I've used each incident to point out to management
> the deficiencies in our environment, and have been able to remedy many
> of them, but I don't want my network abused like it has been, so I'm
> going for the gold. Let them whine, says I.
> </rant>
>
> Kurt
>
> On Wed, Aug 13, 2008 at 2:20 PM, Robert Singers
> <robert.singers@dbh.govt.nz> wrote:
>> Just remember those second PCs don't have to be physical. There's a
>> lot you can do with Virtual PC.
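Kurt says he has a FreeBSD whitebox between the networks and will use pf to limit access to the ports his earlier message names (80, 443 and 3389, for HTTP(S) and RDP, in both directions). The ruleset below is an added example, not Kurt's actual configuration: a minimal `/etc/pf.conf` for a two-interface filter that allows exactly those three TCP ports between the corporate and dev/test networks, blocks and logs everything else, and leaves the dev network's Internet path to the separate IT-controlled firewall he describes. The interface names and subnets are assumptions.

```pf
# Added example, not Kurt's ruleset: /etc/pf.conf for a FreeBSD box between the
# corporate network and the dev/test network. Only the three TCP ports named in
# the thread pass in either direction. Interface names and subnets are assumed;
# Internet access for the dev network goes through a separate, IT-controlled
# firewall and is not handled here.
corp_if   = "em0"
dev_if    = "em1"
corp_net  = "10.0.0.0/16"           # assumption
dev_net   = "10.99.0.0/16"          # assumption
dev_ports = "{ 80, 443, 3389 }"     # HTTP, HTTPS, RDP

set skip on lo0

# Default deny, logged to pflog0, so a dev box probing the corporate side (or
# the reverse) shows up in the firewall log instead of failing silently.
block log all

# Corp -> dev: HTTP(S) and RDP only. 'keep state' lets the replies back
# without a separate rule for the return direction.
pass in  on $corp_if proto tcp from $corp_net to $dev_net  port $dev_ports keep state
pass out on $dev_if  proto tcp from $corp_net to $dev_net  port $dev_ports keep state

# Dev -> corp: the same three ports and nothing else.
pass in  on $dev_if  proto tcp from $dev_net  to $corp_net port $dev_ports keep state
pass out on $corp_if proto tcp from $dev_net  to $corp_net port $dev_ports keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch what the default-deny rule is catching with `tcpdump -n -e -ttt -i pflog0`; that log is where the "logs sent to non-existent subnets" traffic from Kurt's rant would become visible, by source address, before it reaches the corporate firewall.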
miller4
08/13/2008 9:40 PM
"However, this wanders far from the charter of the list"

Well, technically yes. One could successfully argue that point.

But I, for one, think these discussions have some value for some of us,
perhaps many of us.

As well as the Wednesday vs Sunday change period thread which someone
could also argue strays from the charter.

I prefer to avoid learning the hard way when other list members already
have the scars.

And the messages are small - no animated GIFs, embedded video. ;-)

-mjm



Kurt Buff wrote:
> ICT? Define, please.
>
> I haven't worked with Citrix since it was based on NT 3.5/3.51, so am
> not at all conversant with it any more, nor ever with nfuse.
>
> Setting up TS sessions for the dev/test folks is certainly another
> option - giving them a single machine in a relatively isolated network
> and a TS box in the production network to get to would certainly work.
> It has up front costs, however, in the form of deploying the TS
> server(s) and all the related licensing, and management is quite shy
> about putting large sums of money up front. I do like that plan, and
> if I could start from scratch that's the way I'd do it.
>
> But, I've been able to obtain a fair amount of separation with a
> whitebox, three dual-port NICs and FreeBSD. I'll be implementing pf to
> limit access at some point, per my plan below.
>
> I can then, over time, give them the boxes they need.
>
> However, this wanders far from the charter of the list, and the
> original question, so I think I'll get off the soapbox for now.
>
> Kurt
>
> On Wed, Aug 13, 2008 at 3:33 PM, Robert Singers
> <robert.singers@dbh.govt.nz> wrote:
>
>> I understand your pain as I've been there. (Actually I've been on both
>> sides of that fence.) However experience has taught me that any solution
>> that involves additional infrastructure fails fairly quickly. The
>> arguments tend to be different over time but they all come down to the
>> fact that duplicating infrastructure means increasing costs. You also
>> have to consider that those staff are just doing what they're hired to
>> do. Sure it sucks when you're the guy who has to wipe their arse all
>> the time, but it's just a fact of life when you're doing ICT in an ICT
>> company.
>>
>> If I was in your position again and had the influence to do it, there is
>> only one thing I would do. I would isolate the development \ system
>> integrator part of the company almost completely and go for one of the
>> following two options to give them access to the corporate functions.
>>
>> 1) Have a Terminal Server \ Citrix environment providing all corporate
>> functions with a secure nfuse \ web gateway.
>>
>> 2) Provide them with cookie cutter VPC client builds that are allowed
>> to VPN into the Corporate space and access
>>
>> They then have one set of infrastructure. They're responsible if they
>> break it. You have a smaller footprint to support, that doubles as a
>> remote environment for the rest of the company.
>>
>> In a nutshell my approach in an ICT company would be to create a SaaS
>> model for all corporate services.
>>
>> -----Original Message-----
>> From: ActiveDir-owner@mail.activedir.org
>> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kurt Buff
>> Sent: Thursday, 14 August 2008 9:57 a.m.
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Controlling Local Admin Rights
>>
>> Yes, you can do a lot with VMWare/Virtual PC, but you can't physically
>> isolate them, and in my case that's what I want to do.
>>
>> <rant>
>> I've had hardware engineers, and software developers, write apps that
>> trash my network or bang on my firewall too often to want it otherwise.
>> They write networking stuff, and some of them have no clue about
>> networks and how their work affects one. I've had them plug multiple
>> patch cables from live wall jacks into small 5 or 8 port switches,
>> because they thought they needed more or different connectivity, and
>> cause layer 2 loops that brought down the entire network for hours (this
>> was before I had switches capable of using STP, but not as long ago as
>> you might think). I've also had them turn up logging on their
>> applications to 11, and send the logs to non-existent IP addresses on
>> non-existent subnets, and fill my syslogs and seriously impact
>> performance on my firewall, after sticking second NICs in their
>> machines, so I couldn't easily track which machine the IP address is
>> coming from. If an engineer or software developer can screw it up, one
>> of mine will do it. I've used each incident to point out to management
>> the deficiencies in our environment, and have been able to remedy many
>> of them, but I don't want my network abused like it has been, so I'm
>> going for the gold. Let them whine, says I.
>> </rant>
>>
>> Kurt
>>
>> On Wed, Aug 13, 2008 at 2:20 PM, Robert Singers
>> <robert.singers@dbh.govt.nz> wrote:
>>
>>> Just remember those second PCs don't have to be physical. There's a
>>> lot you can do with Virtual PC.
>>>
>> List info : http://www.activedir.org/List.aspx
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.activedir.org/ma/default.aspx
>>
>>
kurtbuff

Posts:26

08/13/2008 10:16 PM  
On Wed, Aug 13, 2008 at 6:37 PM, Michael Miller <miller4@illinois.edu> wrote:
> "However, this wanders far from the charter of the list"
>
> Well, technically yes. One could successfully argue that point.
>
> But I, for one, think these discussions have some value for some of us,
> perhaps many of us.
>
> As well as the Wednesday vs Sunday change period thread which someone could
> also argue strays from the charter.
>
> I prefer to avoid learning the hard way when other list members already have
> the scars.
>
> And the messages are small - no animated GIFs, embedded video. ;-)
>
> -mjm

That's why I launched the missive I did. It was a bit OT, but I
thought someone could benefit from it. I've learned a lot from others
who've rambled as I've done, so I consider a bit of it to be payback,
or pay forward, if you prefer. The trick is in knowing when to stop.
And in knowing when and how to trim...

Heh.

Kurt
robertsingers

Posts:150

08/13/2008 10:57 PM  
> ICT? Define, please.

Information and Communication Technology.

"I have always wished that my computer would be as easy to use as my
telephone. My wish has come true. I no longer know how to use my
telephone."

Bjarne Stroustrup (originator of C++)
[quoted at the 2003 International Conference on Intelligent User
Interfaces]
kurtbuff

Posts:26

08/14/2008 12:48 AM  
Ah. Fair enough. Been doing that stuff for about 20 years, but hadn't
heard it called that before.

Learn something new every day...

On Wed, Aug 13, 2008 at 7:53 PM, Robert Singers
<robert.singers@dbh.govt.nz> wrote:
>> ICT? Define, please.
>
> Information and Communication Technology.
>
> "I have always wished that my computer would be as easy to use as my
> telephone. My wish has come true. I no longer know how to use my
> telephone."
>
> Bjarne Stroustrup (originator of C++)
> [quoted at the 2003 International Conference on Intelligent User
> Interfaces]