List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read only therefore to contribute you will need to join our list community. See more info about this here.

List Archives

Unanswered Active Topics

Forums Search

Forums >ActiveDir Mail List Archive >List Archives

Subject: [ActiveDir] OT: How to control the proliferation of unintended user access to information

Prev Next

You are not authorized to post a reply.

Author

Messages

RichardKline User is Offline

Posts:10

10/04/2008 8:28 AM
Please excuse this off-topic question. I'd be glad to submit it to another forum if someone would be good enough to suggest something more appropriate. Briefly: What strategies can be used to control unintended user access to information through Security and Distribution List membership? Please understand that this is a hypothetical situation and could never happen in the real world.... Scenario: SupervisorA submits a request to have a domain account created for NewEmployeeB and, in the instructions, states "Just make the new account like OldEmployeeC". So that is done. Eventually SupervisorA realizes that NewEmployeeB is receiving all sorts of confidential E-mails that OldEmployeeC needed (or perhaps didn't). EmployeeB now has access to shared folders that OldEmployeeC once used for a top-secret project that was terminated months ago but never was never "cleaned up". The situation might be extreme if there were years (dating back to NT 4 days) of mismatching domain administrator styles, technology upgrades without thorough review of existing situations, inadequately defined group purposes or loose adherence to those purposes which were defined. It was suggested that a better new user request form would take care of the problem. I'm of the opinion that there is no one "magic bullet" to fix the situation and that a thorough review and enforced adherences to a stricter set of standards and practices would be needed. I'd appreciate thoughts on the subject. Please feel free to e-mail me directly. Thank you.

danholme

Posts:128

10/04/2008 11:30 AM
Hey, Richard. Interestingly, over the last few days there has been a lively discussion about group management best practices and role-based management. There was also a similar thread earlier this summer (May/June I think). Please check out those threads... search for "Role Based" and "Group Management". If you don't have access to those threads, I'd be happy to shoot them to you as well... Email me directly at danh att intelliem dott comm. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Richard Kline Sent: Saturday, October 04, 2008 2:25 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: How to control the proliferation of unintended user access to information Please excuse this off-topic question. I'd be glad to submit it to another forum if someone would be good enough to suggest something more appropriate. Briefly: What strategies can be used to control unintended user access to information through Security and Distribution List membership? Please understand that this is a hypothetical situation and could never happen in the real world.... Scenario: SupervisorA submits a request to have a domain account created for NewEmployeeB and, in the instructions, states "Just make the new account like OldEmployeeC". So that is done. Eventually SupervisorA realizes that NewEmployeeB is receiving all sorts of confidential E-mails that OldEmployeeC needed (or perhaps didn't). EmployeeB now has access to shared folders that OldEmployeeC once used for a top-secret project that was terminated months ago but never was never "cleaned up". The situation might be extreme if there were years (dating back to NT 4 days) of mismatching domain administrator styles, technology upgrades without thorough review of existing situations, inadequately defined group purposes or loose adherence to those purposes which were defined. It was suggested that a better new user request form would take care of the problem. I'm of the opinion that there is no one "magic bullet" to fix the situation and that a thorough review and enforced adherences to a stricter set of standards and practices would be needed. I'd appreciate thoughts on the subject. Please feel free to e-mail me directly. Thank you.

You are not authorized to post a reply.

Forums >ActiveDir Mail List Archive >List Archives > [ActiveDir] OT: How to control the proliferation of unintended user access to information

ActiveForums 3.7

Syndicate

Friends

List Archives

List Archives

Friends

Members

Articles

Related Links

Ads