Everyone knows that you can’t solve the problems you don’t see. Seeing a problem itself doesn’t necessarily solve it, but if we can’t see the problems in the first place, then without our knowledge hidden potential ones can become visible with all kinds of consequences – see “Sony Pictures Inc.”. I was working with a couple of clients at the end of last year and ran into issues that make the same point, although a lot less spectacularly.
For the first client, we were in early stages of a Proof of Concept, running some collections designed to highlight the AD landscape. The customer taps his monitor and says to me: “You guys have a bug here, it’s showing way too many users in this group – it shows 23, it should be 3.”
I was on a call with a client of ours a few weeks back, doing the usual “hey, how’s it going?”, keeping on top of what’s working, what’s done, and what’s outstanding with their deployment. Usual stuff. He has been a cool customer, using our tools to help with a common problem.
When he started, he was new on the job, hired to make sense out of an “AD Environment Gone Wrong.” While that may sound like a bad reality TV show, it happens a lot out there. He was effectively merging together 7 different organizations under a single banner, onboarding a number of acquisitions and a number of different IT styles and rules. A big mess – it took him 6 months just to get admin privileges to the servers he was responsible for. Last week I ran into a prospect with the same challenge – brought in to an existing organizational mess and given direction by management to clean-it-up and make-it-better. That’s good – but the difference between being told to get everyone on the same page and making it so can be a wide gap.
The common challenge is that there are existing administrators well-entrenched in their domains and “They Know Better.” Maybe they do know better, but when you have 8 domain admins with different ideas of how to do things, they can’t all be right. Plus, they have the rights and privileges to resist – they don’t have to follow along because they’re the domain admins and they have the native rights to do what they want, how they want it, and they’re going to feel like they have a responsibility to do it their way – the right way – because they’re right. So what do you do?
The answer is a unified security solution that works hand-in-hand with AD, but puts additional controls outside of AD permissions. Any solution that relies on AD native permissions is going to fail, your existing admins can work around native permissions as easy as breathing – you need something that can make even administrators follow along with the rules. You don’t use it everywhere, of course – with great power comes great responsibility – but apply it sparingly and ensure that your admins know that:
a. You’re serious
b. You have the tools to enforce the rules if you need them
c. Everyone is following the same rules
The older client has now been using such a tool for a while, and after we provided him with some information about the latest version and scheduled up an upgrade, he and I got to chatting. It’s a year or so on now, and he’s actually getting to the point where he can relax some of his rules. His guys get it – he can make them do it his way if he needs to, and they know it, and they’re following along more or less willingly now. Job done. And the new prospect, well, his reaction was excellent. “I can prevent my domain admins from making changes to my GPOs?”, he asked. “You sure can – that and more” was my response – they’ll be trialing our solution later this year. Glad to help.