External Domain Accounts
-
What I discovered last week, after going on holiday and the office suffering what should have been a minor power-cut related server issue, is no matter how much I brief people and no matter how much I leave instructions, when something happens everyone panics and forgets everything I've told them.
One of my colleagues is supposed to be the "IT co-coordinator" when I'm on holiday, and will liaise with vendors to get support, and gets extra training and documentation from me on what to do in an emergency when I'm away. Only last week, during the emergency, he went around telling everyone he no longer does that role and hasn't done it for years, so couldn't help. This was news to me!
-
@Carnival-Boy said:
I was thinking of setting something up that e-mails me every time a vendor logs in to the domain. They're supposed to tell me whenever they connect, but they don't. Can anyone explain how I might achieve this?
You lot are useless
I waited all day for the answer and in the end sorted it myself.I create a new security group in AD and added the external users accounts to it.
I created a new GPO and added the new security group to it, and removed authenticated users from it.
I edited the GPO and under user config, windows settings, scripts, logon I added \server\netlogon\emaillogon.vbs
I wrote a vbs that e-mails me details of the logged on username and computer name.Now, whenever an external support guy logs on to any of our servers, I'll immediately know about it.
This is a decent start to solving my worries.
-
@Carnival-Boy said:
What I discovered last week, after going on holiday and the office suffering what should have been a minor power-cut related server issue, is no matter how much I brief people and no matter how much I leave instructions, when something happens everyone panics and forgets everything I've told them.
One of my colleagues is supposed to be the "IT co-coordinator" when I'm on holiday, and will liaise with vendors to get support, and gets extra training and documentation from me on what to do in an emergency when I'm away. Only last week, during the emergency, he went around telling everyone he no longer does that role and hasn't done it for years, so couldn't help. This was news to me!
Maybe you need an MSP that does monitoring and is in active communications with people. Instead of only being emergency on call they actually work while you are gone getting stuff done.
-
@Carnival-Boy we use LogMeIn and get emails at every connection.
-
@scottalanmiller said:
Maybe you need an MSP that does monitoring and is in active communications with people. Instead of only being emergency on call they actually work while you are gone getting stuff done.
Too expensive.
-
@scottalanmiller said:
@Carnival-Boy we use LogMeIn and get emails at every connection.
As far as I know, you can only configure e-mail alerts through the LogMeIn website. Since the vendors are using their own accounts, I don't have access to this. This is why I prefer to use my own LogMeIn account and give them login details. The other thing I could do with my own account is disable cached credentials, which is important since LogMeIn was vulnerable to Heartbleeed. I'm sure that vendors cache credentials - which should be a big no no.
-
If your vendor really can't act responsibly with the connection methods you want to employ, do you really want them as vendors?
-
Yes. Vendor relationships are always about compromise.
-
To get management on board, just point them at the Target system compromise last year. Attack vector - a vendor. If that doesn't scare them into giving least access and dealing with the 'pains' nothing will.
-
@scottalanmiller said:
@Carnival-Boy we use LogMeIn and get emails at every connection.
I can't actually figure out how to do this and it would be very useful. Would you mind letting me know? Is it under the 'Manage Altert Packages' in LogMeIn Central? I've setup a few alerts but can't see one that handles this.
