Policies vs Network Access Control
-
@Dashrender said in how to prevent non domain users from getting ip configuration:
This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.
While I generally would agree with this stance, I could easily disagree because, and I suspect that once these shadow-IT operators wipe their systems and can't do their jobs, they immediately complain that "IT is stopping me from doing my work" which then likely gets the management team up in arms who then should at @IT-ADMIN.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
I suspect that once these shadow-IT operators wipe their systems and can't do their jobs
That's why you don't want to go through any extra effort to block them from doing work. Don't become part of the "stopping people from working" chain, unless management tells you to.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
@Dashrender said in how to prevent non domain users from getting ip configuration:
This is the ultimate reality of the situation. If management doesn't have an issue with this - as much as it might pain you - you shouldn't have a problem with it either.
While I generally would agree with this stance, I could easily disagree because, and I suspect that once these shadow-IT operators wipe their systems and can't do their jobs, they immediately complain that "IT is stopping me from doing my work" which then likely gets the management team up in arms who then should at @IT-ADMIN.
If their wiping of their machines is what caused them to not be able to work - then they themselves caused the problem - not IT.
I'd be curious what was driving them to wipe and reload their machines in the first place? They want to visit pokemon sites and the corporate image won't allow that, so they wipe to bypass something? LOL
I mean - come on, what business reason are they using for wiping their machine?
-
@scottalanmiller right, but things like accessing an smb share could be complicated from just unbinding from the domain.
So even a passive, not done thing on the part of IT, could land it in the hotseat because management doesn't understand how AD works.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
right, but things like accessing an smb share could be complicated from just unbinding from the domain.
He can't block unbinding, he can only block them being able to work once they do.
If he blocks them from working, ever, that's when he risks being the one fired. When IT starts becoming the barrier between someone honestly trying to work and being able to, that's when IT is likely to be removed. Like the helpdesk that isn't working.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
So even a passive, not done thing on the part of IT, could land it in the hotseat because management doesn't understand how AD works.
Sounds like the obvious answer is to remove AD because AD isn't functional in the organization (because of the helpdesk.)
-
@scottalanmiller said in how to prevent non domain users from getting ip configuration:
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
right, but things like accessing an smb share could be complicated from just unbinding from the domain.
He can't block unbinding, he can only block them being able to work once they do.
If he blocks them from working, ever, that's when he risks being the one fired. When IT starts becoming the barrier between someone honestly trying to work and being able to, that's when IT is likely to be removed. Like the helpdesk that isn't working.
End users should never be able to unbind an domain joined computer (at least on Windows) you need elevated permissions to do this properly aka without having to reload their computers to do their job.
I get what you're saying, but I still would put a lot of blame on these Shadow-IT persons for circumventing the systems that the business has implemented so they can do their jobs.
If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
End users should never be able to unbind an domain joined computer
If they need to to do their jobs because AD is blocking them from working they sure should.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
you need elevated permissions to do this properly aka without having to reload their computers to do their job.
But they just reload. No issue there.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
I get what you're saying, but I still would put a lot of blame on these Shadow-IT persons for circumventing the systems that the business has implemented so they can do their jobs.
As a business owner, you really can never put any blame on shadow IT if they do it to do their jobs. And if they ever are in a position where that makes sense to do, the team in the way should be in trouble. Circumventing someone sabotaging the business should never be a bad thing.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)
All they need is a policy to let them work around it, which apparently there is, and they can work. It's not the best approach, but it's working.
-
@scottalanmiller said in how to prevent non domain users from getting ip configuration:
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
If they can't do their jobs because of those policies, then the policies and process needs to be updated to something that does work. (what that may be is anyones guess)
All they need is a policy to let them work around it, which apparently there is, and they can work. It's not the best approach, but it's working.
That may be the current marching orders, but IT has their own set obviously which is causing this issue. So management needs to get their heads out of the sand and get everyone on a uniform policy.
-
Sounds like this place has no company policies or no enforced company policies.
-
@DustinB3403 said in how to prevent non domain users from getting ip configuration:
That may be the current marching orders, but IT has their own set obviously which is causing this issue.
No reason to believe that. It's common (and we see it here) that IT will add unneeded, or un-requested controls. Unless we know that management made this a policy, we have to assume that it is not. And we can essentially prove it is not by whether or not management enforces it. Which we know that they do not. So we have our answer. Maybe the require IT to offer it, but that seems extremely unlikely. But they definitely not require that people use it.
-
@Obsolesce said in how to prevent non domain users from getting ip configuration:
Sounds like this place has no company policies or no enforced company policies.
That's one possibility. But it's also very possible that some department added AD without there being a policy. Policies could exist to block things like AD, but a "negative" policy is unlikely.
-
But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.
Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.
-
@scottalanmiller said in how to prevent non domain users from getting ip configuration:
But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.
Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.
I don't see the issue then. If they're allowed to do what they want without breaking any policies, and they are still doing their job and working efficiently, then what's there to fix?
-
@Obsolesce said in Policies vs Network Access Control:
@scottalanmiller said in how to prevent non domain users from getting ip configuration:
But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.
Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.
I don't see the issue then. If they're allowed to do what they want without breaking any policies, and they are still doing their job and working efficiently, then what's there to fix?
That's basically what I am saying... it sounds like any attempt to stop the workers from rebuilding their machines and leaving the domain should be avoided, because they are the ones trying to do their jobs and are not breaking any rules in doing so. Or at least no enforced rules, which amounts to the same thing. I think the attempt to stop them from getting network access shouldn't happen because if the helpdesk makes it so that they can't work because of AD, then any attempt to keep them on AD is an attempt to keep them from working.
-
I kind of agree with @scottalanmiller in principal, but from a business point of view this is so ass backwards that it isn't really fixable with any IT tool(s)
-
IT staff heads need roll. They so fundamentally failed their job at this point there is no way you can trust the leadership of IT to fix this. I mean its so far behind what we usually call poor IT.
-
Policies and Procedures must be drafted and reviewed by management and employees. It is important that every involved manager and employee signs that they have read, understand, and agree to follow said policies and procedures.
-
This is likely going to take at least a year to begin this process because you have to first of all implement proper controls, then implement policies and procedures, and finally get complete buy in from everyone and force them to read and sign everything.
-
-
This is not a problem that can be fixed with compensating controls. It needs to be nuked from orbit and rebuilt properly with employee buy in.