Policies vs Network Access Control

scottalanmiller

@DustinB3403 said in how to prevent non domain users from getting ip configuration:

That may be the current marching orders, but IT has their own set obviously which is causing this issue.

No reason to believe that. It's common (and we see it here) that IT will add unneeded, or un-requested controls. Unless we know that management made this a policy, we have to assume that it is not. And we can essentially prove it is not by whether or not management enforces it. Which we know that they do not. So we have our answer. Maybe the require IT to offer it, but that seems extremely unlikely. But they definitely not require that people use it.

scottalanmiller

@Obsolesce said in how to prevent non domain users from getting ip configuration:

Sounds like this place has no company policies or no enforced company policies.

That's one possibility. But it's also very possible that some department added AD without there being a policy. Policies could exist to block things like AD, but a "negative" policy is unlikely.

scottalanmiller

But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.

Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.

Obsolesce

@scottalanmiller said in how to prevent non domain users from getting ip configuration:

But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.

Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.

I don't see the issue then. If they're allowed to do what they want without breaking any policies, and they are still doing their job and working efficiently, then what's there to fix?

scottalanmiller

@Obsolesce said in Policies vs Network Access Control:

@scottalanmiller said in how to prevent non domain users from getting ip configuration:

But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.

Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.

I don't see the issue then. If they're allowed to do what they want without breaking any policies, and they are still doing their job and working efficiently, then what's there to fix?

That's basically what I am saying... it sounds like any attempt to stop the workers from rebuilding their machines and leaving the domain should be avoided, because they are the ones trying to do their jobs and are not breaking any rules in doing so. Or at least no enforced rules, which amounts to the same thing. I think the attempt to stop them from getting network access shouldn't happen because if the helpdesk makes it so that they can't work because of AD, then any attempt to keep them on AD is an attempt to keep them from working.

IRJ

I kind of agree with @scottalanmiller in principal, but from a business point of view this is so ass backwards that it isn't really fixable with any IT tool(s)

• IT staff heads need roll. They so fundamentally failed their job at this point there is no way you can trust the leadership of IT to fix this. I mean its so far behind what we usually call poor IT.

• Policies and Procedures must be drafted and reviewed by management and employees. It is important that every involved manager and employee signs that they have read, understand, and agree to follow said policies and procedures.

• This is likely going to take at least a year to begin this process because you have to first of all implement proper controls, then implement policies and procedures, and finally get complete buy in from everyone and force them to read and sign everything.

IRJ

This is not a problem that can be fixed with compensating controls. It needs to be nuked from orbit and rebuilt properly with employee buy in.

black3dynamite

@IRJ said in Policies vs Network Access Control:

I kind of agree with @scottalanmiller in principal, but from a business point of view this is so ass backwards that it isn't really fixable with any IT tool(s)

• IT staff heads need roll. They so fundamentally failed their job at this point there is no way you can trust the leadership of IT to fix this. I mean its so far behind what we usually call poor IT.

• Policies and Procedures must be drafted and reviewed by management and employees. It is important that every involved manager and employee signs that they have read, understand, and agree to follow said policies and procedures.

• This is likely going to take at least a year to begin this process because you have to first of all implement proper controls, then implement policies and procedures, and finally get complete buy in from everyone and force them to read and sign everything.

https://media1.tenor.com/images/5d35f9f67fca22f09bb55f9ce02046a4/tenor.gif?itemid=5368101

Dashrender

@IRJ said in Policies vs Network Access Control:

This is not a problem that can be fixed with compensating controls. It needs to be nuked from orbit and rebuilt properly with employee buy in.

At this point - that seems very unlikely if you have users who are willing to nuke their own machines and reinstall. They'll likely demand or at least attempt to demand local admin rights.

scottalanmiller

@Dashrender said in Policies vs Network Access Control:

@IRJ said in Policies vs Network Access Control:

This is not a problem that can be fixed with compensating controls. It needs to be nuked from orbit and rebuilt properly with employee buy in.

At this point - that seems very unlikely if you have users who are willing to nuke their own machines and reinstall. They'll likely demand or at least attempt to demand local admin rights.

Really just becomes the same as BYOD. Easy enough to manage. Not ideal, but doable.

Dashrender

@scottalanmiller said in Policies vs Network Access Control:

@Dashrender said in Policies vs Network Access Control:

@IRJ said in Policies vs Network Access Control:

This is not a problem that can be fixed with compensating controls. It needs to be nuked from orbit and rebuilt properly with employee buy in.

At this point - that seems very unlikely if you have users who are willing to nuke their own machines and reinstall. They'll likely demand or at least attempt to demand local admin rights.

Really just becomes the same as BYOD. Easy enough to manage. Not ideal, but doable.

Exactly - better model in most cases anyhow.
Just change how you (the OP) deliver services.