I broke everybody’s account today, well not everybody’s but everyone I work with, which you could count at worse.
We have for some time being fighting the battle that is security our Active Directory, not that our Active Directory isn’t secure. Just before we start putting all sorts of extra information into it, we needed to make sure, that not just any Tom, Dick or Eve could go around reading the data.
Now Active Directory security isn’t simple to set up, and it’s definitely not simple to retrofit four years after the AD was set-up. So over the last fortnight; I’ve broken the entire Computing department, broken all the corporate web based applications, and today all accounts for the systems group and operators.
The problem is testing, most of the time, you would test these changes, and we do. The problem is that our Active Directory sits at the center of so many things we do, so we can’t practiably setup a test domain (well we can, but time is the issue) and test everything still works after every change, especially when some systems that rely on the Active Directory, aren’t managed by us (The Computing Department domain for example). The approach we take is test the biggies (computers can logon, email works, etc ) and bite the bullet for the others.
Now when the other problems occour, we of course have to rollback, and I think in total we rolled back 3 times on these changes, but now we are almost done, bar the 14 accounts of the people at the center of it all the Systems Group. Now for security reasons, these accounts have been removed from the normal day to day ACL’s by the Active Directory itself, so today we tried to fix it, and of course broke them all, but we do at least now know how we broke it, and what we have to do next time (tomorrow) to fix it all…. We hope…