that you keep obsessing about it? I keep alternating between incredulity and fascination that something so terrible was not only implemented but defended. It's like a never-ending train wreck for me to watch. I'll probably lose some sleep over it tonight in all honesty. (I wish that wasn't the case but I know it'll happen.)
Basically a customer has no idea how to use Cloud services, and configured it in such a way that email accounts from Yahoo, Gmail or really any private company can be added as owners\administrators of their cloud-based resources. Not only that, but they are refusing to sync dedicated privileged accounts from their own AD environment to be used as admin accounts. They want administrators to use their regular accounts for privileged access (which is against oh so very many best practices). So joe@aol.com can admin a machine but adminaccount@actual.domain is a no go. And they are fighting me on changing this. "We don't want to end up with junk accounts in our cloud environment."
Well WTF do you call those 1,000+ non-domain accounts already in there??? Those are fine, but your AD accounts that you can control things like password complexity, duration, etc. on aren't?
In order to be closer in line with basic IT best practices I think I'll recommend that all the admins sign up for a Yahoo account, add that to their resources and use that for administration tasks.