Politics at work...

RobertKaucherRobertKaucher Member Posts: 4,298
As I have mentioned in the past, where I work is organizationally complex. I work for a joint venture that is technically an independent company from its parents. But in many ways we piggyback off one of the parent’s infrastructure (“Parent A”), although from an IT perspective we own our own hardware and we are responsible for the administration of our own systems. Where it gets complex is that the previous statement is not 100% true. For example, backups are done by “Parent A” and we have SLAs with them for recoverability, etc.

So today I was working on documenting what is being backed up to ensure all critical systems are being backup properly. One of the DCs was not being backed up at all because the backup agent was unable to login and I was asked to create a GPO granting the account the logon as a service right. Done. I mentioned to the sys admin from “Parent A” that I could set the logon info for the service since I was logged on and he told me the account was joint-venture\administrator. (Never mind that they are using the Domain Administrator account as a service account…) We have our own domain in its own forest with a 2 way trust between the forests.

I opened our password safe and looked for the entry for administrator and found nothing. So I asked my boss where it was located and we discovered that the domain predated him and that we in fact had no documentation of the account’s password. So I asked if I could have it for our documentation and I was told that the sr. admin for Parent A told him not to give it out.

On a practical level I suppose it does not matter. But on another level, this is really a big pain that we are going to have to deal with because Parent A (the company, not the sys admins) constantly treats us as a proverbial red-headed stepchild and we are getting to the point where we need to fight for ownership of our own data and infrastructure in order to grow as a company.

Thought you guys would get a kick out of this… :-/

Comments

  • the_Grinchthe_Grinch Member Posts: 4,164 ■■■■■■■■■■
    I hear you on this. One company we support, controls their IT, but most of the account creation goes through their parent company. It is a pain to wade through all of their crap because at times it turns into us asking them for something, waiting, them asking their parent company, waiting, and then it gets denied. Two days for a no is not a fun thing to look forward too. But the kicker is their IT staff is pure crap. I am under the impression that they sabotage us on projects and work that we do for them. It was occurring so often that we had to have their manager give us the ok to remove their Exchange creds so that they'd stop screwing up. The latest issue was one of their workers didn't know they had their Exchange rights taken away (and in typical management fashion nobody told him) so he stood up another Exchange server (virtual). Don't know how, but this apparently brought all their email to a halt and we got a frantic call asking what we screwed up. A couple hours later one of our network guys asked when they brought this virtual Exchange server online....what virtual Exchange server was the reply and the worker explained what he did. Feel your pain!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • EveryoneEveryone Member Posts: 1,661
    I went through the same kind of crap back when I was in the Air Force and they decided to try and centralize control of everything at the Major Command level. I went from having control of everything, to having to spend a lot of time on the phone telling someone on the other side of the country with less knowledge and experience how to do something I used to be able to do myself.

    Now I am at a big company that frequently acquires other companies. It is an interesting process taking over systems of a newly acquired company. New acquisition? Oh boy, now I have to find room for a few thousand more mailboxes as we migrate theirs into ours.
  • RobertKaucherRobertKaucher Member Posts: 4,298
    The really annoying things is that our infrastructures are completely independent. Except backups they don't touch our server and we NEVER touch theirs.

    We are our own forest and our own domain. They even have accounts that are domain admins for their use. They have no need at all what-so-ever to even know what the domain admin password is for our domain/forest. I imagine that the problem is that every domain administrator account in their forest shares the same password with the one on this account and that is why they don't want to give it to us. And they are not willing to change it because they have used it on 12 servers in our domain to run different services and don't want to have to change the passwords for every service being run under that account.
  • HeeroHeero Member Posts: 486
    In my experience, politics result is retarded requirements being passed down to the engineering level of things, where poorly designed solutions have to be put in place to accommodate. It sucks, but its part of life.
  • colemiccolemic Member Posts: 1,568 ■■■■■■■□□□
    Well, what is your organization's policy regarding passwords/admin accounts? Inform them that they are in violation of such policy, and that the account will be disabled until the password is provided. Easy to do, as long as your policy is on your side. :)

    *I know that's not realistic or practical. But it is the RIGHT answer.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • RobertKaucherRobertKaucher Member Posts: 4,298
    colemic wrote: »
    Well, what is your organization's policy regarding passwords/admin accounts? Inform them that they are in violation of such policy, and that the account will be disabled until the password is provided. Easy to do, as long as your policy is on your side. :)

    *I know that's not realistic or practical. But it is the RIGHT answer.

    Honestly this is the right answer and this situation was basically a kick to the hornet's nest. What may not be obvious to you guys is that, as a joint venture, we have two parents who explicitly do not trust each other. That's why they formed a joint venture as a seperate company. The potential for industrial espionage is very high and 2 cases have been prosecuted within my bosses time at the company [informed this may be company lore - i.e. gossip]. The fact that the admins from "Parent A" have this and are not using their own accounts seems to have caused my boss's boss to have us considering buying all of our own equipment, etc. 10 to 1, though, nothing actually happens.
  • colemiccolemic Member Posts: 1,568 ■■■■■■■□□□
    Well, given that is the scenario, it would make me that much more eager to lock down their accounts... if they are as separate as you say (not doubting you), I don't see where the authority of Company A is coming from, to impose its will on Company B?
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • RobertKaucherRobertKaucher Member Posts: 4,298
    colemic wrote: »
    Well, given that is the scenario, it would make me that much more eager to lock down their accounts... if they are as separate as you say (not doubting you), I don't see where the authority of Company A is coming from, to impose its will on Company B?

    They have none. I could change the passwords tomorrow morning and grant them 0 access and their is nothing they could do about it. But then we would not be getting our backups done... And we would have started a "war" with capable people whom we need more than they need us.
Sign In or Register to comment.