

Change control policy testing in windows environment

Posted on 2011-09-29
Medium Priority
Last Modified: 2012-05-12
What kind of things in a Windows environment, i.e. users/computers/servers/AD, would typically go through "change control"?

90% of our IT service is outsourced - and we don't have a documented change management policy.

However - if for example we want a new user setting up - it can be logged as a service request - but it needs approval from either our in-house IT managers before it is ok'd and the 3rd party can set them up in AD. Does that constitute effective change control?

Do we need a documented policy if our call logging system enforces approval?

Where's the risk of us not having an internal change control documented policy?

And what other areas in Windows could we test to see certain activities went through change control?
Question by:pma111

Accepted Solution

Lester_Clayton earned 1200 total points
ID: 36815012
Change control is good, but it can also be a pain in the proverbial backside.  The way I like to look at change is as follows:

Change control should always be done in a situation where an action is taken that will affect more than 1 user.  Things that won't be included include:

Creating of a new user
Creating of a mailbox
Creating of a Group
Placing members in the group
Giving rights to a user
Removing rights from a user

Things that would be included include:

Distributing an application to a group
Creating a Group Policy Object
Changing Exchange policies
Installing a new server

Change control is all about Risk management - you're trying to determine what the risk is of any given action, which is why it needs to be scrutinized by your peers and managers.  Change Control should be approved by a peer (even if that peer is lower grade to yourself), and a manager.

Change control should include testing (if possible) - implementation - Rollback Plan - signoff/confirmation

Testing: Has the change you're proposing been done before?  Has it been tested?  What were the expected results?
Implementation: When is it going to be implemented?  Is there going to be any downtime?  Who should be notified?
Rollback Plan: If the change doesn't go through as planned, is there a rollback plan?  Has that been tested?
Signoff/Confirmation: Was the change successful?  Has there been testing done to verify the change succeeded?

Yes, you will most definitely need a documented policy.  You will need this for quality purposes, and also to be able to show people that there is a process in place which should be adhered to.  The policy should be approved by the highest ranking IT Official, that way it becomes law.

The risk of not having a policy in place could be anything from minor downtime due to a mistake made by an operator who implemented a change, to worst case scenario - accidental loss of data.  If you lose money as a result of a change which was done, and you try to claim back from Insurance, they're going to ask you who authorized the change, where your change documentation is and what your change policies are.

Governing change is very hard to do - all of your trusted colleagues are administrators, and can freely make change without consequence.  If you start implementing a consequence, like a fine, warning or dismissal for an unauthorized change.

You must also take into consideration emergencies.  An emergency is when a senior engineer takes the decision to make a change without approval when the change was necessary and could not wait.  For example, if one of my disk drives fails, I would change it immediately without raising a change control.  If a disk became full, I would increase it without change.  These should however be logged in any event, so that the people who are responsible are aware of what happened.

Hope this helps you define some new change processes :)

Author Comment

ID: 36815096
Good post - will leave open a while longer in case anyone else has input

Assisted Solution

johnb6767 earned 400 total points
ID: 36816571
Excellent post above... Only 1 thing to add....

It might be worth taking a course in ITIL.

I believe it would be the V3 Foundations for the entry level course.. Gets pretty in depth. Only problem to learning, is that it needs to be implemented, and from what I have seen it is very selective which practices truly are followed....


Author Comment

ID: 36890498
How does approval fit in with change management?
For example you say:

Things that won't be included include:
Creating of a new user

What if a department requests a new in a sensitive network - does that just get approved - or does it have to go through some approval from management/IT before it's set up? Does that sort of scenario not fall under change management?

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 400 total points
ID: 36892186
Users are consumers of IT; we supply the tools, they use them.  The new user has already been vetted by HR and the Department Head (who is ultimately responsible).  If the 'new user' has to go through corporate and then outsourced, what is the cost to the company of having an unproductive employee that was hired to do a job that isn't being done?

Author Comment

ID: 36908565
So in a nutshell change control is not necessary for setting up a new security group or a new domain user account?

Expert Comment

by:David Johnson, CD, MVP
ID: 36910366
New Security Group: yes, because this has security implications

New domain user: no, as this does not have security implications

Assisted Solution

Lester_Clayton earned 1200 total points
ID: 36910480
This could be debated.  In my opinion, I'd say that a new Security Group would not require a change control, but granting this security group permission to a resource might.  You really need to find the right balance between creating a process that aids your infrastructure without tipping too far into the ludicrous.

I'd suggest that you have a documented process that people should follow when it comes to installing a new printer - one that has been tried and tested, this kind of pre-approved instruction should not require a change control.  This can include configuring DHCP IP reservation, installing a tested driver into a test environment, installing it into a live environment, creating a group, linking the printer to the group and putting members in the group - all pre-approved because it's been documented.
