Change control policy testing in windows environment

What kind of things in a windows environment, i.e. users/computers/servers/AD would typically go through "change control"?

90% of our IT service is outsourced - and we dont have a documented change management policy.

However - if for example we want a new user setting up - it can be logged as a service request - but it needs approval from either our in house IT managers before it is ok'd and the 3rd party can set them up in AD. Does that constiture effective change control?

Do we need a documented policy if our call logging system enforces approval?

WHeres the risk of us not having an internal change control documented policy?

And what other areas in windows could we test to see certain activities went through change control?
Who is Participating?

Improve company productivity with a Business Account.Sign Up

Lester_ClaytonConnect With a Mentor Commented:
Change control is good, but it can also be a pain in the proverbial backside.  The way I like to look at change is as follows:

Change control should always be done in a situation where an action is taken that will affect more than 1 user.  Things that won't be included include:

Creating of a new user
Creating of a mailbox
Creating of a Group
Placing members in the group
Giving rights to a user
Removing rights from a user

Things that would be included include:

Distributing an application to a group
Creating a Group Policy Object
Changing Exchange policies
Installing a new server

Change control is all bout Risk management - you're trying to determine what the risk is of any given action, which is why it needs to be scrutinized by your peers and managers.  Change Control should be approved by a peer (even if that peer is lower grade to yourself), and a manager.

Change control should include testing (if possible) - implementation - Rollback Plan - signoff/confirmation

Testing: Has the change you're proposing been done before?  Has it been tested?  What was the expected results?  
Implementation: When is it going to be implemented?  Is there going to be any downtime?  Who should be notified?
Rollback Plan: If the change doesn't go through as planned, is there a rollback plan?  Has that been tested?
Signoff/Confirmation: Was the change successful?  Has there been testing done to verify the change succeeded?

Yes, you will most definitely need a documented policy.  You will need this for quality purposes, and also to be able to show people that there is a process in place which should be adhered to.  The policy should be approved by the highest ranking IT Official, that way it becomes law.

The risk of not having a policy in place could be anything from minor downtime due to a mistake made by an operator who implemented a change, to worst case scenario - accidental loss of data.  If you lose money as a result of a change which was done, and you try to claim back from Insurance, they're going to ask you who authorized the change, where your change documentation is and what your change policies are.

Governing change is very hard to do - all of your trusted colleagues are administrators, and can freely make change without consequence.  If you start implementing a consequence, like a fine, warning or dismissal for an unauthorized change.

You must also take into consideration emergencies.  Emergencies is when a senior engineer takes the decision to make a change without approval when the change was necessary and could not wait.  For example, if one of my disk drives fail, I would change it immediately without raising a change control.  If a disk became full, I would increase it without change.  These should however be logged in any event, so that the people who are responsible are aware of what happened.

Hope this helps you define some new change processes :)
pma111Author Commented:
Good post - will leave open a while longer in case anyone else has input
johnb6767Connect With a Mentor Commented:
Excellent post above... Only 1 thing to add....

It might be worth taking a course in ITIL.

I believe it would be the V3 Foundations for the entry level course.. Gets pretty in depth. Only problem to learning, is that it needs to be implemented, and from what I have seen it is very selective which practices truly are followed....
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

pma111Author Commented:
How does approval fit in with change management.
For example you say:

Things that won't be included include:
Creating of a new user

What if a department request a new in a sensitive network - does that just get approved - or does it have to go through some approval from management/IT before its setup? Does that sort of scenario not fall under change management?
David Johnson, CD, MVPConnect With a Mentor OwnerCommented:
Users are consumers of IT, we supply the tools they use them.  The new user has already been vetted by HR and the Department Head (who is ultimately responsible).  If the 'new user' has to go through corporate and then outsourced what is the cost to the company is having an unproductive employee that was hired to do a job that isn't being done.
pma111Author Commented:
So in a nutshell change control is not neccesary for setting up a new security group or a new domain user account?
David Johnson, CD, MVPOwnerCommented:
New Security Group: yes because this has security implications

new domain user: no as this does not have security implications
Lester_ClaytonConnect With a Mentor Commented:
This could be debated.  In my opinion, I'd say that a new Security Group would not require a change control, but granting this security group permission to a resource might.  You really need to find the right balance between creating a process that aides your infrastructure without tipping too far into the ludicrous.

I'd suggest that you have a documented process that people should follow when it comes to installing a new printer - one that has been tried and tested, this kind of pre-approved instruction should not require a change control.  This can include configuring DHCP IP reservation, installing a tested driver into a test environment, installing it into a live environment, creating a group, linking the printer to the group and putting members in the group - all pre-approved because it's been documented.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.