Change control policy testing in Windows environment

Posted on 2011-09-29
Last Modified: 2012-05-12
What kind of things in a Windows environment, i.e. users/computers/servers/AD would typically go through "change control"?

90% of our IT service is outsourced - and we don't have a documented change management policy.

However - if for example we want a new user setting up - it can be logged as a service request - but it needs approval from our in-house IT managers before it is ok'd and the 3rd party can set them up in AD. Does that constitute effective change control?

Do we need a documented policy if our call logging system enforces approval?

Where's the risk of us not having an internal change control documented policy?

And what other areas in Windows could we test to see certain activities went through change control?
Question by:pma111

Accepted Solution

Lester_Clayton earned 300 total points
ID: 36815012
Change control is good, but it can also be a pain in the proverbial backside.  The way I like to look at change is as follows:

Change control should always be done in a situation where an action is taken that will affect more than 1 user.  Things that won't be included include:

Creating of a new user
Creating of a mailbox
Creating of a Group
Placing members in the group
Giving rights to a user
Removing rights from a user

Things that would be included include:

Distributing an application to a group
Creating a Group Policy Object
Changing Exchange policies
Installing a new server

Change control is all about risk management - you're trying to determine what the risk is of any given action, which is why it needs to be scrutinized by your peers and managers.  Change Control should be approved by a peer (even if that peer is lower grade to yourself), and a manager.

Change control should include testing (if possible) - implementation - Rollback Plan - signoff/confirmation

Testing: Has the change you're proposing been done before?  Has it been tested?  What were the expected results?
Implementation: When is it going to be implemented?  Is there going to be any downtime?  Who should be notified?
Rollback Plan: If the change doesn't go through as planned, is there a rollback plan?  Has that been tested?
Signoff/Confirmation: Was the change successful?  Has there been testing done to verify the change succeeded?

Yes, you will most definitely need a documented policy.  You will need this for quality purposes, and also to be able to show people that there is a process in place which should be adhered to.  The policy should be approved by the highest ranking IT Official, that way it becomes law.

The risk of not having a policy in place could be anything from minor downtime due to a mistake made by an operator who implemented a change, to worst case scenario - accidental loss of data.  If you lose money as a result of a change which was done, and you try to claim back from Insurance, they're going to ask you who authorized the change, where your change documentation is and what your change policies are.

Governing change is very hard to do - all of your trusted colleagues are administrators, and can freely make change without consequence.  If you start implementing a consequence, like a fine, warning or dismissal for an unauthorized change.

You must also take into consideration emergencies.  An emergency is when a senior engineer takes the decision to make a change without approval when the change was necessary and could not wait.  For example, if one of my disk drives fails, I would change it immediately without raising a change control.  If a disk became full, I would increase it without change.  These should however be logged in any event, so that the people who are responsible are aware of what happened.

Hope this helps you define some new change processes :)

Author Comment

ID: 36815096
Good post - will leave open a while longer in case anyone else has input

Assisted Solution

johnb6767 earned 100 total points
ID: 36816571
Excellent post above... Only 1 thing to add....

It might be worth taking a course in ITIL.

I believe it would be the V3 Foundations for the entry level course.. Gets pretty in depth. Only problem to learning, is that it needs to be implemented, and from what I have seen it is very selective which practices truly are followed....

Author Comment

ID: 36890498
How does approval fit in with change management?
For example you say:

Things that won't be included include:
Creating of a new user

What if a department requests a new user in a sensitive network - does that just get approved - or does it have to go through some approval from management/IT before it's set up? Does that sort of scenario not fall under change management?

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 36892186
Users are consumers of IT, we supply the tools, they use them.  The new user has already been vetted by HR and the Department Head (who is ultimately responsible).  If the 'new user' has to go through corporate and then outsourced, what is the cost to the company in having an unproductive employee that was hired to do a job that isn't being done?

Author Comment

ID: 36908565
So in a nutshell change control is not necessary for setting up a new security group or a new domain user account?

Expert Comment

by:David Johnson, CD, MVP
ID: 36910366
New Security Group: yes because this has security implications

New domain user: no, as this does not have security implications

Assisted Solution

Lester_Clayton earned 300 total points
ID: 36910480
This could be debated.  In my opinion, I'd say that a new Security Group would not require a change control, but granting this security group permission to a resource might.  You really need to find the right balance between creating a process that aids your infrastructure without tipping too far into the ludicrous.

I'd suggest that you have a documented process that people should follow when it comes to installing a new printer - one that has been tried and tested, this kind of pre-approved instruction should not require a change control.  This can include configuring DHCP IP reservation, installing a tested driver into a test environment, installing it into a live environment, creating a group, linking the printer to the group and putting members in the group - all pre-approved because it's been documented.
