Mitigating risks of outsourcing desktop management

["David West" <davidawest () gmail com>]

Hello,
Our Operations team are investigating outsourcing the management of
desktops, adds/moves/changes/break-fix etc.

One of the proposals on the table is for a vendor to build/add
desktops to our AD domain off-site at the third parties premises. They
propose to achieve this by extending our AD domain to their premises.
I have a number of concerns with this approach, including; extending
our domain to an uncontrolled environment; policy and procedure
conformance of the third party; access required to add computers to
AD; potential to poison AD; identity management issues, etc. Some of
these concerns can be limited with tight commercial contractual terms,
however I was wondering if anyone can provide insight into how other
enterprises solve this problem? Ie, Somehow provide only a subset of
AD functionality to the third party; policy conformance somehow; or
don't do it at all?

Any advice would be appreciated.

Thanks,

David