A change control request to setup a redirect on a site from 1998 that will have the absolute minimum possible impact to anything else isn't going to take more than a signature or two even in a company as large as Microsoft. It might even be outside of the scope of needing any kind of official change control due to its age. While working at Xerox I had authority to kill off long forgotten public facing sites that had slipped through the cracks over time.
At my bank, any type of change requires a 48 hour cool down from request approval to change. Sure you can put it through as an emergency change but then a committee of SVPs and EVPs has to approve it and they pretty much never approve anything.
Even for something so old and outdated? Because I have done consultancy work for some banks and have seen things (mostly incorrect data to be fair) changed in under half an hour once pointed out.
1. Business users. So unbelievably locked down it's ridiculous. Anytime they ask for access rights it's "can't, because of audit".
2. Application IT users. As locked down as possible while still allowing them to somewhat do their job.
3. Infrastructure IT users. Domain admin rights with their standard user login. Ability to bypass any proxy server restriction by default.
It's basically the worst of all worlds. The business users and application IT people can't do anything in the name of following "security best practices" while the infrastructure IT people (including the business analysts and non-technical people in that group) have carte blanche because "they couldn't do their job without it". They don't even follow basic security practices like using a non-privileged account for everyday use and having an elevated account for when they need to do something. It's a complete mess.
So thinking about it more - the infrastructure IT people make instant changes all the time.
Yup that is pretty much my experience of a dozen blue chips and banks. It is either all or nothing. A lot of this is Microsoft's fault due to how crap things were done back in the XP and earlier days and while we have moved on a lot of places stick to how they used to do things rather than re-evaluate how things can and should be done now. Sucks but that is the way the corporate world is it seems.
Banks should be resistant to change, changes have the potential for million dollar mistakes. It would be expensive for them to have 1 procedure for the important money-touching systems and another for the less important website infrastructure.
