Re: Restrict the Domain Admin

From: cc (cc_at_belfordhk.com)
Date: 09/20/05

  • Next message: sf_mail_sbm_at_yahoo.com: "Re: Security Training for Company's Employee"
    Date: Tue, 20 Sep 2005 14:56:18 +0800
    To: security-basics@securityfocus.com
    
    

    sf_mail_sbm@yahoo.com sighed and wrote::

    > Hi List,
    > Is there a way to restrict access of a Domain Admin?

    Here's my $0.02.

    By restricting the access of a domain admin, you've already
    defeated the purpose of a domain admin. The main point of
    the matter is that in order for one person to be a domain
    admin, you must have extraordinary (or maybe just special)
    trust in both the person's ability and their standards of
    operating procedures. By restricting access to the domain
    admin, you are in essence saying, "Here's the domain access,
    but we don't trust you enough to give you the full 9 yards
    so we're restricting your access to these privileges."

    If you don't have 100% confidence in either the person's
    ability or their ethics, you really shouldn't be giving
    the person that much access to begin with.

    As some other poster (Mr. Armfield) mentioned here, eventually
    you'll need a person who has access to the whole nine yards.


  • Next message: sf_mail_sbm_at_yahoo.com: "Re: Security Training for Company's Employee"