'Read only' Admin privileges for Active Directory environment?



Hello,
Our InfoSec team has requested Domain Admin (or equivalent) privileges
on the corporate Active Directory to audit the environment's security.
The IT team in charge of this environment doesn't want to grant that
level of privilege. InfoSec then requested a 'read-only' equivalent
to everything in the Active Directory. The IT team hasn't been able
to provide this. So my questions...

1) Is there an easy mechanism to grant a security group 'domain admin
read only'? This would need to cover all aspects of the Active
Directory, including all services, servers, any type of access
Domain/Enterprise Admins would have, just not change anything.
(Exchange, SQL, File servers, the works) I was told a product named
Active Roles might solve this, but it seems quite expensive and way
beyond the scope of what we need. Is there anything besides creating
a new group and manually applying permissions for this group
everywhere in the environment?

2) How does your company (assuming you have a separate security team)
provide access to the InfoSec team to audit/secure AD? Do you give
full admin rights, or what have you guys come up with?

Thanks
Mike
