Re: Corporate Idiots

From: Ray (reply_in_at_news.only)
Date: 04/15/04


Date: Wed, 14 Apr 2004 22:18:51 -0400

Inline.

> Does anyone know how an NT admin can do their job without domain admin
> privileges? Some security and helpdesk type has come up with the idea that,
> to do this, they would grant us limited access only for a short time to do a
> certain job and then take it away. We would have to request access on the
> change control system and wait for a reply.

Sounds like your organization has had some bad experiences with a lack of
change control. Also sounds like you may have a ton of "service" accounts
that have domain admin rights and passwords that are years old.

> This would be for everything: exchange, backups, user rights, unlocking
> accounts, printer setup, everything.

Exchange admin does not require domain admin rights, not even the service
account. Nor do backups. User rights, perhaps, but how big an organization
are we talking? Printer setup, nope.

> Other than let this 24 by 7 operation come to a screeching halt, what can
> the domain admins do?????

Start off with limited rights, like account operator, and stop letting your
everyday network account have domain admin privileges. Have a second
account, non-shared, set up to do that. It doesn't take that long to log out
and back in or to use "RunAs". That's what I do. Keeps me from messing up
things inadvertently.

> These are supposedly highly educated computer specialists and
> managers...... There is even a CISSP in on this one, so I don't want to hear
> any more about the great CISSP cert. You certainly don't have to have a
> brain to get this cert. Replies requested, or comments.

Yeah, well, think about the principle of least privilege. Don't allow
anything that is not needed and then only allow it for the duration that it
is needed. If you think the CISSP is a no-brainer, take it.

Ray, CISSP
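As an added example, not part of the original thread: a PowerShell script that turns Ray's two points into something you can check. It lists who actually holds Domain Admins (nested groups expanded), flags service accounts with years-old passwords and everyday user accounts that carry DA rights, and ends with the RunAs pattern he describes for a separate admin account. It assumes the RSAT ActiveDirectory module is installed and you have read access to the domain; the 90-day and 7-day thresholds, the "-adm" naming convention for dedicated admin accounts and the CONTOSO\ray-adm account are illustrative assumptions, not something from the post.

```powershell
# Added example, not from the original post. Audits Domain Admins membership
# for stale service accounts and everyday accounts with DA rights.
# Assumptions: RSAT ActiveDirectory module present; "-adm" suffix marks a
# dedicated admin account; CONTOSO\ray-adm is a placeholder account.
Import-Module ActiveDirectory

function Get-DomainAdminAudit {
    param(
        [string]$Group = 'Domain Admins',
        [int]$MaxPasswordAgeDays = 90,   # assumption: older than this counts as stale
        [int]$RecentLogonDays = 7,       # assumption: logged on this recently = probably an everyday account
        [string]$AdminSuffix = '-adm'    # assumption: site naming convention for admin accounts
    )
    $now = Get-Date
    $staleBefore = $now.AddDays(-$MaxPasswordAgeDays)
    $recentAfter = $now.AddDays(-$RecentLogonDays)

    # -Recursive expands nested groups, so a user added through a sub-group is not missed.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties `
                PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, LastLogonDate

            $flags = @()
            # An SPN on a user object usually means a service runs as that account.
            if ($u.ServicePrincipalName.Count -gt 0) { $flags += 'service-account(SPN)' }
            if ($u.PasswordNeverExpires)              { $flags += 'password-never-expires' }
            if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $staleBefore) {
                $flags += 'stale-password'
            }
            # A Domain Admin that logs on most days and is not named as an admin
            # account is very likely someone's everyday account (heuristic).
            if ($u.LastLogonDate -and $u.LastLogonDate -gt $recentAfter -and
                -not $u.SamAccountName.EndsWith($AdminSuffix)) {
                $flags += 'everyday-account-with-DA'
            }

            $ageDays = $null
            if ($u.PasswordLastSet) { $ageDays = [int]($now - $u.PasswordLastSet).TotalDays }

            [pscustomobject]@{
                Account         = $u.SamAccountName
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                PasswordAgeDays = $ageDays
                LastLogon       = $u.LastLogonDate
                Flags           = ($flags -join ', ')
            }
        }
}

# Usage: list the findings, oldest passwords first.
Get-DomainAdminAudit | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# The RunAs pattern from the post: stay logged on as your limited everyday
# account and launch only the admin tool under the separate admin account.
# dsa.msc is Active Directory Users and Computers; CONTOSO\ray-adm is a placeholder.
#   runas /user:CONTOSO\ray-adm "mmc dsa.msc"
```

Anything the script tags "service-account(SPN)" together with "stale-password" is the kind of account the reply warns about: it needs Domain Admins rights removed or its password rotated, and it is the first thing an attacker who lands on a member server will look for. Accounts tagged "everyday-account-with-DA" are the ones to split into a normal account plus a separate admin account used only through RunAs or a fresh logon.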


