Granting limited elevated rights within production
From: Karim Ali (thethinker301_at_hotmail.com)
Date: Tue, 28 Sep 2004 15:09:59 -0700
I am currently consulting with a firm that is in need of
an emergency ID system for elevated user access within
the Production and SYST environments.
Part of my job has been to sniff out the groups and
accounts which have these elevated privileges but who
really have no immediate need. My recommendations are
being taken very seriously and it will mean that many
will lose admin privs.
The environment has over 1000 servers and has a user
database of over 5000.
Home grown applications proliferate the network, and
developers need access "at times" to straighten out
issues within their respective databases.
The Windows 2000 NOS with AD are implemented in native
There are some ideas out there right now, however I am
seeking some unique ways within the AD structure to grant
the needed permissions to an approved user for a short
period of time with the least administrative hassle.
Mind you, this process will be implemented in the wake of
removing admin level access from a substantial number of
Have you had any experiences which mirror this
initiative? Have I left out any critical details?