Re: Accountability of Domain Admins

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/25/04


Date: Sun, 25 Jan 2004 13:37:09 -0500

And another response I thought of after the first...

Make your domains more like a single deity or a holy trinity setup, not like
a Greek or Roman deity set up.

As an aside to support Roger and Robert's posts. I am part of a team of
three domain admins that run an AD composed of 9 domains and 250,000 users
and about 400 domain controllers globally located... Yes, we have three
domain admins... holy trinity. It can be done and it works very well. All
major day to day admin work is delegated to beings with lesser power. :op

-- 
www.joeware.net
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:u4INHgs4DHA.2624@TK2MSFTNGP09.phx.gbl...
> I am falling in line with Joe's, and especially Robert's ending comment.
> IOW, why is a Domain Admin account being used ?
>
> It is my contention that if you analyze job tasks you will find very
little
> in the way of day-to-day activity that cannot be accomplished with a
> less fully empowered account.  It is a matter of defining the delegations
> and enabling the needed distributed-systemwide accesses.
>
> If one does this, as a side-effect one ends up with an inventory of all
> accounts that are able to what.  This, when combined with controls
> over where those accounts are allowed to log in locally and secured
> auditing of those accounts and those machines, gets you well down
> the road toward an environment that "encourages" trustworthy behavior.
>
> If as Joe states, DomAdms are gods, then why promote a pantheon
> with multiple, unpredictable, all-empowered personalities?
>
> -- 
> Roger
> "Skarch" <noreply@x859mvic.com> wrote in message
> news:uLgAmvQ4DHA.2332@TK2MSFTNGP10.phx.gbl...
> > Kind of a different question here, if I should post to another
newsgroup,
> > please advise...
> >
> > I'm in a situation were there's more than one Domain Admin (including
me)
> > and there are some trust issues coming up.  Like reading other peoples
> > email, remote accessing user root drives and poking around, etc.
> >
> > I looking for some advice on how to approach resolving these issues.
Even
> > if all the DAs were completely trustworthy, what procedures or methods
of
> > accountability are there that would ensure continued trust?  For
example,
> > how would the VP know he can trust the IT department to not snoop on his
> > desktop system?
> >
> > For us, unfortunately some of this is going on, but at the moment
there's
> no
> > defined way to track or prove it.
> >
> > I can think of a few things, like tracking Admin logins, password reset
> > procedures, killing admins shares, etc, but I'm hoping there might be
> > real-world examples out there of IT departments that already have
similar
> > procedures in place.
> >
> > Any thoughts, examples or pointers to web resources are much
appreciated!
> >
> > Thanks,
> > SK
> >
> >
> >
>
>


Relevant Pages

  • RE: local admin account password
    ... Subject: local admin account password ... > 4) Only use domain accounts so delete the local ones. ... > The DB file would be encrypted with EFS so only the limited user SQL ... > backup user can make a zip backup of the DB whenever it gets changed ...
    (Focus-Microsoft)
  • RE: local admin account password
    ... Say you have more then 1000 systems, how do you handle the local admin ... Only use domain accounts so delete the local ones. ... The DB file would be encrypted with EFS so only the limited user SQL ... There would be basically two stored procs, ...
    (Focus-Microsoft)
  • local admin account password
    ... Only use domain accounts so delete the local ones. ... 5)My main idea/plan is to store all the passwords on a central SQL server. ... This way you can easily have a different random passwords for the admin ... There would be basically two stored procs, ...
    (Focus-Microsoft)
  • Re: Admin vs limited user account
    ... properly with limited user account (it does work fine with admin users). ... Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. ... "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files ...
    (microsoft.public.windowsxp.security_admin)
  • Re: More on user permissions in a 2K AD domain
    ... strong pass phrase for the admin accounts then ... settings for workstations in a domain linked GPO, ... Given you are remote from the server and it ...
    (microsoft.public.win2000.security)