Re: Accountability of Domain Admins

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/25/04


Date: Sun, 25 Jan 2004 13:37:09 -0500

And another response I thought of after the first...

Make your domains more like a single deity or a holy trinity setup, not like
a Greek or Roman deity set up.

As an aside to support Roger and Robert's posts. I am part of a team of
three domain admins that run an AD composed of 9 domains and 250,000 users
and about 400 domain controllers globally located... Yes, we have three
domain admins... holy trinity. It can be done and it works very well. All
major day to day admin work is delegated to beings with lesser power. :op

-- 
www.joeware.net
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:u4INHgs4DHA.2624@TK2MSFTNGP09.phx.gbl...
> I am falling in line with Joe's, and especially Robert's ending comment.
> IOW, why is a Domain Admin account being used ?
>
> It is my contention that if you analyze job tasks you will find very little
> in the way of day-to-day activity that cannot be accomplished with a
> less fully empowered account.  It is a matter of defining the delegations
> and enabling the needed distributed-systemwide accesses.
>
> If one does this, as a side-effect one ends up with an inventory of all
> accounts that are able to do what.  This, when combined with controls
> over where those accounts are allowed to log in locally and secured
> auditing of those accounts and those machines, gets you well down
> the road toward an environment that "encourages" trustworthy behavior.
>
> If as Joe states, DomAdms are gods, then why promote a pantheon
> with multiple, unpredictable, all-empowered personalities?
>
> -- 
> Roger
> "Skarch" <noreply@x859mvic.com> wrote in message
> news:uLgAmvQ4DHA.2332@TK2MSFTNGP10.phx.gbl...
> > Kind of a different question here, if I should post to another newsgroup,
> > please advise...
> >
> > I'm in a situation where there's more than one Domain Admin (including me)
> > and there are some trust issues coming up.  Like reading other peoples
> > email, remote accessing user root drives and poking around, etc.
> >
> > I'm looking for some advice on how to approach resolving these issues.  Even
> > if all the DAs were completely trustworthy, what procedures or methods of
> > accountability are there that would ensure continued trust?  For example,
> > how would the VP know he can trust the IT department to not snoop on his
> > desktop system?
> >
> > For us, unfortunately some of this is going on, but at the moment there's
> > no defined way to track or prove it.
> >
> > I can think of a few things, like tracking Admin logins, password reset
> > procedures, killing admins shares, etc, but I'm hoping there might be
> > real-world examples out there of IT departments that already have similar
> > procedures in place.
> >
> > Any thoughts, examples or pointers to web resources are much appreciated!
> >
> > Thanks,
> > SK
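The two controls the thread keeps coming back to, a known and tiny Domain Admins membership and visibility into where those accounts are actually used, can be checked from a script. The following is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module is installed, that it runs on a machine whose Security log you want to inspect, and the approved-admin list is a placeholder to replace with your own "holy trinity".

```powershell
# Added example (not from the thread): inventory effective Domain Admins against
# an approved list, then flag interactive logons by those accounts on this host.
# Assumes the RSAT ActiveDirectory module; $Approved is a placeholder list.
Import-Module ActiveDirectory

$Approved = @('admin-one', 'admin-two', 'admin-three')   # placeholder: your three DAs

# 1. Who can actually act as a Domain Admin? -Recursive expands nested groups,
#    so an account tucked inside a nested group still shows up in the inventory.
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
           Where-Object objectClass -eq 'user' |
           Select-Object -ExpandProperty SamAccountName

$Unexpected = $Members  | Where-Object { $_ -notin $Approved }
$Missing    = $Approved | Where-Object { $_ -notin $Members }

"Effective Domain Admins: $($Members.Count)"
if ($Unexpected) { "UNEXPECTED members: $($Unexpected -join ', ')" }
if ($Missing)    { "Approved but absent: $($Missing -join ', ')" }

# 2. Where are those accounts logging on? Event 4624 with LogonType 2 (console),
#    10 (RDP) or 11 (cached credentials) on a workstation or member server is the
#    day-to-day use Roger argues should be done with a less empowered account.
$Interactive = 2, 10, 11
$Since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -in $Members -and [int]$d['LogonType'] -in $Interactive) {
      [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = $d['TargetUserName']
        LogonType = $d['LogonType']
        Source    = $d['IpAddress']
      }
    }
  } | Format-Table -AutoSize
```

Run it from an account that can read the group and the local Security log; pointing step 2 at a central log collector instead of each host is the natural next step.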