Re: Accountability of Domain Admins

From: Joe Richards [MVP] (
Date: 01/25/04

Date: Sun, 25 Jan 2004 13:37:09 -0500

And another response I thought of after the first...

Make your domains more like a single deity or a holy trinity setup, not like
a Greek or Roman deity setup.

As an aside to support Roger and Robert's posts. I am part of a team of
three domain admins that run an AD composed of 9 domains and 250,000 users
and about 400 domain controllers globally located... Yes, we have three
domain admins... holy trinity. It can be done and it works very well. All
major day to day admin work is delegated to beings with lesser power. :op

"Roger Abell [MVP]" <> wrote in message
> I am falling in line with Joe's, and especially Robert's ending comment.
> IOW, why is a Domain Admin account being used ?
> It is my contention that if you analyze job tasks you will find very
> in the way of day-to-day activity that cannot be accomplished with a
> less fully empowered account.  It is a matter of defining the delegations
> and enabling the needed distributed-systemwide accesses.
> If one does this, as a side-effect one ends up with an inventory of all
> accounts that are able to do what.  This, when combined with controls
> over where those accounts are allowed to log in locally and secured
> auditing of those accounts and those machines, gets you well down
> the road toward an environment that "encourages" trustworthy behavior.
> If as Joe states, DomAdms are gods, then why promote a pantheon
> with multiple, unpredictable, all-empowered personalities?
> -- 
> Roger
> "Skarch" <> wrote in message
> news:uLgAmvQ4DHA.2332@TK2MSFTNGP10.phx.gbl...
> > Kind of a different question here, if I should post to another
> > please advise...
> >
> > I'm in a situation where there's more than one Domain Admin (including
> > and there are some trust issues coming up.  Like reading other people's
> > email, remote accessing user root drives and poking around, etc.
> >
> > I'm looking for some advice on how to approach resolving these issues.
> > if all the DAs were completely trustworthy, what procedures or methods
> > accountability are there that would ensure continued trust?  For
> > how would the VP know he can trust the IT department to not snoop on his
> > desktop system?
> >
> > For us, unfortunately some of this is going on, but at the moment
> > no
> > defined way to track or prove it.
> >
> > I can think of a few things, like tracking Admin logins, password reset
> > procedures, killing admins shares, etc, but I'm hoping there might be
> > real-world examples out there of IT departments that already have
> > procedures in place.
> >
> > Any thoughts, examples or pointers to web resources are much
> >
> > Thanks,
> > SK
> >
> >
> >
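The two controls Roger's post describes, an inventory of which accounts are able to do what and auditing of where those accounts log on, can be produced from Active Directory itself. The script below is an added PowerShell example and is not part of any post in this thread. It assumes the RSAT ActiveDirectory module on a domain-joined host and a Windows Server 2008 or later Security log with "Audit Special Logon" enabled (event ID 4672, "Special privileges assigned to new logon"); the list of groups and the seven-day window are choices made for illustration, not values from the thread.

```powershell
# Added example, not from the thread: inventory privileged group membership and
# review privileged logons on this host.
# Assumes: RSAT ActiveDirectory module; Security log with event 4672 enabled.

Import-Module ActiveDirectory

# 1. Inventory: every user that holds membership (directly or via nested groups)
#    in a privileged group. Enterprise Admins and Schema Admins exist only in the
#    forest root domain, so lookups are allowed to fail silently in child domains.
$privilegedGroups = 'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins'
$inventory = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser $_ -Properties LastLogonDate, PasswordLastSet, Enabled
            [pscustomobject]@{
                Group           = $g
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
}
# The list itself is the "inventory of all accounts that are able to do what":
# anything on it that is not one of the few intended admins is a finding.
$inventory | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Audit: privileged logons on this host during the last seven days, restricted
#    to the accounts from the inventory. Run on a workstation or member server, a
#    non-empty result shows a highly privileged account being used where it should not be.
$since        = (Get-Date).AddDays(-7)
$privAccounts = $inventory.SamAccountName | Select-Object -Unique

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Domain  = $data['SubjectDomainName']
            Account = $data['SubjectUserName']
            LogonId = $data['SubjectLogonId']
        }
    } |
    Where-Object { $privAccounts -contains $_.Account } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Running the second half across the machines where privileged accounts are not supposed to be used (user workstations, file servers holding home directories) gives exactly the "defined way to track or prove it" Skarch asked about; pairing the event with the logon ID lets the same session be followed through later object-access events if file or mailbox access auditing is also enabled.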