Re: Accountability of Domain Admins

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 02/05/04


Date: Wed, 4 Feb 2004 19:58:31 -0700

I was going to say something, not quite RUN, but more along the
lines of get ready . . . but you beat me to that.

I would suggest that you do nothing to aggravate your relations
with the other DAs. That is the last extra complication you need.

Rather, plot out some "what if" scenarios. What if someone got
in through the VPN who should not have? What if a desktop used
by a DA became infected? Etc.
And then, for these scenarios, outline the transition in practices
that could be incrementally introduced. Emphasize the value
brought from assurance of continuity of the business's operations.

Keep your profile low, do what you can to benefit them, be ready
if all goes sour, and hope that your initiatives meet with favor.

Good luck,
Roger

"Skarch" <noreply@x859mvic.com> wrote in message
news:OiHu3hb5DHA.2412@TK2MSFTNGP11.phx.gbl...
> Gentlemen,
>
> Thank you for your responses, and I am in total agreement with you. Allow
> me to explain a little further, and again, any suggestions you can offer are
> much appreciated. Please see inline.
>
> >> Well if you don't trust your domain admins you need new ones. Easier said
> >> than done...
>
> The situation here is, well, kind of screwy. I'm a DA, but I'm the new kid
> on the block, about 4 months. I've been a net admin for 8 years, in IT for
> 12. Here, I'm an IT Department Manager. There are 2 other DAs here, each
> who "fell into" their positions about 1.5 years ago when the company
> reshuffled. They're officially "IT Managers" as well. They have no prior
> experience in IT. They should never have been made DAs/IT managers (or at
> least not both of them), but that was before my time. They are partners in
> crime, basically. They feel they run the IT department.
>
> All three of us are IT Managers (each with a sub-designation - some previous
> VP's idea.) We all report to a VP.
>
> Upper management is unresponsive, but that is due to somewhat legitimate
> factors. The company was bought out 6 months ago, and management has been
> playing musical chairs ever since. I've had 3 bosses in the past 4 months.
> The original VP that hired me was let go. I think if upper management
> could stay still long enough, I might be able to do something.... "Easier
> said than done."
>
>
> >> In addition to what Joe has said, let's look at the basics. Do you at least
> >> use separate admin accounts for each person (e.g. no one uses the generic
> >> domain admin account... they all have accounts like "Skarch_Admin" and
> >> "AnotherPerson_Admin", etc)?
>
> No. I absolutely agree that we should (if we kept all DA accounts), but I
> have no authority to dictate the change, and I would be met with hostility
> from the DAs if I tried because it would be perceived (rightly so) as an
> accountability measure. I am already on shaky terms with them as they see
> me as a threat.
>
>
> >> And, pardon me and don't take this the wrong way - Are you sure that all
> >> these people need "domain admin" access? Can you maybe delegate away some
> >> permissions and such like?
>
> I agree 100%! This is not that big a company, about 80 desktops on the LAN,
> another 15 stand-alone, couple of VPNs, and a LOT of (unnecessary) printers.
> Again, I do not have the authority at this point to un-delegate permissions.
>
> ------
>
> I can hear you guys now... RUN!!!!..... RUN AS FAST AS YOU CAN..... lol!
>
> And believe me, if things don't change fairly soon, I'll move on. But it
> *is* a good company, with a lot of growth potential, a solid market share,
> and outside IT the people are great. Most people are starting to lean
> towards me and shying away from the other DAs, which of course doesn't make
> the DAs happy. In fact, it's probably encouraging some of their behavior.
>
> My thinking is that I need some sort of evidence of their crime, not for the
> purpose of necessarily punishing them (albeit a fun thought), but to take to
> the VP and say "look, this is why we need more security measures... and
> here's what I suggest." Right now it's more my word against theirs (because
> this VP has only been here 6 weeks.)
>
> Never having been in this type of situation, I'm not exactly sure if this is
> the right approach. And if it is, I'm not exactly sure what methods to use.
> (Though you gentlemen have given me some valuable suggestions - thank you!)
>
> So again, any insight anyone might be able to offer is greatly appreciated.
>
> Thanks,
> SK
>
>
>
>
>
>


