Re: Controlling IT manager access?




"BrianG" <decc@xxxxxxxxxxx> wrote in message
news:aa7f3adc-3159-4026-bc30-f71966247df7@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Sep 12, 10:53 am, "Danny Sanders" <DSand...@xxxxxxxxxxxxxxx> wrote:
I probably didn't state it right but professional competence and experience
*usually* goes a long ways toward developing that trust, along with checking
references.....etc.

hth
DDS

"S. Pidgorny <MVP>" <slavi...@xxxxxxxxx> wrote in message
news:OVU8rZLFJHA.3288@xxxxxxxxxxxxxxxxxxxxxxx

G'day:

Danny Sanders wrote:
If he is going to be the domain admin, anything you can do to restrict
him, he as a domain admin can undo.

The most important thing to consider when hiring a domain admin is
"Can I trust him/her".

Hire somebody you can trust.


I definitely have someone very trustworthy and qualified (probably
overqualified) but he is a relative who would be taking the position
as a way out of his current bad situation. The benefits package we
can afford to offer him would put him in the middle of the pack of
this company (11 employees) but his responsibilities would be
significant. I am very concerned about the animosity that might
develop if he becomes knowledgeable of the salaries and benefits of
others, including mine. Is it common practice for domain admins in
large enterprises to have access to information regarding benefits
packages of co-workers & corporate execs?

My guess is that it is not common practice for domain admins to have access
to all information stored on the company's systems. That said, larger
organizations accomplish this by compartmentalizing it through various
methods. One of these is to house their data within applications rather than
as documents on a file server.

Small organizations such as yours typically work on a more casual basis.
While this can work, it likely means that there is a significantly different
level of trust.

But let me ask you this: do the other ten or so employees know everyone's
salary, and will they know what the IT guy is paid? If you trust them with
this information and trust the new guy less, well, that alone would be
enough to sour the relationship.

And, if he is a competent administrator, he might note that some things are
blocked to him. In that situation, I might suspect that the previous
(untrained) administrator had inadvertently messed up the permissions, and
I'd start looking for a fix. Either that, or he would see it as a flag of
untrust and, well, you know where I'm going with that...

/Al

