Re: Controlling IT manager access?


"Danny Sanders" <DSanders@xxxxxxxxxxxxxxx> wrote in message
news:OqnsQQ3FJHA.224@xxxxxxxxxxxxxxxxxxxxxxx
You might consider keeping the domain admin role and hiring a Jr. admin.
You can create task pads so he can do most of his work.........depending
on what you want him to do.

Here is a start:
http://support.microsoft.com/kb/555986/en-us

Good advice, but the OP is planning on hiring someone (over) qualified as a
domain admin, so I'm not sure how he would take being treated as a Jr.
admin, and an untrusted one, at that.

I guess it comes down to this: is the OP more interested in helping out a
friend, getting in more admin help, or preserving the status quo for his
company? Seems to me that the security of the company is not something he
would want to play with.

And as for his friend, perhaps he would consider some sort of a Jr admin
arrangement as a fair trade-off for the chance to get out of the bad
situation mentioned below.

So, what started out as a technical question seems to have moved into other,
less technical, but no less difficult, areas.

/Al

hth
DDS


"BrianG" <decc@xxxxxxxxxxx> wrote in message
news:09e34c37-8a4b-46b8-9dbf-cfc7a8264901@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Sep 12, 8:38 pm, "Al Dunbar" <AlanD...@xxxxxxxxxxxxxxxxxxx> wrote:

I definitely have someone very trustworthy and qualified (probably
over qualified) but he is a relative who would be taking the position
as a way out of his current bad situation. The benefits package we
can afford to offer him would put him in the middle of the pack of
this company (11 employees) but his responsibilities would be
significant. I am very concerned about the animosity that might
develop if he becomes knowledgeable of the salaries and benefits of
others, including mine. Is it common practice for domain admins in
large enterprises to have access to information regarding benefits
packages of co-workers & corporate execs?

My guess is that it is not common practice for domain admins to have
access
to all information stored on the company's systems. That said, larger
organizations accomplish this by compartmentalizing it through various
methods, One of these is to house their data within applications rather
than
as documents on a file server.

Small organizations such as yours typically work on a more casual basis.
While this can work, it likely means that there is a significantly
different
level of trust.

But let me ask you this: do the other ten or so employees know
everyone's
salary, and will they know what the IT guy is paid? If you trust them
with
this information and trust the new guy less, well, that alone would be
enough to sour the relationship.

Benefit packages of employees is not shared knowledge. All employees
except the company President have limited access to the server.


And, if he is a competent administrator, he might note that some things
are
blocked to him. In that situation, I might suspect that the previous
(untrained) administrator had inadvertently messed up the permissions,
and
I'd start looking for a fix. Either that, or he would see it as a flag
of
untrust and, well, you know where I'm going with that...

I am and always have been the only domain admin. I am also the only
accounting guy and the only HR guy so it has been easy to control
access to those files. The issue for me now is the hiring of someone
to manage IT and assist with accounting functions. HR files have been
very private to date but hiring an IT manager changes that which make
me uncomfortable and is why I asked for suggestions on how small to
mid sized businesses control access to HR files by IT managers. From
the feedback so, far I'm thinking it might be time for a personal
laptop.






.

Relevant Pages

  • Re: Controlling IT manager access?
    ... You might consider keeping the domain admin role and hiring a Jr. ... The benefits package we ... But let me ask you this: do the other ten or so employees know everyone's ...
    (microsoft.public.windows.server.security)
  • Re: Controlling IT manager access?
    ... him he as a domain admin can undo. ... trust Him/her". ... The benefits package we ...
    (microsoft.public.windows.server.security)