[unisog] Those with Active Directory...Domain Admin question for you

Brokken, Allen P. BrokkenA at missouri.edu
Thu Dec 8 21:20:23 GMT 2005

Is it this person's "primary" account that has the privileges?  We went
through a process where no-one's primary email/desktop access account is
the same as the account they use for domain admin.  All admins have a
secondary account, and we only have 2 System Admins and 2 Security guys
with domain admin privileges between 2 domains with ~35,000 active
accounts and ~12,000 active computers.

If you can get that kind of thing into a security policy, then it's much
easier to deal with individual cases like this.

Allen Brokken
IAT Services - ISAM
University of Missouri
brokkena at missouri.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Alex Tirdil
Sent: Thursday, December 08, 2005 7:40 AM
To: unisog at lists.sans.org
Subject: [unisog] Those with Active Directory...Domain Admin question
for you

Hey everyone,

This has recently become a hot topic on my campus and I would
appreciate any feedback anyone has.

There are a few people on my campus that have Domain Administrator
privileges for Active Directory.  These people are supposed to have it,
they have been trained on how to be a responsible Domain Administrator,
and they have a valid reason for being one (upper level desktop support
and server team members).

However recently an issue has cropped up which has caused some debate
internally.  An upper level management figure (can't really go into more
detail than that) has requested and recently acquired Domain
Administrator privileges.  This person has not been trained on how to be
a responsible Domain Administrator and they have no need to be one.  The
person wanted the privileges because it was the "latest and greatest"
thing to have.

The issue is that the current trained Domain Admins know this shouldn't
happen, but they are at a loss on how to approach the issue.  How can
you approach upper management and basically tell them they should not
have the privileges they do?

Anyone have any ideas?  One that has popped up in my head is the fact
that we are currently being audited and maybe sending the auditor an
email to "verify who the domain administrators are" which might solve
the issue...but this is all very sneaky.  We would like to see the
situation defused as calmly as possible.

Any feedback would be appreciated, thank you in advance.
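The two controls Allen describes (domain admin rights only on dedicated secondary accounts, and a membership small enough to list by name), together with the "verify who the domain administrators are" check Alex mentions, can be turned into a repeatable report. The following PowerShell is an added example and is not code from either poster or from the unisog list. It assumes the ActiveDirectory module (RSAT) is available, that dedicated admin accounts follow a naming convention (the "-adm" suffix below is an assumption; substitute your own), and that the approved-member list is maintained by hand; the account names in $Approved are made up.

```powershell
# Added example (not from the original thread): enumerate the groups that
# grant effective domain control and flag members that look like someone's
# everyday account rather than a dedicated admin account.
Import-Module ActiveDirectory

# Groups whose membership, directly or through nesting, confers domain control.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Assumed, hand-maintained list of approved dedicated admin accounts
# (sAMAccountName). These names are placeholders for the example.
$Approved = @('jsmith-adm', 'akim-adm', 'sec1-adm', 'sec2-adm')

# Assumed naming convention for dedicated admin accounts.
$AdminSuffix = '*-adm'

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are caught.
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.SamAccountName -Properties mail, LastLogonDate, PasswordLastSet
        $issues = @()

        # A mailbox on a privileged account is the usual sign that it is also
        # the person's primary email/desktop account.
        if ($u.mail) { $issues += "has a mailbox ($($u.mail)); likely a primary account" }

        if ($u.SamAccountName -notlike $AdminSuffix) { $issues += 'does not follow the admin naming convention' }
        if ($Approved -notcontains $u.SamAccountName) { $issues += 'not on the approved list' }
        if (-not $u.Enabled) { $issues += 'disabled but still privileged' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-90)) {
            $issues += 'password older than 90 days'
        }

        [pscustomobject]@{
            Group     = $group
            Account   = $u.SamAccountName
            Name      = $u.Name
            LastLogon = $u.LastLogonDate
            Issues    = ($issues -join '; ')
        }
    }
}

# The full membership list is what an auditor asks for ...
$findings | Sort-Object Group, Account | Format-Table -AutoSize

# ... and the rows with findings are the ones that need a conversation.
$findings | Where-Object { $_.Issues } |
    Export-Csv -Path .\privileged-account-findings.csv -NoTypeInformation
```

Run it from a workstation with RSAT as an ordinary (non-admin) account that can read the directory; group membership is readable by any authenticated user by default, so the report itself needs no privilege. Because Domain Admins is nested in the built-in Administrators group, the same accounts will appear under both; that is expected and makes it obvious when someone was added to Administrators directly to avoid showing up in Domain Admins.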
