[unisog] Those with Active Directory...Domain Admin question for you

Ryan Dorman Ryan.Dorman at millersville.edu
Thu Dec 8 21:31:10 GMT 2005


Having been down similar roads (names omitted to protect the
not-so-innocent), my advice to you is that you will lose this fight, so
don't have it.  Layer 8 is politics, and it trumps everything technical that
falls below; I don't agree with it, but it seems to be reality.  Instead,
ensure that you have logging and audit trails on everything.  There is a
saying around here that nothing changes until there is a crisis.  So if
there is a crisis in your network, and you can trace it back to the source,
change can be imparted.

Your mileage may vary due to the political climate at your university.
-- 
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883
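As an added illustration of the "logging and audit trails" advice above (example code, not part of the thread), the following PowerShell script reports who is currently in Domain Admins, including nested membership, and pulls the group-change events from each domain controller so that additions and removals are attributable to a person and a time. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Security log on the domain controllers, and that "Audit Security Group Management" is enabled in the domain controller audit policy (without it, events 4728/4729 are never written). The 30-day window and the group name are placeholders to adjust.

```powershell
# Added example: enumerate Domain Admins and the audit trail of changes to it.
# Assumptions: RSAT ActiveDirectory module; read access to DC Security logs;
# "Audit Security Group Management" enabled on domain controllers.
Import-Module ActiveDirectory

$group = 'Domain Admins'   # placeholder: any security group you want to watch
$since = (Get-Date).AddDays(-30)

# 1. Current membership. -Recursive expands nested groups, so an account
#    that is a Domain Admin only through another group is still listed.
$members = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate, whenCreated |
    Select-Object SamAccountName, Enabled, LastLogonDate, whenCreated

Write-Host "Current members of '$group' (recursive):"
$members | Format-Table -AutoSize

# 2. Change history. Each DC logs only the changes it processed itself, so
#    every DC's Security log is queried, not just one.
#    4728 = member added to a security-enabled global group
#    4729 = member removed from a security-enabled global group
$changes = foreach ($dc in Get-ADDomainController -Filter *) {
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4729
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName carries the group name for these event IDs.
        if ($data['TargetUserName'] -ne $group) { continue }

        $action = if ($e.Id -eq 4728) { 'added' } else { 'removed' }
        [pscustomobject]@{
            When      = $e.TimeCreated
            DC        = $dc.HostName
            Action    = $action
            Member    = $data['MemberName']        # DN of the affected account
            ChangedBy = $data['SubjectUserName']   # who made the change
        }
    }
}

Write-Host "Changes to '$group' since $since :"
$changes | Sort-Object When | Format-Table -AutoSize
```

Run it on a schedule and keep the output; a membership list with a dated, attributable change history is exactly the record that lets a later incident be traced back to the account and the decision that created it.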



On 12/8/05 8:39 AM, "Alex Tirdil" <AJTIRDIL at salisbury.edu> wrote:

> Hey everyone,
> 
> This has recently become a hot topic on my campus and I would
> appreciate any feedback anyone has.
> 
> There are a few people on my campus that have Domain Administrator
> privileges for Active Directory.  These people are supposed to have it,
> they have been trained on how to be a responsible Domain Administrator,
> and they have a valid reason for being one (upper level desktop support
> and server team members).
> 
> However, recently an issue has cropped up which has caused some debate
> internally.  An upper level management figure (can't really go into more
> detail than that) has requested and recently acquired Domain
> Administrator privileges.  This person has not been trained on how to be
> a responsible Domain Administrator and they have no need to be one.  The
> person wanted the privileges because it was the "latest and greatest"
> thing to have.
> 
> The issue is that the current trained Domain Admins know this shouldn't
> happen, but they are at a loss on how to approach the issue.  How can
> you approach upper management and basically tell them they should not
> have the privileges they do?
> 
> Anyone have any ideas?  One that has popped up in my head is the fact
> that we are currently being audited and maybe sending the auditor an
> email to "verify who the domain administrators are" which might solve
> the issue...but this is all very sneaky.  We would like to see the
> situation defused as calmly as possible.
> 
> Any feedback would be appreciated, thank you in advance.
> 
> -alex
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
