[unisog] Those with Active Directory...Domain Admin question for you

Ryan Dorman Ryan.Dorman at millersville.edu
Thu Dec 8 21:31:10 GMT 2005

Having been down similar roads (names omitted to protect the
not-so-innocent), my advice to you is that you will lose this fight so
don't have it.  Layer 8 is politics and they trump everything technical that
falls below; I don't agree with it but it seems to be reality.  Instead,
ensure that you have logging and audit trails on everything.  There is a
saying around here that nothing changes until there is a crisis.  So if
there is a crisis in your network, and you can trace it back to the source,
change can be imparted.

Your mileage may vary due to the political climate at your university.
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University

On 12/8/05 8:39 AM, "Alex Tirdil" <AJTIRDIL at salisbury.edu> wrote:

> Hey everyone,
> This has recently become a hot topic on my campus and I would
> appreciate any feedback anyone has.
> There are a few people on my campus that have Domain Administrator
> privileges for Active Directory.  These people are supposed to have it,
> they have been trained on how to be a responsible Domain Administrator,
> and they have a valid reason for being one (upper level desktop support
> and server team members)
> However recently an issue has cropped up which has caused some debate
> internally.  An upper level management figure (can't really go into more
> detail than that) has requested and recently acquired Domain
> Administrator privileges.  This person has not been trained on how to be
> a responsible Domain Administrator and they have no need to be one.  The
> person wanted the privileges because it was the "latest and greatest"
> thing to have.
> The issue is that the current trained Domain Admins know this shouldn't
> happen, but they are at a loss on how to approach the issue.  How can
> you approach upper management and basically tell them they should not
> have the privileges they do?
> Anyone have any ideas?  One that has popped up in my head is the fact
> that we are currently being audited and maybe sending the auditor an
> email to "verify who the domain administrators are" which might solve
> the issue...but this is all very sneaky.  We would like to see the
> situation defused as calmly as possible.
> Any feedback would be appreciated, thank you in advance.
> -alex
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
