[unisog] Those with Active Directory...Domain Admin question for you

Alan Amesbury amesbury at oitsec.umn.edu
Thu Dec 8 21:36:09 GMT 2005

Alex Tirdil wrote:


>However recently an issue has cropped up which has caused some debate
>internally.  An upper level management figure (can't really go into more
>detail than that) has requested and recently acquired Domain
>Administrator privileges.  This person has not been trained on how to be
>a responsible Domain Administrator and they have no need to be one.  The
>person wanted the privileges because it was the "latest and greatest"
>thing to have.
>The issue is that the current trained Domain Admins know this shouldn't
>happen, but they are at a loss on how to approach the issue.  How can
>you approach upper management and basically tell them they should not
>have the privileges they do?

It's not just an AD situation, but one that applies wherever privilege
controls are used.  Similar situations can arise (and have arisen)
regarding root privs on Unix systems.

Policy is the best tool for this.  If your policy limits privileges
based on demonstrable need, I'd recommend following policy.  If this
person really wants privileges, then the two obvious courses of action
they can take are:  1) Demonstrate need.  2) Rewrite policy to account
for their superfluous desires.

I ran into this problem while working in banking.  People wanted root
privs on their Solaris boxes when policy explicitly forbade it.  I
enforced the policy, which was based on the principle of least
privilege.  However, I was also really lucky in that my manager (who, as
a manager, didn't have *accounts* on most systems, much less privileged
access) backed my play all the way.

If it's an Orwellian "some animals are more equal than others"
situation, I don't know what to say... other than, "Good luck."  Common
sense rarely prevails in those situations.  :-(

It's an unenviable position, but one where I don't think "playing
nicely" is entirely appropriate.  Again, good luck.

Alan Amesbury
University of Minnesota
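A policy that grants privileges only on demonstrable need is easier to defend when the gap between the documented list and the live group is visible. The script below is an added example, not part of Alan's reply or anything the original poster's site runs: it reads the actual Domain Admins membership with the ActiveDirectory module (RSAT) and reports any account that is not on the approved list. The account names in the approved list are constructed placeholders; in practice that list is the approval record that documents each member's need.

```powershell
# Added example (not from the original thread): compare live Domain Admins
# membership against a documented, approved list and report any drift.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Constructed approved list; in practice this is maintained from the
# change/approval record that documents each member's demonstrated need.
$ApprovedDomainAdmins = @(
    'Administrator',
    'da-jsmith',
    'da-rlee'
)

# Resolve the group recursively so a nested group cannot hide a member.
$ActualMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# Members present in the group but absent from the approved list are the
# ones the policy conversation is about; approved-but-missing is informational.
$Unapproved = $ActualMembers        | Where-Object { $_ -notin $ApprovedDomainAdmins }
$Missing    = $ApprovedDomainAdmins | Where-Object { $_ -notin $ActualMembers }

if ($Unapproved) {
    Write-Warning "Domain Admins members with no documented need:"
    $Unapproved | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "Domain Admins membership matches the approved list."
}

if ($Missing) {
    Write-Output "Approved accounts not currently in Domain Admins: $($Missing -join ', ')"
}
```

Run it on a schedule and keep the output with the approval record; a dated report showing who holds Domain Admin and on what basis turns the argument from opinion into a policy check, which is the footing Alan recommends.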

