[unisog] Those with Active Directory...Domain Admin question for you

Stasiniewicz, Adam stasinia at msoe.edu
Thu Dec 8 23:46:26 GMT 2005

A word from experience: never, under any circumstance or under any level
of duress, give out domain administrative privileges to people who do not
know what they are doing.  In a previous job I saw far too many broken
servers and problems caused by people with too much access.

Case in point: a senior person who had domain admin privileges needed to
back up someone's PC.  So they ran ntbackup set to back up the full HD
(about 10GB).  (This is odd in the first place, since there is no reason
to back up the whole HD; you just need the user's files...)  Anyway, the guy
needed to put the ntbackup file on a server, well he apparently did not
know which box was the file server, so he just randomly browsed servers
looking for file shares.  He found one of our DCs on the local subnet,
saw a share called SYSVOL, and uploaded.  Did I mention that we have
about 1/2 dozen DCs linked together by 100+KB/s WAN link?  See a
problem?  Well FRS started up and began pegging the entire WAN with
replication traffic.  And then the phones started ringing off the hook
from people yelling at us about the network being slow...

I have a lot more similar stories from that job about some of the things I
had to deal with...  But I was basically stuck because this guy was my
superior and if I took away his access he would take away my job.

In comparison, at MSOE our IT director does one thing (and does it very
well), he directs.  His access is equal to that of a standard staff
member (the lowest level helpdesk worker has more access than he does);
thereby leaving the administration to the people who know how to
administer the systems best.  IMHO the modern IT group is getting more
and more political pressure from the outside and you need to have a
dedicated person that will deal with all these outside pressures.  

Our domain admins are the people that daily do lots of things in AD.  We
have also set up a way for "on-call" staffers to be able to get Domain
Admin access should a crisis arise after hours and none of the Windows
guys are available.

Past that, helpdesk staff and senior helpdesk staff are given very
limited access to AD.  And the remaining staff, which consists of
hardware techs, Unix admins, Novell admins, telephone techs, network
admins, the assistant director, and the director, have nothing over
standard staff access.

One way to approach the problem is to require all domain admins to be
MCP/MCSA/MCSE or some other industry certification.

The auditor route is a tricky path.  Here is another story from my
previous job that will highlight this point:

A different senior guy was working with a consultant company on some
network changes.  So he thought he might get the opinion of them as to
where he should fall in the structure so as to cement him in his job.
Without first asking the consultant, while in a meeting with the
consultant and his boss, he asked where he should fall.  The answer the
consultant gave him was "level 1: helpdesk".  I personally fully
disagree with that assessment, but hey, I was fairly low on the totem
pole, so I did not have any say in the matter.

So I would definitely save that option as a last resort.  Even if he
agrees with you, there will still be the political fallout.  Nobody
likes being sidestepped or made a fool of in public,
especially in front of an outside organization or auditor.

But you can always talk to him.  Have a meeting with this guy and your
domain admins and express your concern.  AD is very flexible when it
comes to permissions; maybe all he needs is "Account Operator" or
"Server Operator" rights.  If that does not fit, you can always delegate
permissions for finer control.

Hope that helps,
Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 
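The last paragraph of the reply above suggests swapping a blanket Domain Admin grant for built-in operator rights or, failing that, a delegated set of permissions. The script below is an added example, not code from the post or from MSOE; it assumes the RSAT ActiveDirectory module and dsacls.exe are available on the machine it runs on, and the domain name EXAMPLE, the OU paths, the group name "Desktop Support Delegates" and the account "jdoe" are all placeholders. It moves the account out of Domain Admins into a purpose-built group and grants that group only password-reset and unlock rights on one OU.

```powershell
# Added example (not from the list post): replace a Domain Admin grant with a
# scoped delegation. Domain, OU paths, group and account names are assumptions.
Import-Module ActiveDirectory

$Account  = 'jdoe'                                  # assumed: the account that was given Domain Admin
$Group    = 'Desktop Support Delegates'             # assumed: the custom group that will carry the rights
$GroupOU  = 'OU=Groups,DC=example,DC=com'           # assumed: where delegation groups live
$TargetOU = 'OU=Workstations,DC=example,DC=com'     # assumed: the only scope the person needs to touch

# 1. A dedicated group keeps the delegation reviewable: the person is a member of
#    a group whose rights are written down, not of Domain Admins.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $Group -Members $Account
Remove-ADGroupMember -Identity 'Domain Admins' -Members $Account -Confirm:$false

# 2. Grant only what the job needs, only on the OU where it is needed.
#    /I:S applies each ACE to child objects of the OU (the user objects), not to the OU itself.
#    Note the ${Group} braces: "$Group:CA" would be parsed by PowerShell as a scoped variable.
$Grants = @(
    "EXAMPLE\${Group}:CA;Reset Password;user",   # control-access right: reset a user's password
    "EXAMPLE\${Group}:RPWP;pwdLastSet;user",     # read/write pwdLastSet so "change at next logon" works
    "EXAMPLE\${Group}:RPWP;lockoutTime;user"     # read/write lockoutTime so locked accounts can be unlocked
)
foreach ($ace in $Grants) {
    & dsacls.exe $TargetOU /I:S /G $ace | Out-Null
}

# 3. Read the resulting ACL back so the delegation can be compared with the change request.
& dsacls.exe $TargetOU | Select-String -Pattern $Group
```

The three ACEs are the entire delegation, so a later review can read them back from the OU with a single dsacls call and confirm nothing else was added. If the built-in Account Operators group is considered instead, bear in mind that it can create and modify most user and group objects domain-wide, which is usually far more than a desktop-support role needs; the scoped delegation above is the finer control the reply refers to.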

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Alex Tirdil
Sent: Thursday, December 08, 2005 7:40 AM
To: unisog at lists.sans.org
Subject: [unisog] Those with Active Directory...Domain Admin question
for you

Hey everyone,

This has recently become a hot topic on my campus and I would
appreciate any feedback anyone has.

There are a few people on my campus that have Domain Administrator
privileges for Active Directory.  These people are supposed to have it,
they have been trained on how to be a responsible Domain Administrator,
and they have a valid reason for being one (upper level desktop support
and server team members).

However, recently an issue has cropped up which has caused some debate
internally.  An upper level management figure (can't really go into more
detail than that) has requested and recently acquired Domain
Administrator privileges.  This person has not been trained on how to be
a responsible Domain Administrator and they have no need to be one.  The
person wanted the privileges because it was the "latest and greatest"
thing to have.

The issue is that the current trained Domain Admins know this shouldn't
happen, but they are at a loss on how to approach the issue.  How can
you approach upper management and basically tell them they should not
have the privileges they do?

Anyone have any ideas?  One that has popped up in my head is the fact
that we are currently being audited and maybe sending the auditor an
email to "verify who the domain administrators are" which might solve
the issue...but this is all very sneaky.  We would like to see the
situation defused as calmly as possible.

Any feedback would be appreciated, thank you in advance.
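The original post asks how to "verify who the domain administrators are". Whatever is done with the result politically, the verification itself is a routine control: enumerate effective membership of the privileged group, nested groups included, and compare it with the roster of trained, sanctioned admins. The script below is an added example, not code from the post or from the poster's campus; it assumes the RSAT ActiveDirectory module, and the approved roster and the CSV output path are placeholders.

```powershell
# Added example (not from the list post): report effective membership of a
# privileged AD group against an approved roster. Roster and paths are assumptions.
Import-Module ActiveDirectory

$Approved = @('alice', 'bob', 'svc-backup')     # assumed: the trained, sanctioned Domain Admins

function Get-PrivilegedGroupReport {
    param(
        [string]$GroupName = 'Domain Admins',
        [string[]]$ApprovedSamAccountNames = @()
    )

    # -Recursive expands nested groups, so someone added via a sub-group still shows up.
    $users = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, whenCreated }

    foreach ($u in $users) {
        [pscustomobject]@{
            Group          = $GroupName
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Approved       = $ApprovedSamAccountNames -contains $u.SamAccountName
        }
    }
}

function Get-NestedGroups {
    # Direct members that are themselves groups: each one is another path to the same rights.
    param([string]$GroupName = 'Domain Admins')
    $g = Get-ADGroup -Identity $GroupName -Properties Members
    $g.Members | ForEach-Object { Get-ADObject -Identity $_ } |
        Where-Object { $_.ObjectClass -eq 'group' } |
        Select-Object -ExpandProperty Name
}

# The same check applies to the other groups that amount to domain control.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$report = foreach ($grp in $PrivilegedGroups) {
    Get-PrivilegedGroupReport -GroupName $grp -ApprovedSamAccountNames $Approved
}

$report | Sort-Object Group, Approved, SamAccountName | Format-Table -AutoSize

foreach ($grp in $PrivilegedGroups) {
    $da = Get-ADGroup -Identity $grp -Properties whenChanged
    "$grp last modified: $($da.whenChanged)"
    $nested = Get-NestedGroups -GroupName $grp
    if ($nested) { "  nested groups: $($nested -join ', ')" }
}

# Unapproved members are the finding; the CSV is what goes into the audit evidence.
$report | Where-Object { -not $_.Approved } |
    Export-Csv -Path '.\privileged-unapproved.csv' -NoTypeInformation   # assumed output path
```

Running this on a schedule and diffing the CSV against the previous run turns the one-off question in the post into a standing control: a new name in Domain Admins shows up the next day, with the group's whenChanged timestamp to narrow down when it happened.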
