[unisog] Those with Active Directory...Domain Admin question for you

Aaron Wade agw8 at cornell.edu
Fri Dec 9 14:09:03 GMT 2005


Alex,
One possible avenue to try is having a talk with HR.  If administering the 
network, domain, and all of its components is not within the job 
description, then this person should not have that level of access, not only 
because they don't need it, but because it is a liability to the university 
and its infrastructure.

-Aaron

On Thursday 08 December 2005 8:39 am, Alex Tirdil wrote:
> Hey everyone,
>
> This has recently become a hot topic on my campus and I would
> appreciate any feedback anyone has.
>
> There are a few people on my campus that have Domain Administrator
> privileges for Active Directory.  These people are supposed to have it,
> they have been trained on how to be a responsible Domain Administrator,
> and they have a valid reason for being one (upper level desktop support
> and server team members).
>
> However, recently an issue has cropped up which has caused some debate
> internally.  An upper level management figure (can't really go into more
> detail than that) has requested and recently acquired Domain
> Administrator privileges.  This person has not been trained on how to be
> a responsible Domain Administrator and they have no need to be one.  The
> person wanted the privileges because it was the "latest and greatest"
> thing to have.
>
> The issue is that the current trained Domain Admins know this shouldn't
> happen, but they are at a loss on how to approach the issue.  How can
> you approach upper management and basically tell them they should not
> have the privileges they do?
>
> Anyone have any ideas?  One that has popped up in my head is the fact
> that we are currently being audited and maybe sending the auditor an
> email to "verify who the domain administrators are" which might solve
> the issue...but this is all very sneaky.  We would like to see the
> situation defused as calmly as possible.
>
> Any feedback would be appreciated, thank you in advance.
>
> -alex
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
