[unisog] Those with Active Directory...Domain Admin question for you
michael.holstein at csuohio.edu
Fri Dec 9 14:14:41 GMT 2005
> The issue is that the current trained Domain Admins know this shouldnt
> happen, but they are at a loss on how to approach the issue. How can
> you approach upper management and basically tell them they should not
> have the privledges they do?
Actually, it's not a dumb idea that at least one member of management
have *access* to those rights, for disaster recovery reasons .. but to
have them "just because it's cool" is silly.
> Anyone have any ideas? One that has popped up in my head is the fact
> that we are currently being audited and maybe sending the auditor an
> email to "verify who the domain administrators are" which might solve
> the issue...but this is all very sneaky. We would like to see the
> situation defused as calmly as possible.
Having been party to a number of these audits, this is exactly what
happens. They print off a list of admins and make you explain who they
are and why they're an admin. You almost *always* get nicked because you
have too many admins -- I'd go with this logic when you make your case.
> Any feedback would be appreciated, thank you in advance.
Good luck :)
Michael Holstein CISSP GCIA
Cleveland State University
More information about the unisog