[unisog] Those with Active Directory...Domain Admin question for you

Michael Holstein michael.holstein at csuohio.edu
Fri Dec 9 14:14:41 GMT 2005


> The issue is that the current trained Domain Admins know this shouldn't
> happen, but they are at a loss on how to approach the issue.  How can
> you approach upper management and basically tell them they should not
> have the privileges they do?

Actually, it's not a dumb idea that at least one member of management 
have *access* to those rights, for disaster recovery reasons .. but to 
have them "just because it's cool" is silly.

> Anyone have any ideas?  One that has popped up in my head is the fact
> that we are currently being audited and maybe sending the auditor an
> email to "verify who the domain administrators are" which might solve
> the issue...but this is all very sneaky.  We would like to see the
> situation defused as calmly as possible.

Having been party to a number of these audits, this is exactly what 
happens. They print off a list of admins and make you explain who they 
are and why they're an admin. You almost *always* get nicked because you 
have too many admins -- I'd go with this logic when you make your case.

> Any feedback would be appreciated, thank you in advance.

Good luck :)

Michael Holstein CISSP GCIA
Cleveland State University

