RE: RE: Restrict the Domain Admin
Friday, September 30th, 2005

Hi

I think people are missing the point. You can allow / create an admin who can not edit logs, for example. The issue is not technical - but procedural. The comments along the lines of “Sounds good, but in practice, and in urgent situations, you have to contact all the persons holding the password… ” are not correct. You do not need an admin to do everything - even reinstalling the forest does not require all rights.

You can allow the DELETE user profile - but set up a log of this action, as an example. Domain admin and a user with nearly all the rights but with segregated security rights is feasible and occurs in many organisations now.
Craig
-----Original Message-----
From: sf_mail_sbm@yahoo.com [mailto:sf_mail_sbm@yahoo.com]
Sent: Thu 29/09/2005 9:18 PM
To: security-basics@securityfocus.com
Cc:
Subject: Re: RE: Restrict the Domain Admin
>.. you can split the authentication between several people (have them each type a char and put their section in a safe…
Sounds good, but in practice, and in urgent situations, you have to contact all the persons holding the password… we have put something similar in place, and we face resistance from the operations and business guys who want a minimum downtime
>Any right can be assigned under Microsoft
Tried to implement this also, and found that if I do not give a user the right to DELETE a user profile, he will NOT be able to MOVE a user from one OU to another OU… has anyone encountered this, or better, is there a solution for this?
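Craig's suggestion (grant the delete right but log its use) and the quoted question (a move needs Delete on the source) can be combined into one delegation. The following is an added example, not code from either poster: it scopes Delete Child and Create Child to user objects in two specific OUs and adds a SACL entry so every use is audited. The group name, OU paths and domain are placeholders.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module, a delegated group
# 'Helpdesk-UserMovers' and two OUs under example.com; all names are placeholders.
Import-Module ActiveDirectory

$Group     = Get-ADGroup 'Helpdesk-UserMovers'
$Identity  = [System.Security.Principal.SecurityIdentifier] $Group.SID
$SourceOu  = 'AD:\OU=Staging,DC=example,DC=com'
$TargetOu  = 'AD:\OU=Finance,DC=example,DC=com'
# schemaIDGUID of the 'user' object class: limits the ACEs to user objects only
$UserClass = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
# None = the OU itself only; direct children are affected, nested OUs are not
$Scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

function Add-UserObjectAce {
    param([string]$Path, [System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Identity, $Rights, $Allow, $UserClass, $Scope)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# A move needs at least Delete Child (user) on the source OU and Create Child
# (user) on the destination OU. Delete Child is the right the original poster
# could not avoid, so it is granted narrowly (one OU, user class) and audited.
Add-UserObjectAce -Path $SourceOu -Rights ([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)
Add-UserObjectAce -Path $TargetOu -Rights ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)

# SACL entry: audit successful and failed Delete Child of user objects in the
# source OU by this group. Requires the Directory Service Changes / Directory
# Service Access audit subcategory; deletions (5141) and moves (5139) then
# appear in the Security log on the domain controller that processed them.
$sacl  = Get-Acl -Path $SourceOu -Audit
$flags = [System.Security.AccessControl.AuditFlags]::Success -bor
         [System.Security.AccessControl.AuditFlags]::Failure
$audit = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $Identity, [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    $flags, $UserClass, $Scope)
$sacl.AddAuditRule($audit)
Set-Acl -Path $SourceOu -AclObject $sacl

# Verify what the delegated group ended up with on the source OU.
$check = Get-Acl -Path $SourceOu -Audit
$check.Access | Where-Object { $_.IdentityReference.Value -like "*\$($Group.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
$check.Audit  | Where-Object { $_.IdentityReference.Value -like "*\$($Group.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, AuditFlags
```

Run it from an account that can modify both DACL and SACL on the OUs; the SACL write needs the Manage auditing and security log privilege on the domain controller.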