Security rights in the IT Department

Dear Experts,

I am curious if anyone has dealt with this problem.  I have a small IT department of 3 people including myself.  I do most of the backend "nitty gritty", but the other two individuals, who hold helpdesk (hardware) and software support specialist positions, need to get to things or do things for me when I am not accessible.  I have given them both domain admin rights to the network.  I am trying to decide if this is prudent or if I am just being lazy.  It is not that I do not trust them; moreover, it could be a breach of policy to allow them access to so many things on the network, as well as a risk.

I am curious how other Administrators are dealing with the security rights of those working "with" them.  I am using a w2k ADS environment.  Any advice you could give would be appreciated.

Rich Rumble (Security Samurai) commented:
Things like runas can help; however, this means that they get to know a password with admin rights to use runas. But if you audit your workstations and servers daily, it'd be easy to spot abuse of the account(s). You would of course need to copy the logs to a central location and not give them rights to that share or folder where the logs are stored. A tool like Snare is great for parsing through the logs and alerting you to possible misconduct.

I also have a few examples of using RunAs in an automated script; the script is encoded (not encrypted) to help hide the password with admin privileges.

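The daily audit described above, as an added example that is not part of the original thread: it pulls interactive and RunAs logons by named privileged accounts out of the Security log and appends them to a file on a central share the helpdesk cannot write to. It assumes a current Windows host that records logons as event 4624; the Windows 2000 hosts in the question logged the same logons as event 528 and would export them with Snare or a similar collector, but the filtering logic is the same. Account names, host names and the share path are placeholders.

```powershell
# Added example, not from the original thread. Hunts the Security log for
# interactive or RunAs logons by named privileged accounts and appends hits to
# a log file on a central share, so that staff who know the RunAs password
# leave a trail they cannot edit. Assumes a current Windows host writing
# event 4624; Windows 2000 recorded the same logons as event 528.
# All account names, host names and paths are placeholders.

$PrivilegedAccounts = @('CORP\svc-itadmin', 'CORP\Administrator')
$LogonEventId       = 4624                                    # 528 on Windows 2000
$CentralLog         = '\\logsrv01\seclogs$\priv-logons.log'   # share not writable by helpdesk

function Test-PrivilegedLogon {
    param([string]$Account, [int]$LogonType)
    # Logon types a person at a keyboard produces: 2 = Interactive (what RunAs uses),
    # 9 = NewCredentials (runas /netonly), 10 = RemoteInteractive (RDP).
    # Type 3 (network) and 5 (service) are left out to avoid noise from shares and services.
    return ($PrivilegedAccounts -contains $Account) -and ($LogonType -in 2, 9, 10)
}

function ConvertFrom-LogonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Event 4624 carries its fields as <Data Name="..."> elements in the event XML.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Computer    = $xml.Event.System.Computer
        Account     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        LogonType   = [int]$data.LogonType
        Workstation = $data.WorkstationName
        SourceIp    = $data.IpAddress
    }
}

function Get-PrivilegedLogons {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $LogonEventId; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEvent $_ } |
        Where-Object { Test-PrivilegedLogon -Account $_.Account -LogonType $_.LogonType }
}

# Daily run (schedule it on every server and workstation): append hits to the central log.
Get-PrivilegedLogons | ForEach-Object {
    '{0:s} {1} account={2} type={3} from={4} ip={5}' -f $_.Time, $_.Computer, $_.Account, $_.LogonType, $_.Workstation, $_.SourceIp
} | Add-Content -Path $CentralLog
```

Run it under a scheduled task that uses a collector account: that account, and nobody in the helpdesk, gets write access to the share, so a RunAs session cannot quietly delete its own trace. The per-host Security log can still be cleared locally by an administrator, which is exactly why the copy has to leave the machine every day.
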
If they're trusted, then that's the main thing, but it's still best practice to base access on the "least privilege" required.

What I'd suggest would be to break up access into certain groups... Have, for example, "File Admin" and "Email Admin", etc., then wrap those into an "IT Support" group and assign whomever you want to it.  Yes, this is a little more management on your part to set up, but once it's done you'll be able to tweak things as you may need.  For example, if someone new comes on board and only needs some admin access, you'll probably have to do something along these lines anyway...

You wouldn't have to have a huge number of groups; keep it simple for a small IT dept., but I think this would be the way to go... Technically, being lazy and assigning Domain Admin rights is OK if they're absolutely trusted AND know what they're doing, and while I'm all for being lazy, it's better to take a proactive approach...

Hope this helps!
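
The group model suggested in the answer above, as an added example that is not part of the original thread: role groups for the individual tasks, one umbrella "IT Support" group nested into them, and the password-reset right delegated on a staff OU with dsacls instead of Domain Admin membership. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT); on the Windows 2000 domain in the question the same ACEs are set with dsacls from the Support Tools or with the Delegation of Control wizard. Domain, OU, group and user names are placeholders.

```powershell
# Added example, not from the original thread. Builds per-task role groups,
# nests them under one IT Support group, and delegates password reset on a
# staff OU to the helpdesk role with dsacls rather than handing out Domain Admin.
# Assumes the ActiveDirectory module; on Windows 2000 use dsacls from the
# Support Tools. Domain, OU, group and user names are placeholders.

Import-Module ActiveDirectory

$Domain  = 'CORP'
$StaffOU = 'OU=Staff,DC=corp,DC=example'
$GroupOU = 'OU=Role Groups,DC=corp,DC=example'

# Role groups: one per task, not per person (domain local, so they can sit on ACLs).
$Roles = @{
    'Role-FileAdmin'        = 'Manages shares and NTFS permissions on file servers'
    'Role-EmailAdmin'       = 'Manages mailboxes on the mail server'
    'Role-HelpdeskPwReset'  = 'Resets passwords and unlocks accounts in OU=Staff'
    'Role-WorkstationAdmin' = 'Local Administrators on workstations (via Restricted Groups GPO)'
}
foreach ($name in $Roles.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description $Roles[$name]
    }
}

# One umbrella group for the department; its membership is what changes when staff come and go.
if (-not (Get-ADGroup -Filter "Name -eq 'IT Support'" -SearchBase $GroupOU)) {
    New-ADGroup -Name 'IT Support' -GroupScope Global -GroupCategory Security -Path $GroupOU
}
foreach ($name in $Roles.Keys) { Add-ADGroupMember -Identity $name -Members 'IT Support' }

# Delegate on the Staff OU only, inherited to the user objects beneath it (/I:S):
#   CA;Reset Password  = control-access right to reset a password without knowing the old one
#   RPWP;pwdLastSet    = read/write the attribute so "must change at next logon" can be set
#   RPWP;lockoutTime   = read/write the attribute so locked-out accounts can be unlocked
# Nothing here touches group membership, GPOs, or objects outside OU=Staff.
$Grantee = "$Domain\Role-HelpdeskPwReset"
dsacls $StaffOU /I:S /G "${Grantee}:CA;Reset Password;user"
dsacls $StaffOU /I:S /G "${Grantee}:RPWP;pwdLastSet;user"
dsacls $StaffOU /I:S /G "${Grantee}:RPWP;lockoutTime;user"

# Put the two helpdesk accounts in the umbrella group and show the resulting ACEs.
Add-ADGroupMember -Identity 'IT Support' -Members 'jdoe', 'asmith'
dsacls $StaffOU | Select-String 'Role-HelpdeskPwReset'
```

The point of the nesting is that a new hire gets "IT Support" and nothing else, and a narrower role (say, only Role-HelpdeskPwReset) is a single membership change. Keep the admin accounts themselves out of OU=Staff, or the helpdesk will be able to reset the password of the account that can reset theirs.
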
I can relate. I also work in a small IT department... we have 3 people that can do IT stuff, but I'm the main admin. I'm the only one who really knows anything about Server 2003 and what Active Directory is, group policies, etc. Upper management basically mandated that all 3 of us have equal and full control over everything, since the other 2 are "supposed" to run things if I'm not around.

So they both have domain admin rights as well... I'm not happy about that, but I've expressed my concern and was told it had to be this

It's not really a trust issue for me; it's just that as a system admin, and really THE system admin, I have to cringe when I think about giving someone domain admin rights who doesn't know a thing about administering Active Directory. I have asked the other two to please not alter *anything* on the server :) and I think they do understand that they could seriously screw things up. I haven't had any problems with them so far, but then again... nothing has needed to be changed while I wasn't around.

If it was my choice to make, I would not give anyone domain admin rights unless they were going to be fully responsible for the domain and had experience with active directory and the structure you have in place.

I would first create groups, then create group policies, and move users to the appropriate groups.
That may be a little work, but it is good to have set groups and group policies for the future. If someone new comes to work, no problem, you just assign the user to the groups with the privileges that are right for that user. Second, if you are out for any reason and you need someone to do work while you are not in place, again just move the user you trust into the admin group and out of the group when you are back. Also you can delegate a user to do some administrative work, but still not give complete and unlimited rights.  Having groups and group policies set up on the server and workstations is, in my opinion, a must have.
Hope this will help in making your decision what to do.
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer (IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator) commented:
I have created an IT group and, as my helpdesk and IT support do the majority of their work on workstations, I have made that group a local admin on all of them.  For the password changes, etc., that need to be done in Active Directory, you can just give them those rights.
Giving any user account domain admin rights is bad news in my opinion. Trust aside (you have to trust your own team), it allows mistakes or clumsy decisions to have immediate global effect.  There are a few of us in the IS team here, but our logon accounts are fairly standard accounts that we'd give to other technical type people.  Any server work that needs doing is done under the admin login accounts.  If you want traceability you can create more than one domain admin account, but I think it should be a separate and intentional logon to do any server work.

I learned this the hard way years ago when I was just starting in IT. I was given admin access from day 1 and was setting up a Windows 95 PC.  It took a very long time to install and then took ages to boot once it was set up; it took me a day to work out that somehow it had installed all of the program files onto a Netware login drive!  :)


In my current place of employment, our IT user rights are assigned "role based": no person is given any more access than their employment role would call for (only things in their job scope).
This is different from choosing what a particular individual might have to do on a day-to-day basis.
This way we can create a group profile for each job title, and users are added to the group.
This assures uniformity and that no one person can see any transaction all the way through.
Any account that is a Domain Admin should have an extremely strong password: 20 characters, alphanumeric, mixed case, and special characters. That alone should deter people from daily use (oh, and change it once a month). Windows Group Policy allows for delegation of admin rights at OU levels. Use this to your advantage as per the suggestions above.

Even you should not regularly log in as a domain user. You should have a delegated account as well.

Good luck, and make sure that you have a VERY regular and current backup of your AD... sooner or later you WILL need it if you have too many fingers in the pie.
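
The checks the answer above asks for, as an added example that is not part of the original thread: a report of every account that is a Domain Admin directly or through nesting, flagging passwords older than the monthly rotation, accounts set to never expire, and accounts that log on every day (a sign that someone uses their Domain Admin account for ordinary work), followed by a rotation to a fresh 20-character password and a system state backup. It assumes the ActiveDirectory module and Windows Server Backup (wbadmin); the Windows 2000 domain in the question would use ntbackup for the system state, shown in a comment. The 30-day threshold, the account name and the backup target are assumptions.

```powershell
# Added example, not from the original thread. Reports the effective Domain Admins,
# flags stale or everyday-use accounts, generates a 20-character password for a
# rotation, and takes a system state backup. Assumes the ActiveDirectory module and
# wbadmin (Windows Server 2008+); Windows 2000 would use ntbackup (see comment).
# Threshold, account name and backup target are placeholders.

Import-Module ActiveDirectory

$MaxPasswordAgeDays = 30
$BackupTarget       = 'E:'      # must be a volume that does not hold the AD database itself

function Get-DomainAdminReport {
    param([int]$MaxAgeDays = $MaxPasswordAgeDays)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # -Recursive expands nested groups, so an admin hidden two groups deep still shows up.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires |
        ForEach-Object {
            [pscustomobject]@{
                Account              = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordLastSet      = $_.PasswordLastSet
                PasswordStale        = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
                PasswordNeverExpires = $_.PasswordNeverExpires
                LastLogonDate        = $_.LastLogonDate
                # A Domain Admin account that logged on within the last two days is most likely
                # someone's everyday account, which is what the separate delegated account avoids.
                UsedDaily            = ($null -ne $_.LastLogonDate) -and ($_.LastLogonDate -gt (Get-Date).AddDays(-2))
            }
        }
}

function New-StrongPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (0/O, 1/l/I) left out; the alphabet still has four character classes.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+[]{}'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $limit    = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $pw = -join $chars
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

$report = Get-DomainAdminReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.PasswordStale -or $_.PasswordNeverExpires -or $_.UsedDaily } | ForEach-Object {
    Write-Warning "Review $($_.Account): stale=$($_.PasswordStale) neverExpires=$($_.PasswordNeverExpires) usedDaily=$($_.UsedDaily)"
}

# Monthly rotation of the shared admin account (placeholder name); record the new
# password in the sealed-envelope or password-safe procedure, not in this script.
$newPassword = New-StrongPassword -Length 20
Set-ADAccountPassword -Identity 'svc-itadmin' -Reset `
    -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)

# System state backup (includes the AD database, SYSVOL and registry) on a DC.
wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
# Windows 2000 / 2003 equivalent:
#   ntbackup backup systemstate /j "AD system state" /f "E:\Backups\systemstate.bkf"
```

Run the report before and after any change to group membership, and keep its output with the central logs: the list of who is effectively a Domain Admin is the one thing you most want to be able to prove after the fact.
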
