Security rights in the IT Department

Posted on 2005-04-13
Last Modified: 2010-04-11
Dear Experts,

I am curious if anyone has dealt with this problem.  I have a small IT department of 3 people including myself.  I do most of the backend "nitty gritty", but the other two individuals, who are in helpdesk (hardware) and software support specialist positions, need to get to things or do things for me when I am not accessible.  I have given them both domain admin rights to the network.  I am trying to decide if this is prudent or if I am just being lazy.  It is not that I do not trust them; moreover, it could be a breach in policy to allow them access to so many things on the network, as well as a risk.

I am curious how other Administrators are dealing with the security rights of those working "with" them.  I am using a w2k ADS environment.  Any advice you could give would be appreciated.

Question by:ReggieM
    LVL 38

    Accepted Solution

    Things like runas can help; however, this means that they get to know a password with admin rights to use runas, but if you audit your workstations and servers daily, it'd be easy to spot abuse of the account(s). You would of course need to copy the logs to a central location and not give them rights to that share or folder where the logs are stored. A tool like Snare is great for parsing through the logs and alerting you to possible misconduct.

    I also have a few examples of using RunAs in an automated script; the script is encoded (not encrypted) to help hide the password with admin privileges.
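    The audit half of the accepted solution, as an added example rather than the poster's own script: a PowerShell collector that pulls the logon events for a shared admin account from several hosts into a central share the helpdesk cannot read, and flags the uses that do not fit. Everything named here is an assumption for illustration: the account svc-admin, the hosts fs01, mail01 and ws-helpdesk1, the share \\logsrv\auditlogs$, and the mail addresses. It reads the Vista-and-later Security log (event 4624 = logon, 4672 = special privileges assigned); the Windows 2000 servers in the question log 528/540 instead with a different field layout, so the ID list and the property indexes would need adjusting there. The hosts must have the "Audit logon events" policy enabled for success, and the collector must run as an account allowed to read their Security logs remotely.

```powershell
# Added example (not from the original post): central audit of a shared admin account.
$AdminAccount = 'svc-admin'                       # assumed shared runas account
$Hosts        = 'fs01', 'mail01', 'ws-helpdesk1'  # assumed server and workstation names
$CentralShare = '\\logsrv\auditlogs$'             # assumed share; helpdesk has no rights here
$Since        = (Get-Date).AddDays(-1)

$events = foreach ($h in $Hosts) {
    try {
        Get-WinEvent -ComputerName $h -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4624, 4672; StartTime = $Since
        } | ForEach-Object {
            # 4624: Properties[5] = TargetUserName, Properties[8] = LogonType
            # 4672: Properties[1] = SubjectUserName
            $user = if ($_.Id -eq 4624) { $_.Properties[5].Value } else { $_.Properties[1].Value }
            if ($user -ieq $AdminAccount) {
                [pscustomobject]@{
                    Host      = $h
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    # 2 = interactive (console or runas), 3 = network, 10 = RDP
                    LogonType = if ($_.Id -eq 4624) { [int]$_.Properties[8].Value } else { $null }
                }
            }
        }
    } catch {
        Write-Warning "Could not read the Security log on ${h}: $_"
    }
}

# Keep a dated copy on the central share, out of the helpdesk's reach.
$stamp = Get-Date -Format 'yyyyMMdd'
$events | Export-Csv -NoTypeInformation -Path (Join-Path $CentralShare "admin-use-$stamp.csv")

# Simple misuse rules: the admin account used outside 07:00-19:00, or admin
# privileges assigned on a helpdesk workstation (ws-*), where it has no business.
$flagged = $events | Where-Object {
    $_.Time.Hour -lt 7 -or $_.Time.Hour -ge 19 -or
    ($_.EventId -eq 4672 -and $_.Host -like 'ws-*')
}
if ($flagged) {
    $flagged | Export-Csv -NoTypeInformation -Path (Join-Path $CentralShare "admin-flagged-$stamp.csv")
    Send-MailMessage -SmtpServer 'mail01' -From 'audit@corp.example' -To 'itmgr@corp.example' `
        -Subject "Admin account use flagged on $(@($flagged).Count) event(s)" `
        -Body ($flagged | Format-Table -AutoSize | Out-String)
}
```

    Run it from a scheduled task once a day. The point of the logon type column is that runas from a technician's desk shows up as an interactive (type 2) logon on that workstation, so a type 2 logon for the shared account on a server console, or any use of it at 3 a.m., stands out without a full SIEM.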
    LVL 9

    Assisted Solution

    If they're trusted, then that's the main thing, but it's still best practice to base access on the "least privilege" required.

    What I'd suggest would be to break up access into certain groups... Have, for example, "File Admin" and "Email Admin", etc etc, then wrap those into an "IT Support" group and assign whomever you want to it.  Yes, this is a little more management on your part to set up, but once it's done you'll be able to tweak things as you may need.  For example, if someone new comes on board and only needs some admin access, you'll probably have to do something along these lines anyway...

    You wouldn't have to have a huge number of groups... keep it simple for a small IT dept., but I think this would be the way to go... Technically, being lazy and assigning Domain Admin rights is ok if they're absolutely trusted AND know what they're doing, and while I'm all for being lazy, it's better to take a proactive approach...

    Hope this helps!
    LVL 18

    Expert Comment

    I can relate. I also work in a small IT department... we have 3 people that can do IT stuff, but I'm the main admin. I'm the only one who really knows anything about Server 2003 and what Active Directory is, group policies, etc. Upper management basically mandated that all 3 of us have equal and full control over everything since the other 2 are "supposed" to run things if I'm not around.

    So they both have domain admin rights as well... I'm not happy about that, but I've expressed my concern and was told it had to be this way.

    It's not really a trust issue for me; it's just that as a system admin, and really THE system admin, I have to cringe when I think about giving someone domain admin rights who doesn't know a thing about administering Active Directory. I have asked the other two to please not alter *anything* on the server :) and I think they do understand that they could seriously screw things up. I haven't had any problems with them so far, but then again... nothing has needed to be changed while I wasn't around.

    If it was my choice to make, I would not give anyone domain admin rights unless they were going to be fully responsible for the domain and had experience with active directory and the structure you have in place.
    LVL 1

    Expert Comment

    I would first create groups. Then create group policy. Move users to the appropriate groups.
    That may be a little work, but it is good to have set groups and group policy for the future. If someone new comes to work, no problem, you just assign the user to groups with privileges that are right for that user. Second, if you are out for any reason and you need someone to do work while you are not in place, again just move the user you trust to the admin group and out of the group when you are back. Also you can delegate a user to do some administrative work, but still not give complete and unlimited rights.  Having groups and group policy set up on server and workstation is, in my opinion, a must have.
    Hope this will help in making your decision what to do.
    LVL 16

    Expert Comment

    I have created an IT group and, as my helpdesk and IT support do the majority of their work on workstations, I have made that group a local admin on all of them.  For the password changes, etc., that need to be done in Active Directory, you can just give them those rights.
    LVL 5

    Expert Comment

    Giving any user account domain admin rights is bad news in my opinion; trust aside (you have to trust your own team), it allows mistakes or clumsy decisions to have immediate global effect.  There are a few of us in the IS team here, but our logon accounts are fairly standard accounts that we'd give to other technical type people.  Any server work that needs doing is done under the admin login accounts.  If you want traceability you can create more than one domain admin account, but I think it should be a separate and intentional logon to do any server work.

    I learned this the hard way years ago when I was just starting in IT. I was given admin access from day 1 and was setting up a Windows 95 PC.  It took a very long time to install and then took ages to boot once it was set up; it took me a day to work out that somehow it had installed all of the program files onto a Netware login drive!  :)

    LVL 8

    Expert Comment

    In my current place of employment, our IT user rights are assigned "role based". No person is given any more access than their employment role would call for (only things in their job scope).
    This is different from choosing what a particular individual might have to do on a day to day basis.
    This way we can create a group profile for each job title, and users are added to the group.
    This assures uniformity and that no one person can see any transaction all the way through.
    LVL 3

    Expert Comment

    Any account that is a Domain Admin should have an extremely strong password: 20 characters, alphanumeric, mixed case, and special characters. That alone should deter people from daily use (oh, and change it once a month). Windows group policy allows for delegation of admin rights at OU level. Use this to your advantage as per the suggestions above.

    Even you should not regularly log in as a domain user. You should have a delegated account as well.

    Good luck, and make sure that you have a VERY regular and current backup of your AD... sooner or later you WILL need it if you have too many fingers in the pie.
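    The group design, the separate admin logons and the OU-level delegation that the answers above describe, put together as one added PowerShell example (not code from any of the posters). It uses the ActiveDirectory module (RSAT) and dsacls; the Windows 2000 domain in the question predates both, where the same model is built by hand in Active Directory Users and Computers and its Delegation of Control wizard. All names are assumptions for illustration: the domain corp.example (NetBIOS CORP), the OUs "Admin Groups", "Admin Accounts", "Staff" and "Workstations", and two technicians jsmith and mjones. The nesting direction matters: the role group "IT Support" is made a member of each task group, so the people placed in the role inherit the task rights and nobody needs Domain Admins.

```powershell
# Added example (not from the thread): tiered admin groups, separate admin logons,
# OU-level delegation, and a check that Domain Admins stayed empty of technicians.
Import-Module ActiveDirectory

$NetBios = 'CORP'                                         # assumed NetBIOS domain name
$GroupOU = 'OU=Admin Groups,DC=corp,DC=example'           # assumed OUs
$AdminOU = 'OU=Admin Accounts,DC=corp,DC=example'
$StaffOU = 'OU=Staff,DC=corp,DC=example'
$WsOU    = 'OU=Workstations,DC=corp,DC=example'
$Techs   = 'jsmith', 'mjones'                             # assumed helpdesk/support users

function New-AdminGroupIfMissing {
    param([string]$Name)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $GroupOU
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
    }
    return $g
}

# 1. Task groups carry the rights; the role group carries the people.
$taskGroups = 'File Admin', 'Email Admin', 'Helpdesk Password Reset', 'Workstation Admin'
$taskGroups | ForEach-Object { New-AdminGroupIfMissing $_ | Out-Null }
$role = New-AdminGroupIfMissing 'IT Support'
foreach ($t in $taskGroups) { Add-ADGroupMember -Identity $t -Members $role }   # role nested into each task group

# 2. A separate, intentional admin logon per technician; daily accounts stay standard.
#    Accounts are created disabled; the password is set out of band before enabling.
foreach ($t in $Techs) {
    $adm = "$t-adm"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$adm'")) {
        New-ADUser -Name $adm -SamAccountName $adm -Path $AdminOU -Enabled $false `
            -Description "Admin account for $t; use with runas only"
    }
    Add-ADGroupMember -Identity $role -Members $adm
}

# 3. Delegate only what the helpdesk needs on the Staff OU.
#    CA = extended right ("Reset Password"), WP = write property (pwdLastSet, to
#    force a change at next logon); ";user" limits the ACE to user objects,
#    /I:S applies it to child objects only.
dsacls $StaffOU /I:S /G "$NetBios\Helpdesk Password Reset:CA;Reset Password;user"
dsacls $StaffOU /I:S /G "$NetBios\Helpdesk Password Reset:WP;pwdLastSet;user"

# 4. Workstation Admin becomes a local Administrator on each workstation
#    (Restricted Groups in a GPO does the same thing declaratively at scale).
Get-ADComputer -Filter * -SearchBase $WsOU | ForEach-Object {
    Invoke-Command -ComputerName $_.Name -ArgumentList "$NetBios\Workstation Admin" -ScriptBlock {
        param($grp) net localgroup Administrators "$grp" /add
    }
}

# 5. Checks: no technician or -adm account reaches Domain Admins, directly or
#    through nesting, and the delegated ACEs are present on the OU.
$da   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$leak = ($Techs + ($Techs | ForEach-Object { "$_-adm" })) | Where-Object { $da -contains $_ }
if ($leak) { Write-Warning "Still in Domain Admins: $($leak -join ', ')" }
dsacls $StaffOU | Select-String 'Helpdesk Password Reset'
```

    When a new technician arrives, step 2 is all that repeats: create the -adm account and drop it into IT Support. Trimming rights later means editing one task group, not touching every user, and step 5 is worth re-running after any group change because a Domain Admins membership acquired through nesting is easy to miss in the GUI.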
