Solved

Best practice for system or network administrator access

Posted on 2009-07-15
Last Modified: 2013-12-04
What security access would you typically give a system and network administrator on a Windows 2000/2003 server? Would you grant them overall administrator access? What is the best practice?
Question by:jodie888
8 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24872745
I give my admins access... "as needed"....

They start out with user level access, but with admin privileges locally on workstations...
0
 
LVL 3

Expert Comment

by:scwoa
ID: 24880696
I agree. Too many places give out Domain admin rights to junior level guys. And once you give it out, it becomes hard (politically) to take it away.

It depends on how big you are; in a small shop with one or two IT people you may have to give it to them.

Some examples of when you need \ don't need domain admin rights...

If they are adding domain controllers to the domain, fixing trust relationships, then they need it.

If they are answering help desk ticket calls, and changing printer toner, they don't. Local admin is fine.

If they are doing account maintenance, such as resetting passwords, changing names, you can give them account operators permissions. Along with instructions stating they can't add anyone to the domain admins \ schema admins \ enterprise admins \ account operators without your permission. (You can also create restricted groups..)

If they say they want to change the schema, and join the schema admin group, ask what they are doing and why. Then say no. :) Usually schema changes do not happen very often.

If they are an application person, who only knows an application, and doesn't know what AD users and computers is, they don't need it.

Rebooting servers \ working on servers - no, give them local admin rights to the server, or maybe the server operators group.
Rebooting Domain controllers - Yes, they need a domain admin account.

If they are cowboys, and change stuff for no reason and without a backout plan, don't give it to them.

If you have a specific case \question of whether they need domain admins or not, please post it...
0
 
LVL 37

Expert Comment

by:bbao
ID: 24882037
basically, if they are TRUSTED REAL administrators, give them the permissions of windows administrators. otherwise, if you are the ACTUAL REAL administrator, give them the permissions JUST satisfied for their role, such as normal users with *extra* rights, or simply the Power Users, even the Power Users with *reduced* rights.

hope it helps,
bbao
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24892240
In a domain environment, I usually assign permissions or delegate only on an as needed basis.

For smaller organizations, you may have to assign domain admin or at least have access to a domain admin account in case the primary admin (you) is not there or something happens.

Any other place, I would stick with the "as needed" and maybe assign as local admin for certain servers if needed.

Common tasks to delegate to someone else:
Create user accounts and possibly group membership (keep in mind this would give them the ability to add their own account to domain admin group)
Reset user passwords
View group policy
Add as local machine admin for regular workstations (install software, etc.)
Join computer to domain
Access to certain network folders (software, logs, etc.)
0
 
LVL 1

Expert Comment

by:DJM2009
ID: 24905809
I would also suggest, depending on what you decide to do, to also monitor (if you have the tools available) the addition of users to domain/schema/enterprise admins group.
0
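The monitoring suggested in the comment above, combined with the earlier rule that nobody is added to Domain Admins, Schema Admins, Enterprise Admins or Account Operators without permission, as an added example that is not part of the thread. It reviews a constructed CSV export of Security-log events; the column layout, account names and `APPROVED` list are assumptions, while the event IDs are the Windows "member added to security-enabled group" IDs (632/636/660 on 2000/2003, 4728/4732/4756 on later versions).

```python
import csv
import io

# "Member added to a security-enabled group" event IDs:
# Windows 2000/2003 first, the later-Windows equivalent second.
MEMBER_ADDED = {"632": "global", "4728": "global",
                "636": "local", "4732": "local",
                "660": "universal", "4756": "universal"}

# Groups the thread says need the senior admin's permission.
PRIVILEGED = {"domain admins", "schema admins",
              "enterprise admins", "account operators"}

# Constructed sample export, not real log data.
# 633 is a member *removal* and must be ignored.
SAMPLE_EXPORT = """time,event_id,actor,member,group
2009-07-15T09:02:11,632,jsmith,jsmith,Domain Admins
2009-07-15T09:15:40,636,jsmith,tlee,Account Operators
2009-07-15T10:01:03,632,adminsr,pkhan,Helpdesk Staff
2009-07-15T11:30:27,4756,mbrown,contractor7,Enterprise Admins
2009-07-15T11:31:00,633,adminsr,olduser,Domain Admins
"""

# Hypothetical change-control list: (member, group) pairs already approved.
APPROVED = {("tlee", "account operators")}


def review_group_changes(export_text, approved):
    """Return unapproved additions to privileged groups."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        group = row["group"].strip().lower()
        if row["event_id"].strip() not in MEMBER_ADDED or group not in PRIVILEGED:
            continue
        actor = row["actor"].strip().lower()
        member = row["member"].strip().lower()
        if (member, group) in approved:
            continue
        # An account adding itself is the case the thread warns about when
        # group-membership rights are delegated.
        reason = "self-added" if actor == member else "unapproved"
        findings.append({"time": row["time"], "group": group, "actor": actor,
                         "member": member, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in review_group_changes(SAMPLE_EXPORT, APPROVED):
        print(f["time"], f["reason"], f["actor"], "->", f["member"], "in", f["group"])
```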
 
LVL 27

Expert Comment

by:Tolomir
ID: 25203194
Remark, splitting 50 points among the experts is useless, so I decided to suggest  paq w/o refund.
0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 25229468
Question PAQ'd, 50 points not refunded, and stored in the solution database.
0
