Best practice for system or network administrator access

What security access would you typically give a system and network administrator on a Windows 2000/2003 server? Would you grant them overall administrator access? What is the best practice?
jodie888 asked:
Ron Malmstead, Information Services Manager, commented:
I give my admins access... "as needed"....

They start out with user level access, but with admin privileges locally on workstations...
0
scwoa commented:
I agree. Too many places give out Domain Admin rights to junior level guys. And once you give it out, it becomes hard (politically) to take it away.

It depends on how big you are; a small shop with one or two IT people may have to give it to them.

Some examples of when you need / don't need Domain Admin rights...

If they are adding domain controllers to the domain, fixing trust relationships, then they need it.

If they are answering help desk ticket calls, and changing printer toner, they don't. Local admin is fine.

If they are doing account maintenance, such as resetting passwords, changing names, you can give them Account Operators permissions. Along with instructions stating they can't add anyone to the Domain Admins / Schema Admins / Enterprise Admins / Account Operators groups without your permission. (You can also create Restricted Groups...)

If they say they want to change the schema, and join the Schema Admins group, ask what they are doing and why. Then say no. :) Usually schema changes do not happen very often.

If they are an application person, who only knows an application, and doesn't know what AD Users and Computers is, they don't need it.

Rebooting servers / working on servers - no, give them local admin rights to the server, or maybe the Server Operators group.
Rebooting domain controllers - yes, they need a Domain Admin account.

If they are cowboys, and change stuff for no reason and without a backout plan, don't give it to them.

If you have a specific case / question of whether they need Domain Admins or not, please post it...
0
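The "resetting passwords without Account Operators" case above can be done with a plain delegation on the OU rather than group membership. The following is an added example, not code from the thread or from any of its participants: it uses dsacls.exe (shipped in the Windows Server 2003 Support Tools, built in from Server 2008) to grant a help-desk group only the Reset Password right on user objects under one OU, then reads the ACL back and checks that the group has not been nested into a privileged group. The domain EXAMPLE / DC=example,DC=com, the OU "Staff" and the group "HelpDesk" are hypothetical names.

```powershell
# Added example (not from the original thread). Delegate password resets on one OU
# to a help-desk group instead of putting the help desk in Account Operators.
# Assumptions (hypothetical): domain EXAMPLE, DN suffix DC=example,DC=com,
# OU=Staff, group HelpDesk. Run as a user allowed to change the OU's ACL.

$Domain   = "EXAMPLE"
$BaseDN   = "DC=example,DC=com"
$TargetOU = "OU=Staff,$BaseDN"
$Group    = "HelpDesk"
$Trustee  = "$Domain\$Group"

# 1. Grant the "Reset Password" control-access right (CA) on user objects below the
#    OU. /I:S applies the ACE to sub-objects only, so the OU itself is untouched.
dsacls $TargetOU /I:S /G "${Trustee}:CA;Reset Password;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed while granting Reset Password" }

# 2. Allow read/write of pwdLastSet (RPWP) so the help desk can tick
#    "User must change password at next logon" after a reset.
dsacls $TargetOU /I:S /G "${Trustee}:RPWP;pwdLastSet;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed while granting pwdLastSet" }

# 3. Read the ACL back and show only the ACEs that name the help-desk group,
#    so what was granted can be compared with what was intended.
dsacls $TargetOU | Select-String -SimpleMatch $Trustee

# 4. The delegation is pointless if the group also sits in a privileged group.
#    memberOf lists direct memberships only; Enterprise/Schema Admins exist in the
#    forest root domain, and Administrators lives under CN=Builtin.
$privileged = "Domain Admins", "Enterprise Admins", "Schema Admins",
              "Account Operators", "Administrators", "Server Operators"
$grp = [ADSI]"LDAP://CN=$Group,CN=Users,$BaseDN"
$memberOf = @($grp.memberOf) | ForEach-Object { ($_ -split ",")[0] -replace "^CN=", "" }
$nested = $memberOf | Where-Object { $privileged -contains $_ }
if ($nested) {
    Write-Warning "$Group is nested in privileged group(s): $($nested -join ', ')"
} else {
    Write-Host "$Group is not a direct member of any privileged group."
}
```

Two caveats a practitioner should keep in mind: a user who can reset passwords on an OU can take over any account in that OU, so keep the administrators' own accounts (and service accounts) in an OU the help desk is not delegated on; and step 4 only sees direct membership, so nesting through an intermediate group or a primary-group change would not be reported.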
bbao, IT Consultant, commented:
Basically, if they are TRUSTED REAL administrators, give them the permissions of Windows administrators. Otherwise, if you are the ACTUAL REAL administrator, give them only the permissions that JUST satisfy their role, such as normal users with *extra* rights, or simply Power Users, or even Power Users with *reduced* rights.

hope it helps,
bbao
0

OriNetworks commented:
In a domain environment, I usually assign permissions or delegate only on an as needed basis.

For smaller organizations, you may have to assign Domain Admin or at least have access to a Domain Admin account in case the primary admin (you) is not there or something happens.

Any other place, I would stick with the "as needed" and maybe assign as local admin for certain servers if needed.

Common tasks to delegate to someone else:
Create user accounts and possibly group membership (keep in mind this would give them the ability to add their own account to the Domain Admins group)
Reset user passwords
View group policy
Add as local machine admin for regular workstations (install software, etc.)
Join computer to domain
Access to certain network folders (software, logs, etc.)
0
DJM2009 commented:
I would also suggest, depending on what you decide to do, to also monitor (if you have the tools available) the addition of users to the Domain/Schema/Enterprise Admins groups.
0
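The monitoring suggested above does not need a commercial tool. The following is an added example, not code from the thread or any of its participants: a scheduled check that diffs the current membership of the privileged groups against a saved baseline and then pulls the "member added" security events since the last run. It assumes a hypothetical domain DC=example,DC=com, a baseline file at C:\Audit\privgroups.txt, and that it runs on a domain controller (where the Security log with these events lives) under an account that can read that log. Event IDs 632/636/660 are the Windows 2000/2003 "member added to global/local/universal group" events; 4728/4732/4756 are their equivalents from Windows Server 2008 onward.

```powershell
# Added example (not from the original thread). Detect additions to privileged
# AD groups by (a) diffing membership against a baseline and (b) reading the
# "member added" security events. Assumptions (hypothetical): DC=example,DC=com,
# baseline file C:\Audit\privgroups.txt, run on a DC with read access to the log.

$BaseDN   = "DC=example,DC=com"
$Baseline = "C:\Audit\privgroups.txt"
$Groups   = @(
    "LDAP://CN=Domain Admins,CN=Users,$BaseDN",
    "LDAP://CN=Enterprise Admins,CN=Users,$BaseDN",   # forest root domain only
    "LDAP://CN=Schema Admins,CN=Users,$BaseDN",       # forest root domain only
    "LDAP://CN=Administrators,CN=Builtin,$BaseDN",
    "LDAP://CN=Account Operators,CN=Builtin,$BaseDN"
)

# (a) Current membership as "Group|MemberDN" lines. Only direct members are listed;
#     a nested group shows up as a group DN, which is itself worth a look.
$current = foreach ($path in $Groups) {
    $g = [ADSI]$path
    foreach ($m in @($g.member)) { "{0}|{1}" -f $g.cn, $m }
}

if (Test-Path $Baseline) {
    $old     = Get-Content $Baseline
    $added   = $current | Where-Object { $old -notcontains $_ }
    $removed = $old     | Where-Object { $current -notcontains $_ }
    foreach ($a in $added)   { Write-Warning "ADDED since baseline: $a" }
    foreach ($r in $removed) { Write-Host    "removed since baseline: $r" }
} else {
    Write-Host "No baseline yet; writing one. Review it by hand before trusting it."
}
$current | Set-Content $Baseline

# (b) Who added whom, from the Security log. Window = last 24 hours; match it to
#     the schedule the script runs on so no interval is skipped.
$names = "Domain Admins", "Enterprise Admins", "Schema Admins",
         "Administrators", "Account Operators"
Get-EventLog -LogName Security -InstanceId 632, 636, 660, 4728, 4732, 4756 `
             -After (Get-Date).AddDays(-1) |
    Where-Object {
        $msg = $_.Message
        $names | Where-Object { $msg -match [regex]::Escape($_) }
    } |
    Select-Object TimeGenerated, InstanceId, Message |
    Format-List
```

Part (b) only works if "Audit account management" is enabled in the domain controllers' audit policy; without it none of these events are written. Part (a) is the safety net for that case, but note that the `member` attribute does not show membership obtained through a user's primaryGroupID, so a changed primary group (for example 512, Domain Admins) would escape the diff; checking primaryGroupID on user objects is a separate query.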
Tolomir, Administrator, commented:
Remark: splitting 50 points among the experts is useless, so I decided to suggest PAQ w/o refund.
0
ee_auto commented:
Question PAQ'd, 50 points not refunded, and stored in the solution database.
0