  • Status: Solved
  • Priority: Medium
  • Security: Public

add to group or seperate account

Our auditor needs temporary domain admin rights for a review.

She already has a domain account which is just basic and no elevated rights).

Is it best practice to just add her account into the domain admin group, or create a new domain account in the domain admin group for her?

Can you let me know which is best option and why?
pma111
Asked:
1 Solution
 
Krzysztof PytkoActive Directory EngineerCommented:
Is this account her temporary account for audit purposes, or does she work in your company?
I would suggest creating a completely new account, adding it to Domain Admins and setting account expiration for a couple of days (the date when the audit ends).

After that, you can simply delete this account.

Regards,
Krzysztof
 
pma111Author Commented:
Hi - she works for the company - the permissions required are temporary - but her domain user rights are permanent.
 
Krzysztof PytkoActive Directory EngineerCommented:
So, definitely I would create a new account, put it in Domain Admins and set the account to expire at the end of the audit day.
After that, it can simply be deleted. And for security reasons, it's much easier to track in the event log whether that new account was used for the audit or for "spying" :)

Krzysztof
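Added example (PowerShell, not code from this thread) of the procedure Krzysztof describes: a separate account with an expiration date, added to Domain Admins, with its logons pulled from the DC security log and the cleanup at the end. The account name, OU path and end-of-audit date are assumptions.

```powershell
# Added example, not from the thread. Assumed values: account name, OU, audit end date.
Import-Module ActiveDirectory

$Sam      = 'audit.tmp'                          # assumed: separate account used only for the audit
$OuPath   = 'OU=Admin,DC=corp,DC=example'        # assumed OU
$AuditEnd = (Get-Date '2024-06-30').AddDays(1)   # assumed last audit day; account expires at 00:00 the next day

# 1. Create the account with an expiration date so it cannot be used after the audit.
New-ADUser -Name 'Audit Temp' -SamAccountName $Sam -Path $OuPath `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -AccountExpirationDate $AuditEnd -Enabled $true -ChangePasswordAtLogon $true

# 2. Grant the elevated rights for the review period only.
Add-ADGroupMember -Identity 'Domain Admins' -Members $Sam

# 3. Confirm the expiry was applied.
Get-ADUser $Sam -Properties AccountExpirationDate |
    Select-Object SamAccountName, AccountExpirationDate

# 4. Because the account is used for nothing else, every logon by it is attributable to the audit.
#    Event ID 4624 on a DC records logons to that DC; property 5 is the target user name,
#    8 the logon type and 11 the workstation. (4768 on the DCs covers domain-wide TGT requests.)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    Where-Object { $_.Properties[5].Value -eq $Sam } |
    Select-Object TimeCreated,
        @{ n = 'LogonType';   e = { $_.Properties[8].Value } },
        @{ n = 'Workstation'; e = { $_.Properties[11].Value } }

# 5. After the audit, remove the group membership and delete the account.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $Sam -Confirm:$false
Remove-ADUser -Identity $Sam -Confirm:$false
```

Step 4 must be run on a domain controller (or against its forwarded security log), since member servers log their own 4624 events locally.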
 
pma111Author Commented:
Thanks - slightly off topic - but if this user with domain admin rights is running audit tools that are having an impact on network performance -

a) what MS/AD tools can be used to identify this
b) and how easy is it to remotely "disable" the tool/stop the scan

How technically could this be done?
 
Krzysztof PytkoActive Directory EngineerCommented:
That's not so simple. Without any 3rd party network tools it's not possible. If you know which PC is used for audit scans, you can shut it down remotely:

shutdown -s -f -m \\PCNAME -t 0

For tools to detect network performance, please ask the network guys at EE :)

Krzysztof
 
devinnoelCommented:
From a security perspective, auditors should not get Domain Admin rights. The very function of an audit is read only access to data. Domain Admin fundamentally gives you full control over everything. Giving somebody full control over everything to perform an audit is kind of like letting a fox watch the hen house.

The better way to make this happen would be to create an auditors group & grant this group logon permissions to some/all systems on the network as well as read-only access to event logs or whatever else is needed. That way they can get onto the systems and see everything, but can't do anything naughty.
 
pma111Author Commented:
OK, appreciate that, but don't you have to put a level of trust in the auditor - i.e. they'd be plain stupid in such a role to abuse their permissions?