Security Basics mailing list archives

RE: software to control domain administrators


From: "Keenan Smith" <kc_smith () clark net>
Date: Wed, 11 May 2005 14:49:31 -0400

All,

I'm going to move myself out of the weeds on this one and share a 25,000-foot
perspective.

On any computer, there has to be a "super user" procedure of some sort
that can bypass any protections placed on the system.  Without a
capability like this, any misbehaving application, malicious user or
runaway process has the potential to require a rebuild of the system as
the only solution.

Limiting the rights and privileges of the "super user" would be
dangerous in that a simple misconfiguration could eliminate access to
"super user" and therefore limit access to the resources necessary to
reconfigure.

In the Unix world, there has been a tool named "sudo" for many years.
The application itself runs as the user "root" and can be configured by
"root" to allow one or more other users access.  Running that
application allows any properly configured user to run a command as
"root" without actually having to be "root".  For traceability, the
execution is logged, making it a safer way to run "root" commands.  I
believe that the application being mentioned here is a similar product
for Windows (i.e., applications can be run as the "domain admin" without
the user actually having to be a "domain admin").

Keenan
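
The traceability point in the message above, as an added example that is not part of the original post: a small parser for the syslog lines sudo writes by default, separating commands that were permitted from attempts that were denied. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sudo writes by default.
SAMPLE_LOG = """\
May 11 14:49:31 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service httpd restart
May 11 14:50:02 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/reboot
May 11 14:51:10 host1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
May 11 14:52:44 host1 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022
May 11 14:53:05 host1 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
"""

# "<user> : <fields>" after the "sudo:" tag; other programs' lines do not match.
LINE_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$")

def parse_sudo_line(line):
    """Return one sudo event as a dict, or None for non-sudo lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # COMMAND is always last and may itself contain " ; ", so cut it off first.
    head, found, command = m.group("rest").partition("COMMAND=")
    if not found:
        return None
    fields, reason = {}, None
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
        else:
            reason = part  # e.g. "user NOT in sudoers"
    return {"user": m.group("user"), "runas": fields.get("USER"),
            "command": command, "denied": reason}

def audit(log_text):
    """Split events into commands run per user and denied attempts."""
    ran, denied = defaultdict(list), []
    for event in filter(None, map(parse_sudo_line, log_text.splitlines())):
        if event["denied"]:
            denied.append((event["user"], event["denied"], event["command"]))
        else:
            ran[event["user"]].append(event["command"])
    return dict(ran), denied

if __name__ == "__main__":
    ran, denied = audit(SAMPLE_LOG)
    for user, commands in ran.items():
        print(f"{user} ran via sudo: {commands}")
    for user, why, command in denied:
        print(f"DENIED {user} ({why}): {command}")
```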


