Security Basics mailing list archives

Re: Restrict the Domain Admin


From: "G. Chomic" <secure.computing () gmail com>
Date: Sun, 18 Sep 2005 04:28:45 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Really, domain admin management is more of an HR and policy-based issue
than anything else.

At some point in current IT organizational structures that may be
possible.  But in current structures I really think that it is an HR
issue.  How far are you going to go with redundant and ever-increasing
tools or circumventions to lock down someone you should really have
complete trust in?

I don't have some of the original links about this issue at hand, but
this one came up in a quick Google search, and I've come across it in my
feeds before:

http://msmvps.com/bradley/archive/2005/08/30/64696.aspx

G. Chomic

sf_mail_sbm () yahoo com wrote:
Hi List,
Is there a way to restrict access of a Domain Admin?

Example, can we allow a Domain admin to do everything EXCEPT user management (e.g. password reset)?

We want to secure our environment, and do not want to have "ALL-POWERFUL" domain admins around

Thanks for your suggestions

P.S. Environment: Windows (2000 & 2003) - Active Directory


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDLSU9ZEPQmWb53voRAnpCAJ4ypxCD3EnZVnT7hZFZkHkqcrozGACgvNL0
96G4ELpsSiUoLh8Inaw0Xmg=
=9lrL
-----END PGP SIGNATURE-----

