Security Basics mailing list archives

RE: RE: Restrict the Domain Admin


From: "Craig Wright" <cwright () bdosyd com au>
Date: Sat, 1 Oct 2005 14:57:23 +1000

Hi
 
I think people are missing the point. You can allow / create an admin who can not edit logs for example. The issue is 
not technical - but procedural. The comments along the lines "Sounds good, but in practice, and in urgent situations, 
you have to contact all the persons holding the password... " are not correct. You do not need an admin to do 
everything - even reinstalling the forest does not require all rights.
 
You can allow the DELETE user profile - but set up a log of this action as an example. Domain admin and a user with 
nearly all the rights but with segregated security rights is feasible and occurs in many organisations now.
 
Craig

        -----Original Message----- 
        From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com] 
        Sent: Thu 29/09/2005 9:18 PM 
        To: security-basics () securityfocus com 
        Cc: 
        Subject: Re: RE: Restrict the Domain Admin
        
        
.. you can split the authentication between several people (have them each type a char and put their section in a 
safe...

Sounds good, but in practice, and in urgent situations, you have to contact all the persons holding the password... we 
have put something similar in place, and we face resistance from the operations and business guys who want a minimum 
downtime

Any right can be assigned under Microsoft

Tried to implement this also, and found that if I do not give a user the right to DELETE a user profile, he will NOT be 
able to MOVE a user from one OU to another OU... has anyone encountered this OR better is there a solution for this
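The two technical points in this exchange (a delegated admin who may delete user objects, with every deletion logged, and the delete right that a move between OUs depends on) as an added PowerShell example. This is not code from either poster; it assumes the RSAT ActiveDirectory module is installed, and the group name, OU and domain below are placeholders.

```powershell
# Added example for this thread, not from either poster.
# Assumes the ActiveDirectory RSAT module; group, OU and domain names are placeholders.
Import-Module ActiveDirectory

$delegateGroup = 'HelpdeskUserAdmins'            # assumed group name
$ouDn          = 'OU=Staff,DC=example,DC=com'    # assumed OU
# schemaIDGUID of the "user" object class, used to scope the ACEs to user objects only
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$everyone      = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

function Grant-UserObjectAdmin {
    param(
        [string]$GroupName,
        [string]$OuDn,
        [Guid]$ClassGuid,
        [System.Security.Principal.SecurityIdentifier]$AuditSid
    )

    $sid = (Get-ADGroup -Identity $GroupName).SID
    # -Audit reads the SACL as well as the DACL (needs SeSecurityPrivilege)
    $acl = Get-Acl -Path "AD:\$OuDn" -Audit

    # DACL: let the group create and delete user objects in this OU and its child OUs.
    # Moving a user from one OU to another needs DeleteChild on the source OU and
    # CreateChild on the target OU, which is why withholding delete also breaks moves.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $allow  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($allow)

    # SACL: record every successful deletion of a user object here, by anyone,
    # so the delete right stays usable but is never silent.
    $audit = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $AuditSid,
        [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
        [System.Security.AccessControl.AuditFlags]::Success,
        $ClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAuditRule($audit)

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-UserObjectAdmin {
    # Read the DACL and SACL back and report whether both entries are present.
    param([string]$GroupName, [string]$OuDn)

    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn" -Audit
    $deleteRight = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

    $hasAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        (($_.ActiveDirectoryRights -band $deleteRight) -ne 0)
    }
    $hasAudit = $acl.Audit | Where-Object {
        (($_.ActiveDirectoryRights -band $deleteRight) -ne 0)
    }
    [pscustomobject]@{
        Group         = $GroupName
        OU            = $OuDn
        DeleteAllowed = [bool]$hasAllow
        DeleteAudited = [bool]$hasAudit
    }
}

Grant-UserObjectAdmin -GroupName $delegateGroup -OuDn $ouDn -ClassGuid $userClassGuid -AuditSid $everyone
Test-UserObjectAdmin  -GroupName $delegateGroup -OuDn $ouDn
```

The SACL entry only produces events once the "Directory Service Access" audit subcategory is enabled on the domain controllers (for example with `auditpol /set /subcategory:"Directory Service Access" /success:enable`), after which each audited delete appears as Security event 4662; user account deletions are additionally logged as event 4726 under "User Account Management" whether or not a SACL is set. Running `Grant-UserObjectAdmin` against the target OU as well as the source OU is what makes OU-to-OU moves work for the delegated group without handing it Domain Admin.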

