RE: Restrict the Domain Admin

["Craig Wright" <cwright () bdosyd com au>]

Have we heard of segregation of duties?

I am sorry but I have NEVER seen a site with more than 1 IT person where
domain admins are needed for all tasks. It is not about whether you
trust the person - minimise the exposure. The trust argument is just a
waste of time.

Even when I was an admin - I always made sure that I did not have
complete control without going through a change process where everything
is logged and checked - just to cover my own ass if something happened

Craig

PS
Lets hope that you never have me doing a SOX, SAS70 or other audit of
your site

-----Original Message-----
From: cc [mailto:cc () belfordhk com] 
Sent: 20 September 2005 4:56
To: security-basics () securityfocus com
Subject: Re: Restrict the Domain Admin

sf_mail_sbm () yahoo com sighed and wrote::

> Hi List,
> Is there a way to restrict access of a Domain Admin?

Here's my $0.02.

By restricting the access of a domain admin, you've already defeated the
purpose of a domain admin.  The main point of the matter is that in
order for one person to be a domain admin, you must have extraordinary
(or maybe just special) trust in both the person's ability and their
standards of
operating procedures.   By restricting access to the domain
admin, you are in essence saying, "Here's the domain access, but we
don't trust you enough to give you the full 9 yards so we're restricting
your access to these privileges."

If you don't have 100% confidence in either the person's ability or
their ethics, you really shouldn't be giving the person that much access
to begin with.

As some other poster (Mr. Armfield) mentioned here, eventually you'll
need a person who has access to the whole nine yards.