| Author | Messages | |
adwulf
Posts:39
 | | 03/10/2006 2:35 AM |
| Dear collective,
In your esteemed opinions, is it better to have one central admin
account which every member of the sysadmin team should use, or is it
better to give ever member of the team their own admin account?
I'm inclined towards giving people their own admin accounts, purely
from an audit point of view, but I'm being told that it's better to
have one central admin account, as it is easier to track which
accounts have admin rights. I would have thought that NET GROUP would
make that fairly obvious.
Am I missing something here?
--
AdamT
'Thank-you for not requesting read receipts'
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| listmail
Posts:497
| | 03/10/2006 2:48 AM |
| Every user MUST have their own admin account, you have ZERO accountability
if you have "generic" accounts. The builtin admin IDs should be assigned
insanely long difficult passwords and locked in an envelope which is locked
in an executive's safe.
You shouldn't be giving so many people rights that it is hard to keep track
of them. In fact, if you are talking about DA/EA accounts, you should be
able to count all of the different people in the forest with those rights on
one hand.
I once had a manager tell me I needed to produce a report of who had used a
certain generic application admin ID at different times, I couldn't stop
laughing. I wanted to ask him if he had installed the keyboard cam on every
machine that was triggered by the attempts to log onto that account.
Using generic IDs defeats every possible mechanism for personal
accountability built into the OS.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AdamT
Sent: Friday, March 10, 2006 9:19 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Individual admin accounts vs Generic admin account.
Dear collective,
In your esteemed opinions, is it better to have one central admin account
which every member of the sysadmin team should use, or is it better to give
ever member of the team their own admin account?
I'm inclined towards giving people their own admin accounts, purely from an
audit point of view, but I'm being told that it's better to have one central
admin account, as it is easier to track which accounts have admin rights. I
would have thought that NET GROUP would make that fairly obvious.
Am I missing something here?
--
AdamT
'Thank-you for not requesting read receipts'
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD000001290
Posts:0
| | 03/10/2006 2:52 AM |
| I take the following approach:
1. Assign admins a secondary account.
Primary accounts are used to perform day to day stuff - admin accounts
are used to perform priv operations.
This allows for audit trails to be created, as you state, which help
identify who made what change, when and how etc etc
2. Monitor and manage the memberships of the priv groups.
Create a committee or similar who manage the AD from a strategic
perspective. They own the priv groups and are responsible for vetting
new admins and approving change to the memberships of priv groups. Run
regular reports showing who has membership of these groups and action
any anomalies.
neil
___________________________
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AdamT
Sent: 10 March 2006 14:19
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Individual admin accounts vs Generic admin account.
Dear collective,
In your esteemed opinions, is it better to have one central admin
account which every member of the sysadmin team should use, or is it
better to give ever member of the team their own admin account?
I'm inclined towards giving people their own admin accounts, purely from
an audit point of view, but I'm being told that it's better to have one
central admin account, as it is easier to track which accounts have
admin rights. I would have thought that NET GROUP would make that
fairly obvious.
Am I missing something here?
--
AdamT
'Thank-you for not requesting read receipts'
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD000001377
Posts:0
| | 03/10/2006 5:14 AM |
| "being told that it's better to have one central admin account"
I think you are being told by someone who will eventually, through some
means obtain a privileged account, and knows that his/her own self has a
very good chance of screwing something up or doing something unethical. In
cases like those a single admin account is perfect for that person. I have
dealt with people like that before. CYA
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| Gil
Posts:119
| | 03/10/2006 9:43 AM |
| There's no way you should use a single admin account. You have no way to
track who did what. Managing admin accounts and their group memberships
is not difficult, certainly not as difficult as trying to figure out who
screwed something up when the audit logs all say "Administrator". You
shouldn't have that many admins to worry about anyway. I know several
very large AD installations (>100K users, 100s of sites, a few domains)
and they have 2 or at most 3 domain admins per domain.
Most organizations I've worked with give admins two accounts, a regular
everyday account and an admin account that they use only when they need
the extra privs. The admin account doesn't have email, and in some envs
is restricted to logging in on a handful of highly locked-down
workstations. This reduces the possibility of malware running under
admin privs.
And I've worked with a couple of companies that use shared accounts (not
just admin accounts), and it is a complete and utter nightmare from an
administration and auditing standpoint.
-gil
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AdamT
Sent: Friday, March 10, 2006 7:19 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Individual admin accounts vs Generic admin account.
Dear collective,
In your esteemed opinions, is it better to have one central admin
account which every member of the sysadmin team should use, or is it
better to give ever member of the team their own admin account?
I'm inclined towards giving people their own admin accounts, purely
from an audit point of view, but I'm being told that it's better to
have one central admin account, as it is easier to track which
accounts have admin rights. I would have thought that NET GROUP would
make that fairly obvious.
Am I missing something here?
--
AdamT
'Thank-you for not requesting read receipts'
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
|
|