25 September 2017
- Last edited 25 September 2017
What does your boss mean by “keep it secure”? There’s no such thing as “secure” – there are only degrees of risk management.
Thanks everybody. First of all I would like to let you know that I am completely against this approach and I already suggested using Local Admins (controlled by LAPS or other ways). But he is indicating something like this:
"We can have a user account in our domain admin group, but keep it disabled and have heavy passwords in place. Once there is a need to login to that workstation, we enable that computer and do our stuff, and once the task is finished we disable it again."
I just cannot accept this, guys. Even if I say that this is not best practice, he simply will say:
"OK, we can have a user account; once there is a need to login to a workstation, add that to domain admin, and once the job is done, remove it from DA."
This is funny from my point of view... but he is in charge.
From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of matcollins66@xxxxxxxxxxxxxxxx
Sent: Monday, 25 September 2017 5:25 PM
Subject: [ActiveDir] temporary domain admin. opinions?
My boss insists on having a separate user in the domain admin group for later use. He says that when we want to troubleshoot client-side problems we need a domain admin to log on (because it is much easier than local admin among 3K computers), and since I have configured the built-in domain admin to only log on to DCs, he wants to have a user in the DA group.
I am trying to convince him that it is not best practice to have more domain admins. I am saying that no matter if you change the password every day and keep it disabled, it is still in the DA group! But he says that this is the option we have: we can have a user in the DA group but keep it secure.
Am I too worried as an AD specialist? I cannot convince myself to accept that.
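As an added example that is not part of this thread: a PowerShell audit for the "temporary DA" approach discussed above, listing the current Domain Admins members (disabled ones included) and the DC Security events that enabling, disabling, adding and removing such an account leave behind. It assumes the RSAT ActiveDirectory module and rights to read the PDC's Security log; the group name and the seven-day window are assumptions.

```powershell
# Added example, not from the thread. Audits the "temporary DA" pattern:
# who is in Domain Admins right now, and the membership / enable / disable
# events that pattern generates. Assumes the RSAT ActiveDirectory module
# and read access to the PDC's Security log.
Import-Module ActiveDirectory

$Group = 'Domain Admins'
$Since = (Get-Date).AddDays(-7)

# 1. Current membership, nested groups expanded. A disabled member is still
#    a Domain Admin; one Enable-ADAccount away from being usable.
Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        Get-ADUser $_.DistinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
    } |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
    Sort-Object Enabled, SamAccountName |
    Format-Table -AutoSize

# 2. Churn in the last week. 4728/4729 = member added to / removed from a
#    security-enabled global group (Domain Admins is global);
#    4722/4725 = user account enabled / disabled. Each event is written only
#    on the DC that made the change, so in production query every DC or the SIEM.
$dc = (Get-ADDomain).PDCEmulator
$filter = @{ LogName = 'Security'; Id = 4728, 4729, 4722, 4725; StartTime = $Since }

$events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        $isGroupEvent = $_.Id -in 4728, 4729
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Actor  = $data['SubjectUserName']
            Target = if ($isGroupEvent) { $data['MemberName'] } else { $data['TargetUserName'] }
            Group  = if ($isGroupEvent) { $data['TargetUserName'] } else { '' }
        }
    }

# Keep DA membership changes plus every enable/disable: this is the
# "enable it, do the job, disable it again" trail to reconcile against tickets.
$events |
    Where-Object { -not ($_.Id -in 4728, 4729) -or $_.Group -eq $Group } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Any 4728 for Domain Admins, or a 4722 on a DA account, without a matching change ticket is the finding to raise with whoever is "in charge".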