Granting Admin rights to non administrators - Windows NT


Thread: Granting Admin rights to non administrators

  1. Granting Admin rights to non administrators

    I'm a system administrator at a University. My primary responsibility
    is to take care of the Microsoft side of the house...as you can
    imagine, security is always an issue. The management has told me that I
    will grant domain administrator access to a certain individual (this is
    not a request).
    Unfortunately, this individual is not a system administrator. This
    person is a manager that admits on his own accord "I'm not technical."
    He is indeed talented within his own area - programming, project
    management and "visionary" digital development. However, a sys admin
    this does not make.
    Since I have worked at this location (3+ years), this individual has
    attempted to gain such rights since day 1. From a sys admin point of
    view, he does not need these rights...nor does he have the experience
    or technical background to know what he's doing. Management has told me
    that I will show him how to do what he wants. (I had to "show" him how
    to have his computer join a domain and map a network drive last week).
    The staff that report to him also admit that he does not need these
    rights. The management has admitted that they are not making me give
    this person domain admin rights for technical reasons....but to (and
    I'm quoting here) - "stoke his ego."
    I have tried explaining several times that this is a really really bad
    idea....but have run out of arguments. I don't want to lose my job
    here, but I also want to be able to have a credible future in this
    career. So, my question(s) are:
    What argument would you give / what would you do in this circumstance?
    Do other folks have to deal with similar situations?
    What protections can I provide for myself?
    Am I the one being unreasonable? Am I just overreacting?
    Thanks in advance.


  2. Re: Granting Admin rights to non administrators

    Keep documents showing that you protest this. Frame and hang them in
    your office. Perhaps laminate a pocket-sized copy for frequent reference.
    Also, be sure to start looking for a job where they treat you as a
    professional.

  3. Re: Granting Admin rights to non administrators

    Just give the stupid fool local admin rights and be done with it. When he
    "fries" his machine and loses all his data then you will have him by the
    short ones.

    "Admin" wrote in message
    news:1107309843.226061.243940@o13g2000cwo.googlegroups.com...
    > I'm a system administrator at a University. My primary responsibility
    > is to take care of the Microsoft side of the house...as you can
    > imagine, security is always an issue. The management has told me that I
    > will grant domain administrator access to a certain individual (this is
    > not a request).
    > Unfortunately, this individual is not a system administrator. This
    > person is a manager that admits on his own accord "I'm not technical."
    > He is indeed talented within his own area - programming, project
    > management and "visionary" digital development. However, a sys admin
    > this does not make.
    > Since I have worked at this location (3+years), this individual has
    > attempted to gain such rights since day 1. From a sys admin point of
    > view, he does not need these rights...nor does he have the experience
    > or technical background to know what he's doing. Management has told me
    > that I will show him how to do what he wants. (I had to "show" him how
    > to have his computer join a domain and map a network drive last week).
    > The staff that report to him also admit that he does not need these
    > rights. The management has admitted that they are not making me give
    > this person domain admin rights for technical reasons....but to (and
    > I'm quoting here) - "stoke his ego."
    > I have tried explaining several times that this is a really really bad
    > idea....but have run out of arguments. I don't want to lose my job
    > here, but I also want to be able to have a credible future in this
    > career. So, my question(s) are:
    > What argument would you give / what would you do in this circumstance?
    > Do other folks have to deal with similar situations?
    > What protections can I provide for myself?
    > Am I the one being unreasonable? Am I just over reacting?
    > Thanks in advance.
    >




  4. Re: Granting Admin rights to non administrators

    Greetings.

    I must agree that you should CYA as much as possible here, and that
    you should verify that your resume is up-to-date, and then use it to
    perhaps find a better work environment.

    Some other suggestions:

    * Ensure that the backups are running clean and with 100% integrity.

    * Review logs to see where tinkerbell wanders off into. If you do not
    have such logging in place, then there's another project to add to the
    list, for total network security of course.

    * If you are paranoid that tinkerbell is just an accident waiting to
    happen, then lock his account out of system critical areas. From the
    description you gave, it does not seem as though he will be able to
    circumvent even the simplest security mechanisms. Also, this ties in
    with the logging ... if you find he is intentionally trying to get to
    such areas, where he most likely has no right to even know they exist,
    then the logs could come in handy.

    * If you are curious ... set up a honeypot/net on the network.

    * You said he has attempted to gain network admin access since day one.
    If you mean just politically that is one thing. If you mean by
    attacking the network, that is an entirely different matter. If
    anyone, apart from an authorized pen-tester or such, hits the network,
    that should, amongst other things, shortly follow-up with some HR
    and/or Legal counselling.

    * Pray for an out.

    I sure do not envy your situation. Good luck!

    ~ ciao
    ..te


  5. Re: Granting Admin rights to non administrators

    Obviously, as you clearly already know, no user (including ourselves as
    Admins) should ever "use" our computers with that elevated of privileges.
    Those privileges are for use only upon the necessity to make changes to our
    production environments, and that's it. If you stand by this philosophy in
    your everyday use of your systems, that should be communicated. "I don't
    use my computer with that high of privileges, and neither should anyone
    else".

    Then try to reconcile with your "authorities" one more time, explaining that
    if a programmer (or manager) needs elevated domain wide privileges to
    perform his job function, where he may ultimately create programs with
    elevated privileges, increasing the risk of contamination outbreaks, then
    what do we have username and passwords for? Why do we have a domain or any
    form of authentication for that matter?

    Then pull the "Would you grant ROOT or GOD access to anyone on your
    MainFrame or UNIX platforms?". The answer will assuredly be no. You can
    also try to lean back on Sarbanes-Oxley (the new buzz word in auditing) and
    computer compliance. You can fail an inspection by your auditing company
    for infringing on the trusted security practices of your network operating
    system by granting employees such privileges. Ask them, do they want to be
    the next ENRON? It's plain and simply NOT LEGAL. You are entrusted with
    the title of Network Administrator or whatever, and the auditing company
    checks your credentials to be such.

    However, having been in similar shoes, but it was my CIO requesting the
    elevated privileges, it's a hard conversation to come out successful with
    your convictions being understood or complied with. The powers that be
    always think that "need to know" is lower ranking than "RANK".

    If the individual "complaining" hasn't identified a situation where he was
    limited with his privileges that warranted his request, you are going to
    have to go the CYA route for sure. If he has identified specific
    situations, and you have been successful in alleviating his stress of the
    situation by creating a privilege for him to do what he wants, ensure you
    have that documented somewhere as well, and attempt to communicate that you
    are doing all you can and should to address his concerns. If they still
    won't budge, ensure you enable Auditing on your domain to the highest degree
    (will cause performance degradation, but you will need tracking for your
    "azz")




    "CJC" wrote in message
    news:XpAMd.24881$t67.6098@bignews5.bellsouth.net...
    > Just give the stupid fool local admin rights and be done with it. When he
    > "fries" his machine and loses all his data then you will have him by the
    > short ones.
    >
    > "Admin" wrote in message
    > news:1107309843.226061.243940@o13g2000cwo.googlegroups.com...
    >> I'm a system administrator at a University. My primary responsibility
    >> is to take care of the Microsoft side of the house...as you can
    >> imagine, security is always an issue. The management has told me that I
    >> will grant domain administrator access to a certain individual (this is
    >> not a request).
    >> Unfortunately, this individual is not a system administrator. This
    >> person is a manager that admits on his own accord "I'm not technical."
    >> He is indeed talented within his own area - programming, project
    >> management and "visionary" digital development. However, a sys admin
    >> this does not make.
    >> Since I have worked at this location (3+years), this individual has
    >> attempted to gain such rights since day 1. From a sys admin point of
    >> view, he does not need these rights...nor does he have the experience
    >> or technical background to know what he's doing. Management has told me
    >> that I will show him how to do what he wants. (I had to "show" him how
    >> to have his computer join a domain and map a network drive last week).
    >> The staff that report to him also admit that he does not need these
    >> rights. The management has admitted that they are not making me give
    >> this person domain admin rights for technical reasons....but to (and
    >> I'm quoting here) - "stoke his ego."
    >> I have tried explaining several times that this is a really really bad
    >> idea....but have run out of arguments. I don't want to lose my job
    >> here, but I also want to be able to have a credible future in this
    >> career. So, my question(s) are:
    >> What argument would you give / what would you do in this circumstance?
    >> Do other folks have to deal with similar situations?
    >> What protections can I provide for myself?
    >> Am I the one being unreasonable? Am I just over reacting?
    >> Thanks in advance.
    >>

    >
    >



