Re: Keep admins off of client machines



Nick,

The thing that should be coming clear to you (and many others) is that too
many people foolishly think that there are only two levels of control:

User
Domain Administrator

Not true. The scenario you have described points out that you have the need
for people who can manage a range of computers, but are not able to grant
themselves elevation of privileges. Therefore, what you want is to assign
something other than Domain Admin rights.

This requires you to build a plan, a matrix of what machines, users and
degree of access you want to have assigned for the typical user, the machine
administrators, and then you have a level I'll call the Data Administrators.

The key point is that you would need to understand a substantial amount
about Active Directory management and delegation to truly know that you have
locked down what you think you have to the degree of protecting privacy.

From the previous discussion, the first thing you probably come to realize
is that you may not want to have your "computer support team" as Domain
Administrators for the simple reason that you have no cascade of management
above them...you made them ultimately powerful.

Therefore, you need to look at a power matrix as part of your
job/task/access assignments.

You can make members of a computer support team workstation Administrators
without them being Domain Administrators, but it's pretty hard to have them
manage your Domain if you intend for them to not have full control.

The only way this really gets handled in Enterprise operations is to use the
delegation controls in AD, but that implies someone above them that has
greater access.

Eventually it becomes apparent that you are bound to control some of this by
audit logs and legal enforcement....not technology, at least, not in a
relatively small business.


"Nick" <nickmirro@xxxxxxxxxxxxxx> wrote in message
news:u9oltmXDGHA.312@xxxxxxxxxxxxxxxxxxxxxxx
> Well this is eye opening. The discussion is informative. The issue first
> came up a ways back following an apparently pointless SharePoint admin
> logon to a local laptop. A new profile was created under D&S. This was
> unsettling.
>
> I think the Audit route would be best. The admins do periodically need
> access to various machines, so we can't rely on inventorying profiles.
> Being I'm not a developer myself (though with admin privileges) how do I
> audit admin activity?
>
>
>
> "Nick" <nickmirro@xxxxxxxxxxxxxx> wrote in message
> news:urp8i3PDGHA.812@xxxxxxxxxxxxxxxxxxxxxxx
> > We have an SBS admin, a Sharepoint admin and 2 others who go between our
> > SBS and local Linux server. Those helping administer the servers should
> > not have access to client machines as they contain patient records,
> > proprietary applications, etc. How can we prevent transient administrators
> > with admin status from logging onto client machines (unless essential)
> > since those machines contain sensitive data?
> >
>
>
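Nick's question of how to audit admin activity on the client machines can be answered from each workstation's Security log. The script below is an added example, not code from anyone in this thread; it assumes modern Windows logon auditing (event ID 4624, so Vista and later, not the XP-era 528/540 IDs), that "Audit logon events" is enabled on the workstation, and that the account running it can read the remote Security log and query the domain. The group name and the number of days are parameters.

```powershell
# Added example: list interactive and RDP logons by members of a privileged
# group (default: Domain Admins) on one client machine, over the last N days.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$PrivilegedGroup = 'Domain Admins',
    [int]$Days = 7
)

# Resolve the group's direct members via ADSI (no RSAT module required).
# Caveat: nested groups are not expanded; only direct members are checked.
$domain = [ADSI]''   # binds to the default naming context of the current domain
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=group)(cn=$PrivilegedGroup))"
$group = $searcher.FindOne()
$privileged = @{}
foreach ($dn in $group.Properties['member']) {
    $acct = [ADSI]"LDAP://$dn"
    $sam = [string]$acct.Properties['sAMAccountName'][0]
    if ($sam) { $privileged[$sam.ToLower()] = $true }
}

# Logon types that mean someone actually sat at (or remoted into) the machine:
# 2 = interactive console, 10 = RemoteInteractive (RDP), 11 = cached interactive.
# Network logons (type 3, e.g. file-share or admin-share access) are excluded.
$interactive = 2, 10, 11

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
    ForEach-Object {
        # Pull the named fields out of the event's XML payload.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Sam       = $d.TargetUserName
            LogonType = [int]$d.LogonType
            Source    = $d.IpAddress
        }
    } |
    Where-Object { $interactive -contains $_.LogonType -and $privileged.ContainsKey($_.Sam.ToLower()) } |
    Sort-Object Time |
    Format-Table Time, Account, LogonType, Source -AutoSize
```

An empty result over a normal week is the expected state; any row is a privileged logon to a machine holding patient data that should be matched against a ticket or a known maintenance window.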