ken
posted this
26 September 2017
At the risk of sounding like a broken record, can I state my previous post in a different way…
Why does the boss feel that there is a need for a DA account? This, once properly analysed (or to whatever sub-optimal level you can manage
to get out of him c.f. stakeholder management posted by Brian) would provide your requirements.
From our very superficial overview, it seems that there are some troubleshooting or analysis tasks that need to be undertaken on the workstation. So again, the question is “why?” Can you just rebuild
the workstation (assuming you have an automated solution)? Can you just give the user a new workstation and take the old one away for analysis (assuming you actually need to troubleshoot or diagnose/document the issue)? Or is it necessary for your helpdesk/servicedesk
to be able to provide a near instant troubleshooting capability? We don’t know what the SLAs etc. are, so we don’t know the requirements. As such, it’s hard to provide firm solutions.
From basic security principles, this stinks. But then, maybe the
risk of domain compromise is low, and the consequences (financial loss, reputation damage) of domain compromise are also low. If so, then, as I said before, everything is about risk management. If a rogue operator being a DA is not going to cripple
your business, but being unable to quickly troubleshoot issues is, then the risk/business enablement tradeoff might favour what your boss is suggesting (though I strongly doubt it).
Lastly (and please don’t take this as criticism), this also indicates to me a lack of organizational maturity. With 3K seats, I’d recommend a formal risk/governance function of some kind – there
should be a Chief Risk Officer (at least some office bearer that has that responsibility). And they should have a risk policy, and what they consider to be their top 10/20/30 business risks. Some kind of committee where changes (whether it be business, technological,
whatever) that could materially impact business risk are considered and formally endorsed. The last para is a vast oversimplification of the enormous bureaucracy that exists in a major bank to manage risk
😊 But it might be a starting point for you (maybe not now, but at a later point in your career). Try to develop a little
“Risk matrix” – likelihood on one axis, consequence on another. Anything in the, say, “High” bucket needs to go for formal endorsement at some forum (risk, architectural, senior leadership – whatever exists in your org). It’s their job to be accountable for,
and accept risk. And if the proverbial sh*t does hit the fan, then it’s their jobs on the line, not yours.

Cheers
Ken

From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of matcollins66@xxxxxxxxxxxxxxxx
Sent: Tuesday, 26 September 2017 3:29 AM
To: activedir@xxxxxxxxxxxxxxxx
Subject: re: [ActiveDir] temporary domain admin. opinions?
What does your boss mean by “keep it secure”? There’s no such thing as “secure” – there’s only degrees of risk management.
Thanks everybody. First of all I would like to let you know that I am completely against this approach and I already suggested using Local Admins (Controlled by LAPS or other ways). But he is indicating like this:
"We can have a user account in our domain admin group, but keep it disabled and have heavy passwords in place. Once there is a need to login to that workstation, we enable that account and do our stuff, and once
the task is finished we disable it again"
I just cannot accept this, guys. Even if I say that this is not best practice, he simply will say:
"OK we can have a user account, once there is a need to login to workstation, add that to domain admin, once the job is done, remove it from DA."
This is funny from my point of view... but he is in charge...
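Whichever variant the boss settles on (a disabled account parked in Domain Admins, or an account that is added and removed on demand), the defender's minimum is to be able to see, at any moment, who is in the group and when membership or enabled state last changed. The script below is an added example written for this thread, not code from any poster; it assumes the RSAT ActiveDirectory module, a domain-joined admin host, and read access to a domain controller's Security log. Event IDs 4728/4729 are the standard "member added to / removed from a security-enabled global group" events (Domain Admins is a global group) and 4722/4725 are "user account enabled/disabled"; the 7-day window and the output format are choices made here.

```powershell
# Added example for the ActiveDir thread, not any poster's code.
# Assumes: RSAT ActiveDirectory module installed, run from a domain-joined host
# by an account that can read the DC's Security event log.
Import-Module ActiveDirectory

# 1. Current Domain Admins membership (nested groups expanded), with the
#    properties that matter for a "standby" admin account.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
    }

$members |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
    Sort-Object Enabled, SamAccountName |
    Format-Table -AutoSize

# A disabled account that still sits in the group keeps full DA rights the
# moment anyone with "enable account" rights flips it back on, so call it out.
$standby = @($members | Where-Object { -not $_.Enabled })
if ($standby.Count -gt 0) {
    Write-Warning ("{0} disabled account(s) are still members of Domain Admins: {1}" -f
        $standby.Count, ($standby.SamAccountName -join ', '))
}

# 2. Membership and enable/disable changes in the last 7 days, read from one DC.
#    4728/4729 = member added to / removed from a security-enabled global group
#    4722/4725 = user account enabled / disabled
$dc    = [string](Get-ADDomainController -Discover).HostName
$since = (Get-Date).AddDays(-7)   # window length is an assumption for this example
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4729, 4722, 4725
    StartTime = $since
} -ErrorAction SilentlyContinue

$daNames = @($members.SamAccountName)

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    switch ($e.Id) {
        { $_ -in 4728, 4729 } {
            # TargetUserName is the group; MemberName is the DN of the member.
            if ($d['TargetUserName'] -eq 'Domain Admins') {
                $verb = if ($e.Id -eq 4728) { 'ADDED TO' } else { 'REMOVED FROM' }
                '{0}  {1} {2} Domain Admins by {3}\{4}' -f $e.TimeCreated, $d['MemberName'],
                    $verb, $d['SubjectDomainName'], $d['SubjectUserName']
            }
        }
        { $_ -in 4722, 4725 } {
            # Only report enable/disable events for accounts currently in the group.
            if ($daNames -contains $d['TargetUserName']) {
                $verb = if ($e.Id -eq 4722) { 'ENABLED' } else { 'DISABLED' }
                '{0}  account {1} {2} by {3}\{4}' -f $e.TimeCreated, $d['TargetUserName'],
                    $verb, $d['SubjectDomainName'], $d['SubjectUserName']
            }
        }
    }
}
```

Run it on a schedule (or wire the same event IDs into whatever SIEM or alerting you have) and every enable, disable, add and remove of a DA account becomes a line with a timestamp and the actor who did it; that record is what you would hand to the risk forum Ken describes above, and it is the first thing you would want if the account were ever used outside an approved troubleshooting window. Note that the Security log only captures the event on the DC that processed the change, so in a multi-DC domain you either query every DC or rely on log forwarding to a central collector.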
From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of matcollins66@xxxxxxxxxxxxxxxx
Sent: Monday, 25 September 2017 5:25 PM
To: activedir@xxxxxxxxxxxxxxxx
Subject: [ActiveDir] temporary domain admin. opinions?
Hello,
My boss insists on having a separate user in domain admin group for later use. He says when we want to troubleshoot clientside problems we need a domain admin to logon (because it is much easier than local admin
among 3K computers) and since I have configured built-in domain admin to only logon to DCs, he wants to have a user in DA group.
I am trying to convince him that this is not best practice to have more domain admins. I am saying no matter if you change password every day and make it disabled, it is still in DA group! But he says that this
is the option we have. We can have a user in DA group but keep it secure.
Am I too much worried as an AD specialist? I cannot convince myself to accept that.
------------------------------------------------------------------------------------
This message was posted over our web site
http://www.activedir.org/thread/temporary-domain-admin-opinions/
You can still reply to this thread by email and also over the web site.