Any MS Active Directory Admins out there?

Printable View

Show 40 post(s) from this thread on one page

August 20th, 2002, 10:15 PM
Sgt_B

I think he'd like these admins to be able to do their job whether or not they're in the domain admins group or not. Assuming this, I know the OU's will work for what he needs. Like I said previously, I'm not an expert on encryption so I'm not sure how easy or difficult it would be for a domain admin to break in.
Either way, I know OU's would work in this situation. You seem to know that PGP encryption will work too. There are almost always different strategies to accomplish the same task.
So why argue? We all gave some good advice here.
Take care!
:D
August 21st, 2002, 02:50 AM
Palemoon

Another after thought, fact is the original poster of the thread has not responded with any further information and much info has been given. A rather preplexing problem they set forth and so little info was given. Is it a WAN, how many servers, and the need for so many Admins on a network? Now the debate seems to be on how to get around Admin, humm. Just stuff to ponder well at least for me :)
August 21st, 2002, 03:48 PM
mohaughn

Quote:

Originally posted here by Palemoon
Another after thought, fact is the original poster of the thread has not responded with any further information and much info has been given. A rather preplexing problem they set forth and so little info was given. Is it a WAN, how many servers, and the need for so many Admins on a network? Now the debate seems to be on how to get around Admin, humm. Just stuff to ponder well at least for me :)

Have you worked with Win2K much? There are tons of different things that must be done on a daily basis that require domain admin priviledges.. So somebody in the organization must be domain administrator. And usually that would not be someone in the HR department. Think about it. Do you want an HR type person being your domain admin, or do you want an IT specialist to be your domain admin? Ultimately, somebody has to be domain admin... I know the domain admins at my job would probably quit if you took domain admin rights away from them and told them that they would have to go talk to somebody in HR if they wanted to be able to do their job.

OUs are intended to be able to allow different organizations to manage their OU as they see fit. However, in this model there is always an organization that is responsible for administration of the domain(and that is not HR).

Some things only a domain admin can do: run domainprep, forestprep, install cluster servers(cluster service account must be domain admin in order for exchange to be installed in the cluster).. etc....
August 21st, 2002, 04:29 PM
Sgt_B

Like Palemoon said, we just don't know enough about this environment to make such judgments. Perhaps the underling admins do not need to be in the Domain Admins group. In order to do their jobs maybe all they need is to have admin priveleges to a certain OU. Or maybe they absolutely have to have Domain Admin privileges...you don't know that, and neither do I. There are plenty of organizations out there that use OU's just for the purpose of delegating authority to certain people in the IT/IS dept. Each admin has admin rights to his or her OU. Of course there's going to be one or two Domain Admins at the very top, but then there are going to be individuals or groups that control over each OU in their organization.

Quote:

OUs are intended to be able to allow different organizations to manage their OU as they see fit.

No arguement there...

Quote:

However, in this model there is always an organization that is responsible for administration of the domain(and that is not HR).

No...In this model there are two OU's. One for HR, and one for the rest of the domain. The other admin's would have rights, and be responsible for the second OU. The Lead/Senior Network Administrator would be responsible for actual domain/enterprise changes. (Thus handling HR administration as well.)
This is all about the company's security policy towards the HR department. Who should have access, who should manage, etc. If the comany policy says only these people will have access to these documents, then what would you do if the names on that list did not include your group of administrators?

This is a common practice in most medium/large/enterprise type environments. Think about it. Would you want 20-30 Domain Admins in your organization? Hell, I wouldn't even want 10! I'd have certain administrators handling the ins and outs of their specific OU's. This way when something happens, I know exactly who to go to. This is how plenty of people structure their networks with AD. Hell, why do you think this feature is in AD?

I've also done some very basic reading up on PGP. I did come across this SITE
It has to do with some security aspects of PGP. It seems to me that if a highly determined domain admin wanted to get at the data, then he/she could. Remember that a Domain Admin has full access to every single machine on the network. They could venture into the HR managers machine, and I'm sure (if they were malicious and deteremined enough) could find a way to bypass the PGP encryption.

All in all, network structuring depends on how the head of IT/IS wants to structure their Domain/Enterprise. It depends on security policy, and it depends on the environment.

Take Care!
:D

Show 40 post(s) from this thread on one page