Lock up my domain admin account


  • Lock up my domain admin account

    Hi all,

    I need your help!!
    I have to lock up my domain account against deleting, locking and resetting....
    We have 2 domain admin accounts.....one for me and one for an external person who can intervene on it.
    We can't block him, but I have to prevent him from deciding to block me or reset my password....how can I do that??

    Any suggestion would be very much appreciated.


    Thanks in advance

    PS: we have a dc2012 forest...

  • #2
    Re: Lock up my domain admin account

    If you do not trust someone completely, do not give them a domain admin account. Think about disabling it and only enabling when needed, then supervising them.

    Why (in detail) do they need domain admin permissions - there may be alternatives
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Lock up my domain admin account

      I very much agree with you...for sure...
      but I've inherited the management of a company that was managed completely by an external consultant....
      Really, he built it ....dc...dns...dhcp, network, hyper v infrastructure....now I have to take over this control so I can manage it myself and ask him for help or consultancy if needed...this company is in another country and he has to be local support and not the owner !!!
      I don't know him very well and I can't say I trust him...so I HAVE TO PROTECT MYSELF!
      Additionally, I don't know how he configured all the systems, so I can't revoke some privileges ..

      I'm very desperate!

      Please help me to understand how to become the owner of my systems....



      • #4
        Re: Lock up my domain admin account

        Under the circumstances you appear to have no option but to trust him - is there any reason why you should not?

        If he is silly enough to damage the systems, check his contract (I hope there is one) has some penalty clauses in it!

        One option is to make him a local admin on client machines (use Restricted Groups GPO) and not a domain admin, so he can do things on everything except domain controllers.

        You should also learn the configuration - ask him for documentation or document it yourself, and enable auditing of Active Directory changes. Also make sure there are reliable backups (and you know how to use them) so if there is any sabotage, you can roll back quickly
        Tom Jones



        • #5
          Re: Lock up my domain admin account

          Thank you very, very much.
          I would like to proceed this way:

          1: try to trust him
          2: make him local administrator
          3: check if he isn't a member of the local admins on the servers
          4: check if some service is running with this account
          5: try to access all servers and services with my account

          6: remove him from the domain admins group and leave him all the privileges to act on servers.

          What do you think about it?

          Thanks a lot

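One way to carry out checks 3 and 4 from the plan in post #5 before removing the account from Domain Admins, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module and WinRM access to the servers; `consultant-placeholder` is a placeholder for the consultant's account name.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
# Assumptions: RSAT ActiveDirectory module, WinRM reachable on the servers;
# 'consultant-placeholder' stands in for the consultant's sAMAccountName.
param([string]$Account = 'consultant-placeholder')

Import-Module ActiveDirectory
$user = Get-ADUser -Identity $Account

# Groups the account is in, nested membership included (matching rule
# 1.2.840.113556.1.4.1941). The DN is escaped for use inside an LDAP filter.
$dn = $user.DistinguishedName -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
$names  = @($user.SamAccountName) + @($groups | ForEach-Object SamAccountName)
$logon  = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'   # DOMAIN\name or name@domain

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"'
$report = foreach ($s in $servers) {
    try { $cs = New-CimSession -ComputerName $s.DNSHostName -ErrorAction Stop }
    catch {
        [pscustomobject]@{ Server = $s.Name; Kind = 'Unreachable'; Detail = $_.Exception.Message }
        continue
    }
    # Step 4: services whose logon account is the consultant's.
    Get-CimInstance -CimSession $cs -ClassName Win32_Service |
        Where-Object { $_.StartName -match $logon } |
        ForEach-Object { [pscustomobject]@{ Server = $s.Name; Kind = 'Service'
                                            Detail = "$($_.Name) runs as $($_.StartName)" } }

    # Step 3: local Administrators, located by its well-known SID (S-1-5-32-544)
    # so a localized group name does not matter. Matching is by name; Detail
    # shows the member's domain so a same-named local account can be told apart.
    $admins = Get-CimInstance -CimSession $cs -ClassName Win32_Group `
                  -Filter "LocalAccount=TRUE AND SID='S-1-5-32-544'"
    if ($admins) {
        Get-CimAssociatedInstance -InputObject $admins -Association Win32_GroupUser -CimSession $cs |
            Where-Object { $names -contains $_.Name } |
            ForEach-Object { [pscustomobject]@{ Server = $s.Name; Kind = 'LocalAdmin'
                                                Detail = "via $($_.Domain)\$($_.Name)" } }
    }
    Remove-CimSession $cs
}
$report | Sort-Object Server, Kind | Format-Table -AutoSize
```

A `LocalAdmin` row that reads "via ...\Domain Admins" is access that goes away at step 6; any other row is access that remains afterwards. `Service` rows are the services that need a different logon account before the consultant's account is restricted or disabled.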