joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

AD Admin Access is a Privilege, Not a Right

by @ 12:03 pm on 4/17/2015. Filed under tech

I have never successfully been able to stabilize an environment while someone thinks they have god given rights to have Domain Admin rights based on any number of perceptions they have about themselves and their abilities but no real feet to the fire responsibility for the Directories core functionality.

You know those people, they complain that things aren’t done fast enough or to their standards or they have some application that absolutely requires it (go get a different app then). They think that there really is nothing to being a Domain Admin and that anyone can do it or at least they could and a damn sight better than those doing it now. They may be right, they may be very very wrong. My experience has been that if they are loud or insistent about it, they are usually very very wrong.

Personally, I never want any Admin access when I walk in the door of any company I go into. I usually have to say no, take that access away… If I must have an ID, I want a normal user ID, not an admin ID. If I need something I can’t reach as a normal user (a surprisingly small list usually) I will reach out to someone who is an admin and truly responsible for the environment and ask them to help. And this is with me generally being the best, or one of the best, most knowledgeable, most informed AD people involved with that company at that or possibly any time.

I am not trying to be boisterous, I am trying to be honest about it and you will find many of your best Windows/AD guys are in the same boat. I have been doing this AD thing a very long time now (since beta of Windows 2000 and beta of VMware Workstation in the 90’s) and Window NT before it and computer programming going well back into the 80’s. I have been a Microsoft MVP for Directory Services since 2001 which says MSFT says it is worth listening to me about AD and they often do so internally. In my day jobs over the years and through conferences and people contacting me via email I have worked directly and indirectly with hundreds of companies’, governments’, and militaries’ AD’s including probably most of the Fortune 50. Generally when someone is clamoring for the admin access, I often feel they are someone who truly shouldn’t get it. When deciding if someone should have Domain Admin access I ask myself, is that person the last line of defense before calling Microsoft when everything goes pear shaped at 2:00AM?

In a previous Fortune 5 company I worked in, ok it has been long enough that I have been away now, it was Ford Motor Company, we set up a process by which someone could get Domain and Enterprise Admin rights when HIRED to be on the Enterprise Admin team (the name of the group that ran Ford’s Active Directory).

How long do you think it took for someone to get Domain Admin? A day? A week? A month? If they were good it would take at least 3-6 months. They spent that time learning the environment and how we did things there and more importantly why we did things the way we did them. We beat "be scared but not too scared to react" into them. The idea being that you may think you know it all but you can still screw up so take things slow and make sure you know what you are doing for sure from all angles first. At the end of their "internship" they would have to run the gauntlet which involved sitting in a conference room with the current Enterprise Admin Team for several hours and being questioned by them and the team manager on any and every possible thing including their favorite color if a team member so chose to ask that question. We had a list of questions but that was a minimum bar guideline.

If anyone on the team wasn’t comfy at the end of it knowing full well they were giving a gun to someone who could quite figuratively shoot all of them in the head with one stray bullet the person went back to internship for another month or two before they could run the gauntlet again. Note this wasn’t a brain pissing match or my AD junk is bigger than yours; it was about truly and completely doing what we could do to safeguard who got critical access rights that we would at some point be completely depending on some night at 2:30AM when the Domain Controllers were burning to the ground. The team was such that if something really bad happened, you could get anyone on the team and you would be in great hands.

    joe

Rating 4.50 out of 5

2 Responses to “AD Admin Access is a Privilege, Not a Right”

  1. Fred says:

    Joe,

    Great information. Do you still have that list of questions you mentioned?

    Thanks,

    Fred

  2. Ken B says:

    I read that…and all I could think of was “wow…I wish we would do something…anything like that here!”

    I’d also be interested in the nature of the questions…if only to see if I could answer them for myself! (being I’ve been doing “AD” since June 2000, NT 4.x back to 3.1 and before (3.1 betas delivered on (qty) 36-39 3.5″ floppies…I think I still have a set at home!) I remember some of the interview questions from MCS (I declined the job) so I would think they would be on par with those.

[joeware – never stop exploring… :) is proudly powered by WordPress.]