-1

I have 69 Administrators in AD and I have noticed they are doing all kinds of whacky (and untrustworthy) things.

This is an audit nightmare, and I was wondering if there is a way to disable an Admin on, say, every Monday and Wednesday?

Marcus Müller
  • 5,843
  • 2
  • 16
  • 27
J J test
  • 13
  • 1

3 Answers

5

I would characterise the situation (as stated) as: "The dam has burst and the city is flooded with 3 feet of water. Where can I buy mops?" You appear to have a much, much bigger problem on your hands than limiting the access of your admins to certain days.

Limit the people who have admin rights to those who have been trained in your company's policies and procedures and remove those who violate policy. Which means that you need to have policies and procedures and the will of management to enforce them.

And that's where I'm guessing the burst dam is.

If you have neither policies nor management support, then I think that you can set aside your desire for admin limits. It's time to start building that dam to protect the town.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • This is a great answer plus I love the analogy. I'm interested to know how these users became admins in the first place, it kinda' reminds me of that scenario where you set up a community or a forum and you give your friends admin just because they're your friends. –  Jul 27 '18 at 11:15
  • 1
    In my experience, probably something like: one admin, a hundred users, many of those with very legitimate need to install software locally, on what is logically understood to be "their" machines. Instead of making dozens of local admins manually, admin, under time, social and management pressure to unclog development, was forced to solve the situation to make all these power users admins. This was not implemented perfectly, so that these are now AD admins. – Marcus Müller Jul 27 '18 at 11:56
  • +1 for "solve the human problem first". Good frame-challenge! – Mike Ounsworth Jul 27 '18 at 13:11
3

You're trying to fix a problem that is very, very clearly a human one with naive technology. Someone who does "whacky things" on a day where they are not on-duty as admin cannot simply be trusted because it's Tuesday afternoon now and they are on-duty.

While restricting access at times where it's not needed certainly sounds like a reasonable additional thing, you have untrustworthy admins on your AD.

The solution to that is not restricting when they do bad things. It's restricting them from doing bad things at all, or educating them to not do such things, and reestablishing trust.

If you can't trust your admins, you need better admins, not less time in which they can do harm.

A reasonable thing to do would not be restricting the times they have access, but to more finely control what they can do. For example, you might have someone who's gotten admin roles on your AD because it's their job to add new user accounts for new hires. Giving them the right to add admin users, delete users, add machines, change policies on your AD is totally unnecessary. So, take these rights away from them. That can be done via technological means, or via human resources means.

Marcus Müller
  • 5,843
  • 2
  • 16
  • 27
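Both schroeder's answer (limit admin rights to the people who are approved to hold them) and Marcus Müller's answer (take unnecessary rights away) start from the same step: finding out who actually holds privileged group membership today. The script below is an added example, not code from the question or from either answer. It uses the ActiveDirectory RSAT module, enumerates the standard privileged groups including nested membership, compares the result against an approved list, and dry-runs the removals. The group list and the approved names (`adm.alice`, `adm.bob`) are constructed for illustration; replace them with your own.

```powershell
# Added example (not from the question or any answer): inventory privileged AD
# group membership, flag accounts that are not on the approved list, and dry-run
# their removal. Assumes the ActiveDirectory RSAT module is installed and the
# running account can read group membership. Approved names are constructed.
Import-Module ActiveDirectory

# Groups whose membership grants broad control over the domain or forest.
# Enterprise Admins and Schema Admins only exist in the forest root domain,
# so lookups for them are allowed to fail quietly in child domains.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators'
)

# Constructed example: accounts formally approved to hold admin rights
# (trained on policy, signed off by management).
$Approved = @('adm.alice', 'adm.bob')

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged accounts
    # (member of a group that is itself in Domain Admins) are not missed.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties Enabled, LastLogonDate, PasswordLastSet
        [pscustomobject]@{
            Group           = $Group
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            LastLogonDate   = $User.LastLogonDate
            PasswordLastSet = $User.PasswordLastSet
            Approved        = ($Approved -contains $User.SamAccountName)
        }
    }
}

# Report every privileged membership that nobody has signed off on.
$Unapproved = $Findings | Where-Object { -not $_.Approved }
$Unapproved | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Dry run of the clean-up. Remove -WhatIf only after the list has been
# reviewed with management, since some of these may be service accounts
# that break things when pulled out of a group.
foreach ($Entry in $Unapproved) {
    Remove-ADGroupMember -Identity $Entry.Group -Members $Entry.SamAccountName `
        -Confirm:$false -WhatIf
}
```

Run it as a scheduled audit rather than once: the first run gives you the list of 69 to take to management, and later runs tell you when someone has been added back. For the people who only need to create users in one OU, the follow-up is to delegate that one right on that OU (Delegation of Control in ADUC, or an ACE on the OU) instead of leaving them in Domain Admins.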
1

I know you're looking for something built in to AD, but one thing that comes to mind is custom Credential Providers (i.e. replacing the Windows login screen with a custom one and adding additional logic on whether or not to accept their username/password).

If you can figure out how to program it, you can enforce it; Jane can only log in on Tuesdays and Saturdays. Fred can only log in on a full moon. John can only log in while Mary is not marked as "In a Meeting". Whatever.

Building your own is probably out of the question, but I'd bet there's a vendor out there that sells a credential provider that will do schedules.

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207