Me, a Domain Administrator: "Boy, I sure hope the FDIC IT Audit goes well!"

Braindead FDIC Examiner: "So let me get this straight, you use your administrator account to do things on a day-to-day basis?"

Me: "Uhh, I'm an admin so yeah, my account has admin privileges."

Examiner: *gives disapproving glare* "And your personal account has administrative rights?"

Me: "...I'm an admin... So I thought that'd be fairly obvious."

Examiner: "I'm sorry, but that is unacceptable. How can we tell which admin made what change when?"

Me: *dumbfounded* "...I'm sorry, what?"

Examiner: "You're going to need separate accounts, 1 normal user account and 1 admin account per domain admin."

Me: "You do realize that everything I do while I'm working requires elevation of SOME kind, don't you?"

Examiner: "I'm sorry, but you need to make this change. Thank you."

Me: *stares at the short pile of braindead shit as he walks away*

    I agree with the other person
    @octothorpe And why is that? I already have to enter admin credentials way more times a day than I’d like, with a different account I’d have to enter admin credentials at least 4x more a day. Fuck that.
    What's the point of a user account and an admin account if both have admin privs? Seems like that violates the least priv rule.
    @octothorpe Maybe I wasn’t clear in my rant. My user account IS an admin account. I’m straight up, all access, administrator. That’s my job. The examiner is saying that we need to CREATE a second account, one that is a NORMAL account without any admin privileges.
    Ok. Even so, it makes sense. Maybe it seems impractical. I see where he is coming from. Take the very likely event that an admin on your network is the target of a phishing scam as an example. In the hopefully unlikely event that he/she falls for it, having a single god account becomes a problem if that is the same account they use for everything. It's not crazy to have an account for business, email, etc. and an account for admin activities.

    [Edited] for clarity, I hope
    @octothorpe Okay, I can understand that. It is still rather inconvenient.
    Oh yeah, it would be super inconvenient haha
    There are recommendations, best practices and rules written out. Braindead examiner is right.
    Source: Am sysadmin and have two accounts. And yes, it is frustrating. Just have mmc loaded under your admin account name with run as admin.

    To make things more clear, the admin account is mostly a non-interactive login account (don't use it to log in to systems unless it is strictly required by some setup or something).
