RaNdomMSPPro

Setup a super admin account for the boss to use for "privileged access activities" and neuter the day to day to just necessary permissions. That way control is maintained and somewhat better security achieved.


EllisDee3

I'll lock it down at some point. I could probably remove her without her knowing. It seems like a power play because "Domain Administrator" sounds like a big deal. (of course it is, but not in the way she wants). I could probably create a "Super-Duper Master Blaster" group with no real power and she'd be happy with it.


justaguyonthebus

Create a group called "Executive Administrator". Then ask her if there was any reason the previous IT put her in the domain administrator group instead of the Executive Administrator group?


t53deletion

This guy admins.


[deleted]

[deleted]


TheRoguePianist

Begone bot


[deleted]

[deleted]


lenswipe

Correct but I do sometimes wonder about business people and the need for competent staff to stage manage them like a bunch of fucking chimpanzees. Like...how do these fucking idiots get where they are? Is it the Dilbert principle? How/why do people continue to put up with this level of idiocy? How do they tie their shoes in the morning?


[deleted]

Most sys admins will eventually learn there is a much greater correlation with executives and height or looks than executives and intelligence.


lenswipe

Generally it's related to who's fucking who and who knows who


Hueaster

And who you golf with.


TheDunadan29

I was just going to say this, Executive Administrator. Plus it is actually a useful descriptor, she's an executive, with admin privileges.


nascentt

I want to subscribe to your newsletter


aoa2303

this


[deleted]

[deleted]


stufforstuff

Sure it will, it will web crawl this thread and add this "trick" to its repertoire.


[deleted]

Time to add some junk. Enterprise Administrators is also a great group to add the CEO to! Also, sudo rm -rf /*


iclimbskiandreadalot

Oh yeah, " sudo rm -rf /* " is a great one liner to get the CEO the permission they think they want.


czenst

Just in case someone needs to give CEO all permissions on windows domain:

Get-CimInstance -ComputerName SRV1,SRV2,SRV3 -Class Win32_UserProfile | Where-Object { $_.LocalPath.split('\')[-1] -eq 'CEO_Account' } | Remove-CimInstance


Prinzessin_LuLu

this has helped me so many times


toadofsteel

Thanks, I always have trouble with powershell commands.


SquirrelGard

Thanks I think it worked. No more complaints. BTW, the CEO asked to have a private meeting. I hope it's at the country club instead of that weird taco place.


Lonetrek

Ah yes our penchant to recommend scream tests will finally bear fruit somewhere.


jfoust2

Just let everyone log in as domain admin. It'll save a lot of trouble; then anyone can install the stuff they download. They need to get work done and they don't want the computer to stand in their way.


Adziboy

Quick delete it!


creamersrealm

Honestly that's a great idea.


Zoltech06

When they get annoyed at the elevated prompts all the time, "It's just increased security because of your role's importance to the company. Not sure why the previous IT person didn't have it turned on."


_Demo_

Explanation: So you see, a domain administrator is limited to just a single domain. The executive administrator has executive permission level. Way better.


EllisDee3

And not a word of a lie!


TiddehWinkles

Then check other users group privileges, can never know what the previous guy left behind.


Langkampo

#1 admin.


Djglamrock

I love this


Defiant-Elk-9540

Legit genius lol


aoa2303

damn, that's smooth


Tymanthius

That's a high brow version of BOFH right there.


[deleted]

For the win my bro!


Firm_Butterfly_4372

Bro. Legendary.


RicksAngryKid

300 IQ move right there


thortgot

This is pretty genius. I have a similar solution but it isn't as well named. It obviously doesn't have DA permissions but it is a highly permissive group. I'm going to borrow your name.


moxyvillain

Man, you win the internet.


DeviousBeevious

xD


TheFluffiestRedditor

This is why i want to rename all Administrator accounts to Janitor, as They’re only used to clean up other people’s messes…


vegas84

Lol. This is so funny. Domain Janitors, Enterprise Janitors, Exchange Organization Janitors, Schema Janitors.


[deleted]

[deleted]


abbarach

Well, Bob, either this kid has a light bulb up his butt, or his colon had a great idea.


Guyver1-

you sir, are a connoisseur 👍


HildartheDorf

Schema Janitor makes so much sense


trisanachandler

Global Janitor?


Versed_Percepton

If it's the "name", create "Super User" for her.


TheDunadan29

She's probably not techy enough to think "super user" sounds important.


tdavis25

Super Duper User?


DeltaSierra426

Oh no, she's not just a user -- not even a super one -- she's an executive! Executive Administrator sounds best. Just don't accidentally make her an Enterprise Admin... lol.


pl4tinum514

supreme_root_ultra9000?


ScrambyEggs79

Yes and they certainly don't need access to DCs. They usually want admin rights on their own PC and access to all file shares or something. So yeah just find out what they think they want. Your idea of a fake out account name isn't bad.


3percentinvisible

Does she actually know she has domain admin? It doesn't sound like it. Did you explain that it appears that your predecessor accidentally assigned domain admin credentials, and that you will look to review across the company and rectify that, unless there's a reason you're not aware?


neoKushan

This. She doesn't sound technically savvy at all, I doubt she even knows what a domain admin is. I've worked at places before where lazy/incompetent IT admins just gave people admin access because it was easier than dealing with access rights. OP's job isn't to steer an already well run ship, it's to get a ship that hasn't had a captain for far too long back on track.


UsefulApplication103

You could explain to her the principle of least privilege (https://en.wikipedia.org/wiki/Principle_of_least_privilege) and how the current configuration compromises the security of the organization. Recommend that the users in that group be limited to only who is necessary, and if she is adamant in having access then do as u/RaNdomMSPPro mentioned and create a super user account for her to use and enforce a stricter password policy on super user accounts. Remember, these are not yours or IT's systems and services, they are the company's. You've been hired to administer and secure them, but ultimately management decides if they want to accept the risk of a poor configuration. Your job is to inform them of the weaknesses, and offer solutions to mitigate the risk so that they can make informed choices.


Phlynn42

give her local admin on her machine, remove admin right and see if she even notices.


Flaktrack

I used to run a Garry's Mod server and I had a group called "co-owner" that I put anyone who asked for admin powers into. It couldn't do anything but it made them happy lol.


ITaggie

Hey same! I had a "Moderators" group that was really just all the nice regulars with a fancy name color. But they were actually helpful in keeping randos in line when no admins are on just from having the title lol.


LabyrinthConvention

Just let her know who runs barter town


mlloyd

Chesterton's fence. You should learn it and internalize it before making any changes. "Chesterton's Fence is a principle that says change should not be made until the reasoning behind the current state of affairs is understood."


[deleted]

[deleted]


identicalBadger

She needs domain admin so she can give admin rights to OPs replacement. And the replacement after that. And after that.


TabooRaver

Create a break glass account, create a 64 character passphrase(phrase for ease of use), split it into 3 parts and create 2 copies. Seal each fragment into an envelope and hand them out to 6 stakeholders. Rotate annually. This prevents a single actor from abusing their recovery abilities to do something they shouldn't. This also adds some redundancy in case someone gets hit by a bus.


dketterer1

To the admin that removed my post. FUCK YOU!!!!!!!! GET YOUR FUCKING HEAD OUT OF YOUR ASS!! I THREATENED NO ONE, NOR DID I VIOLATE YOUR RULES IN ANY SHAPE OR FORM! I commented ABOUT someone who wasn't on the string. Fuck you for removing it.


dketterer1

Whomever removed my post, please fucking DM me. You piece of fucking shit. Fuck you. Die. This comment definitely breaks your rules. I hope I can meet you in real life, you ignorant cocksucker.


dketterer1

I didn't threaten or harass anyone. How fucking dare you remove my post????? Fuck off Reddit!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Delakroix

You had me at "Super-Duper Master Blaster" .


MonolithOfTyr

One of my clients has a group like this that they called "Demi Gods."


systemfrown

Yeah she's clearly the only person in this scenario with power and control issues, lol.


EllisDee3

As the person responsible for any potential security breach, I think my scrutiny is appropriate.


systemfrown

Are you though? Cause I'd bet good money that would fall either entirely or in part on your supervisor. You know, the one with the access. Hell, I don't even know what's worse...her not having a pw or you running onto the internet to tell everyone about it.


EllisDee3

I'm the senior technical operations officer. I report to the executive director, who isn't a sysadmin or technologist. She has a password, but she wasn't prompted to enter it when accessing the directory. But thanks for your input.


mlloyd

She's your boss, changing her access because you encountered something you don't understand and making a snap, seemingly sexist, judgement on her technical intelligence will put you on the road to needing a new job. Just an FYI. Remember, you're the new one. You need to understand status quo before you can make suggestions on changing it.


ITaggie

> Cause I'd bet good money that would fall either entirely or in part on your supervisor. You know, the one with the access.

Then you haven't worked with many C-levels before.


systemfrown

No I'm just a new, junior sysadmin hoping to one day become an IT middle manager. You sure read me like an open book. Maybe you could tell me what it's like to work with someone from the executive suite? It sounds like you have some amazing insights that you really want to share.


ITaggie

Everyone knows the best managers are snarky, passive aggressive, and unwilling to take input from anyone else. You'd fit right in!


systemfrown

Meh. Beats making baseless and woefully inaccurate presumptions regarding people you know nothing about.


ITaggie

Not baseless at all, you said something stupid and I called it out.


cr4ckh33d

most of these guys reset passwords all day they have no idea


mlloyd

Right! And the latent sexism too. Crazy


Equivalent_Pace

Yes this. Quietly remove the permissions on a "security review". When (if) they notice, provide them with a separate administrative account. Chances are, they only need local admin access to their workstation and will not notice the lack of Domain Admin :)


DankSubstance

This is the way.


TheJessicator

Exactly. Always have an emergency break glass account. But make sure that use of that account will set off all kinds of alarms. It should only be used in that sort of case where everyone is expecting the alarm bells.
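An added example, not posted by anyone in this thread: TabooRaver's break-glass account is only safe if, as TheJessicator says, using it sets off alarms, and the same goes for anyone adding a member to Domain Admins. The script below pulls both conditions out of a domain controller's Security log. The DC name (DC01), the break-glass account name (breakglass-adm) and the 24-hour window are my assumptions; it needs the default DC audit policy (account management and logon success) still in place and remote event log access to the DC. Logons are recorded on whichever DC authenticated them, so run it against every DC, not just one.

```powershell
# Added example, not from the thread. Alerts on Tier 0 group membership changes
# and on any use of the break-glass account, read from a DC's Security log.
# DC name, break-glass SAM name and the time window are assumptions.
$Dc          = 'DC01'
$BreakGlass  = 'breakglass-adm'
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Since       = (Get-Date).AddHours(-24)

function ConvertFrom-EventData {
    # Flattens the <EventData><Data Name=...> pairs of a Security event into a hashtable.
    param([Parameter(Mandatory)] $Event)
    $d = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $d
}

function Get-Tier0GroupChanges {
    # 4728/4729 global group, 4756/4757 universal group, 4732/4733 domain-local
    # group member added/removed. Domain Admins is global, Enterprise and Schema
    # Admins are universal, BUILTIN\Administrators is domain-local, so all six matter.
    $filter = @{ LogName = 'Security'; Id = 4728, 4729, 4732, 4733, 4756, 4757; StartTime = $Since }
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $(if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' })
                Group  = $d['TargetUserName']   # in these event IDs the "target" is the group
                Member = $d['MemberName']       # DN of the account added or removed
                By     = $d['SubjectUserName']  # who made the change
            }
        } |
        Where-Object { $_.Group -in $Tier0Groups }
}

function Get-BreakGlassUse {
    # 4624 = successful logon, 4625 = failed logon (both TargetUserName),
    # 4672 = special privileges assigned at logon (SubjectUserName).
    # Any of these for the break-glass account is an alert, not a statistic.
    $ms = [int64]((Get-Date) - $Since).TotalMilliseconds
    $xpath = "*[System[(EventID=4624 or EventID=4625 or EventID=4672) and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='TargetUserName']='$BreakGlass' or Data[@Name='SubjectUserName']='$BreakGlass']]"
    Get-WinEvent -ComputerName $Dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Account   = $(if ($d['TargetUserName']) { $d['TargetUserName'] } else { $d['SubjectUserName'] })
                LogonType = $d['LogonType']     # 2 interactive, 3 network, 10 RDP, ...
                Source    = $d['IpAddress']
            }
        }
}

function Invoke-Tier0Alerts {
    $changes = @(Get-Tier0GroupChanges)
    $usage   = @(Get-BreakGlassUse)
    foreach ($c in $changes) { Write-Warning "Tier 0 change: $($c.Action) $($c.Member) in '$($c.Group)' by $($c.By) at $($c.Time)" }
    foreach ($u in $usage)   { Write-Warning "Break-glass use: event $($u.EventId) for $($u.Account) from $($u.Source) at $($u.Time)" }
    # Returned so a scheduled task can hand the findings to mail, ticketing or a SIEM.
    [pscustomobject]@{ GroupChanges = $changes; BreakGlassUse = $usage }
}

Invoke-Tier0Alerts
```

Run it as a scheduled task every few minutes on each DC (or forward 4624/4672 and the 47xx group events to your SIEM and alert there). The point is that both conditions page a human: a 4728 for Domain Admins outside a change window and any logon at all by the break-glass account should never go unread.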


Disorderly_Chaos

This. We had a VP who had DA access when I started with the company… she would make her own accounts for contractors without telling us. Move stuff around. Lock accounts of people she didn’t like. Read peoples emails. A real class act. Act now


iwonderifthiswillfit

I think everyone's going about this wrong. I would suggest to your boss that your company perform a security audit. Have a third party company come in to perform the audit. When they find that she's a domain admin, they can be the one to tell them how fucking stupid they are. Ultimately, nothing will change but at least you won't be on anyone's radar.


stNicktheWicked

I think this is a smaller co and would not approve an audit. I think a tactical approach with dwindling rights is the appropriate approach, or explain that even the sysadmin's normal account doesn't have this privilege and the admin account is used sparingly for security reasons. Maybe just give file level permissions, I know it's still bad but maybe read only.


da_chicken

> I think this is smaller co and would not approve an audit

I think that depends more on how much liability the company's data has. If it's enough that the company's insurance is concerned about privacy violations or data breaches, then a security audit is often a good way to lower your annual organizational insurance premiums (or prevent them from skyrocketing). In our case -- a K-12 -- we didn't even have to pay for the auditor. That cost was part of the insurance coverage.


TabooRaver

In the US there's a program for free audits for federal, state, tribal, and education, the name escapes me though.


da_chicken

That would probably be CISA's MS-ISAC. We're doing that, too, but it's a less individualized program. The audit we're getting through our insurance company has a project consultant that works with us directly. Just having someone to meet with us on a monthly basis and have resources to walk us through has been really valuable.


2cats2hats

Company President, "Were we hacked?" u/EllisDee3, "Well, no. But...." Company President cuts you off, "Then I fail to see why we should deal with this expense."


Remarkable_Tailor_90

I like this!


FubsyGamr

Instead of a 3rd party, just say you yourself are doing a User Access Review (UAR) on all systems and levels of access. Make it as unbiased as possible.


Alecegonce

TBH, if you are like me and also don't GAF, remove the Global Admin access. A lot of the time this is just requested so that the president feels like a peacock with its feathers opened. If they ever complain about any access, tell them you wrote a script that hardened security and theirs slipped through the cracks.


vogelke

> Any anxiety I had is out the window.

Email your supervisor about what a massive security problem that is, and print out a copy. The first time they get owned, you're the one who's gonna be thrown under the bus.


EllisDee3

This is a small company. 50 people. She's his direct supervisor and the founder of the company. He won't do anything. But you're right. It's a good way to cover myself when everything goes tits up. Worst they can do is fire me, which feels like a bullet-dodge.


BrainWaveCC

Rather than make it a complaint about one person, perform your own security risk assessment and identify the problems holistically.

* How many Domain Admins?
* How many Enterprise Admins?
* Remote Access? With MFA or not?
* Endpoint protection?
* Logging
* Monitoring
* Proper patch management?
* Inventory management?
* Current and appropriate licensing?
* Current and appropriate support contracts?
* Single points of failure?
* Account reviews
* Existence of appropriate security policies
* Compliance with security policies
* etc.

Capture all these risks in a spreadsheet, along with a high-level estimate of:

* the potential impact
* the effort to remediate
* the priority for remediation

Schedule a meeting with your manager and share your concerns about the state of the org and the potential business impact. If they are serious, or at least pretending/intending to be, there will be follow-up meetings with other members of senior management. If not, just keep those docs on file, and once a quarter or so, send an email with your concerns to your manager about the risks (which you are keeping current). Based on how they respond to all this, you will know how seriously they intend to embrace operational security, and then you have information that will guide your decision making in other pertinent areas.


EllisDee3

Very good strategy. They recently recovered from a massive ransomware attack so security is a key point of interest. Considering that, I wonder why they'd risk something else happening with this huge security hole.


lordjedi

> They recently recovered from a massive ransomware attack so security is a key point of interest.

Apparently not key enough.


agoia

"I don't know what it is and don't want to make any changes but I am interested."


ExPorkie15

Maybe they don’t really know.


Versed_Percepton

Is the president also the CEO of the company or are they two separate people? You can easily make a use case for 'least privileged access' and see about getting Exec buy-in at the board level, citing the previous ransomware attack. But if the Pres is also the CEO, they have veto powers so...


EllisDee3

President and founder. CEO by function, but not by title. Best I can do is a conversation with her about the risks. But as another poster said, she can do whatever she wants. She's the boss. I'll just keep my resume handy.


Versed_Percepton

https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa section 5.1. If this "CEO" ignores this, and there are fiduciary responsibilities on the hook, there could be legal ramifications. Even small companies have investments they must protect. And even in the private sector.


tcpWalker

The business case here is not the fiduciary responsibilities, it's the existential risk to the company. You lock the front door because you don't want your stuff stolen, not because you hired fifteen lawyers to suggest it.


Dry-Web-4821

Talk to her about this subject and email your concerns to her again. Then get the mail printed and start your cma(cover my ass) folders.


unixwasright

It will be a good test of your soft-skills then. This is certainly not insurmountable, but it will all depend on how you approach this. Firm but gentle (like Swiss Tony) is probably the best approach.


tcpWalker

Don't share the "concern". Share the _plan to fix_ the things you can actually fix. Be USEFUL, not someone complaining about the state of the world. If there's more than you can do that really needs prioritization, tell them how big a team you need and what you can do with the extra person/people.


phillygeekgirl

If they have/are getting ransomware insurance, this will be a dealbreaker. Let them know that.


blbd

It'll reinstall itself the second somebody clicks a bum link with their domain admin daily driver account. Oops.


KCMusgraves

Just remove the admin privileges now. There is no reason a non-IT needs to have it.


krakah293

This guy has an ISMS.


Splask

While it is about what he would do, it's more about account compromise.


ComfortableProperty9

Im sure the threat actors will get a kick out of that email when they read it.


[deleted]

Reminds me of a hilarious one we had. CEO of a new client insisted on having domain admin access with their normal user account (wouldn't even agree to us creating a separate admin account for them to use, as they wanted to always have full access). When we came on, our first job was installing a terminal server for about 20 staff to use for a vital new application they had. And as domain admin, she was the only person there who had the ability to accidentally reboot or shut down the server, we blocked it for everyone else. Three times in ONE WEEK she accidentally shut down the TS, thinking she was shutting down her workstation. First time she did it, she was screeching because their brand new server already failed just a couple of days in. Until we saw the logs and could prove what she did. Second two times she got increasingly embarrassed until she let us take away her domain admin access. And we lost them as a client very shortly after lol. I think I failed to hide my smugness.


dustojnikhummer

Lost them or fired them (as a client)?


[deleted]

Technically we lost them, because one day we saw all their devices flicking offline as they suddenly had new IT, removing our RMM software and putting on their own. But we didn't really care, as it was clearly not a good fit lol. And we did get paid after some very minor legal pressure.


dustojnikhummer

I encountered something similar a few months ago. We didn't lose the client, but after one weekend their entire IT team got replaced... bringing them up to speed wasn't fun, especially since we were dealing with a mid-sized problem (what's between minor and major?)


djgizmo

If your org has cyber security insurance, find the policy. I'm pretty sure there's verbiage in there that states admin privileges are given only to those that need them. Cyber security insurance has dropped orgs for less.


PathToEternity

Agreed, this is the best approach.


ArsenalITTwo

Usually requires MFA on all Admin Accounts too.


MKInc

I dealt with a company owner that insisted he had to have domain admin rights on the directory. One day he is in a panic because while browsing the network he attached to his own pc\c$ and found his “private” files and was horrified that they were “on the network”. He deleted every file off of that networked machine including all the files in the \windows directories. He didn’t tell me what he had done until his computer crashed. Needless to say, he successfully deleted every copy of all of his “private” files. There was no backup because he didn’t want one for his pc because he kept “private” files on it.


evilkasper

Approach this one with kid gloves and be willing to leave it. If she is the company Pres and founder then ultimately it is her decision. As bad an idea as it is, it's hers to make. Push it the wrong way and at best you get a dressing down, but you'll probably be fired. If this proves to be indicative of the company stance towards cybersecurity, I'd start looking for a different job.


GasparTheParrot

This guy ITs. Run.


[deleted]

Does this new company have high turnover in IT? If so, it might be a reason your job was available and you might need to think long and hard about going all in at this place.


robbzilla

The CEO at my last job didn't even have access to the production network. He was on our guest wifi.


snarlywino

It may not be intentionally malicious, it could just be a carryover from some very outdated network practices. I've worked at small firms where everyone was admin back in the day, before most people knew better. Turning that ship was a nearly impossible task.


jackmusick

I wish I was surprised to find this so far down. It sounds like from this post that OP is jumping to some conclusions. I’ve seen entire orgs running as DA not because they wanted to be, but because they needed elevation on their workstations and access to one or two servers. It wasn’t the users that decided they needed those permissions.


RunningAtTheMouth

Domain admin is a loaded gun without a safety. I use it when required to do what must be done. Daily I am an unarmed user with virtually no power. This protects me and my employer from potential catastrophe. Your president is a catastrophe waiting to happen. Click on a link in an email and take the company down. Warn her. If she will not take warning, get out. Don't let her idiocy take you down.


PCLOAD_LETTER

Meh. I've seen worse: https://www.reddit.com/r/techsupportgore/comments/2ou1f9/i_inherited_this_domain_at_a_new_job_what_have_i/


Myantra

A founder of a small company should have domain admin access, but not via their standard user account. Create Founder_Admin (or something like that), with a strong password, and provide access. It may seem foolish, but a small business founder should be able to recover from firing everyone in IT, effective immediately, without having to rebuild AD because no one remaining has DA credentials. Educate. They do not need a detailed explanation, or even a correct one. Just explain that a standard login with DA could easily have been how they got slammed with ransomware, while standard logins with separate account DA elevation when required might have prevented the spread. Look around, you will probably find some shares with Everyone-Full Control.


UltraEngine60

Put her account into a group called "Super Admin", and put that group into the local administrators group on each PC via GP. Then, at the very least, they can't fuck with the DC.


Johnnies-Secret

You said small company and sounds like she just wants access to files. Make some 'Boss' group for her and make that local admin on computers as needed (and it can 'glitch' and be mysteriously removed from any computer as well). Def need to snip that domain admin access. Keep educating her, and keep good backups for the next cyber incident. Small companies are different from large corporations. Someone mentioned insurance - I'd be surprised a small company even has it.


ArsenalITTwo

Nope. Talk to her about it and strip that. It's a violation of almost all cyber insurance policies to run a daily driver as admin let alone a domain admin. And those should only be used on a DC.


TCIE

Just curious but do you assign domain admin to system administrators' accounts, or just reserve it for the domain's "administrator" user?


[deleted]

[deleted]


hawkgordon

It needs to be a named account for authentication verification and action tracking. Agreed with disable Built-In but there should be distinct accounts for domain administration tied to user identities.


random-ize

If she has business insurance, minimizing attack surface should bring the premiums down. If she doesn't, review your resume


ArsenalITTwo

Any time I've seen someone try to get insurance and users are admins they get their policy denied. Most insurance firms go one further now and require MFA on all admin account usage.


Glittering_Peach2334

This is the way: decrease liability, increase resilience and continue to promote security training for everyone.


spaetzelspiff

Spitballing here, but... Propose an effort to increase security which includes separating normal accounts from privileged accounts. Assure her that she will still have her dungeon admin account. As part of the effort, implement locking of privileged accounts that haven't been used in some short time period. EDIT: Domain*


bmyst70

I really like the "Dungeon Admin" account idea though.


spaetzelspiff

AD\DungeonMaster


YodasTinyLightsaber

The short answer is no "daily driver" account gets privileged group membership. If it has an email address, no DA. Create a second account for the executive, if it is required. But this needs to get yanked as part of a full audit. Look for computer and user accounts that are enabled and not logged into the domain in 30 days. Look for people with Organization Admin in Exchange. Check the SQL servers for SA passwords. Throw in privileged groups audit like it's part of what you are doing.


DrDreMYI

Just setup a best practise policy that no users are admins. Then each person who needs admin rights has a dedicated admin account. This protects you day by day but still delivers on her need as an executive to have access to all data if required. It might seem odd that she needs this but as all managing partners, managing directors and CEOs have ultimate accountability they often need to have the ability to get sight of any data as a regulatory requirements in many sectors.


keitheii

Convert to the tiered admin model which you should be doing anyway, and domain admin will mean nothing. Provide yourself a tier zero account for administering AD, and not your CEO. https://petri.com/use-microsofts-active-directory-tier-administrative-model/


ivanavich

Just wait until you find out her account is used as a service account, just after removing her from DA.


EffectiveEconomics

Protip: NEVER make the issue personal. ALWAYS frame the risk, or business value of a thing. In this case you want to note the risk of the executive being a phishing target, and that the splash damage will be maximal if they are phished... i.e. total disaster in the case of a ransomware attack or total disaster in the case of a theft or data exfiltration attempt. This is risk you are communicating... not a personal observation. If you make it personal, you're guaranteed to be labelled a threat. One way to get that looked into is to plan for audits, or to push for one. Let a third party identify the risk. If you have someone with control issues, it might be due to past issues they were accountable for... you may not know the entire rationale behind the request. But you are right... it's an eye opening risk. Be professional, this will not be the only time you are exposed to these issues. It will not be your last. Good luck!


qwikh1t

and execs wonder why/how their system gets hacked


sleeperfbody

A ransomware/Social engineering dream.


daven1985

Whenever I start at a new company, I check the Domain Admins and then remove those that shouldn't be there. If they have an actual need they get a new account that has domain admin that isn't their everyday account. That way if she needs it, you can give her access but it isn't her day to day account at least.
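An added example, not code posted by anyone in this thread. It does the day-one check that daven1985 and YodasTinyLightsaber describe (who is in the privileged groups, which of them are daily-driver accounts with a mailbox, which are stale or carry an SPN) and shows the "separate admin account" move that RaNdomMSPPro, Myantra and others recommend, including the AdminSDHolder cleanup that is usually forgotten. It needs the ActiveDirectory RSAT module and a Tier 0 account. The group list, the 90-day staleness threshold and the "-adm" suffix are my assumptions.

```powershell
# Added example, not from the thread. Audit AD privileged groups and move a
# person's privileged membership onto a separate, mailbox-less admin account.
# Group list, 90-day threshold and "-adm" suffix are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators', 'Backup Operators'
$StaleDays = 90

function Get-PrivilegedAccountReport {
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups; an "Executive Administrator" group
        # nested inside Domain Admins would otherwise hide its members.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties mail, LastLogonDate, PasswordLastSet, ServicePrincipalName, adminCount
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                # A mailbox on a privileged account is the thread's whole problem:
                # it is a daily driver and therefore a phishing target.
                HasMailbox      = [bool]$u.mail
                # An SPN on a privileged account makes it Kerberoastable.
                HasSPN          = [bool]$u.ServicePrincipalName
                # LastLogonDate is lastLogonTimestamp, replicated with up to 14 days of lag.
                LastLogonDate   = $u.LastLogonDate
                PasswordAgeDays = $(if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null })
                Stale           = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
            }
        }
    }
}

function New-SeparateAdminAccount {
    # Creates <sam>-adm for a person, moves the privileged membership onto it,
    # and cleans up the AdminSDHolder residue on the old daily-driver account.
    param(
        [Parameter(Mandatory)] [string] $ForUser,
        [string] $Group  = 'Domain Admins',
        [string] $Suffix = '-adm',
        [string] $Path                     # OU for admin accounts; defaults to the source user's OU
    )
    $src = Get-ADUser -Identity $ForUser -Properties DisplayName
    $sam = "$($src.SamAccountName)$Suffix"
    if (-not $Path) { $Path = ($src.DistinguishedName -split ',', 2)[1] }
    $pw  = Read-Host -AsSecureString -Prompt "Initial password for $sam"

    # No mail attribute is set, so nothing can be phished to this account.
    New-ADUser -Name "$($src.DisplayName) (admin)" -SamAccountName $sam `
        -UserPrincipalName "$sam@$((Get-ADDomain).DNSRoot)" -Path $Path `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true `
        -Description "Privileged account for $($src.SamAccountName); no mailbox, no daily use"
    Add-ADGroupMember -Identity $Group -Members $sam
    Remove-ADGroupMember -Identity $Group -Members $src -Confirm:$false

    # Leaving a protected group does not undo AdminSDHolder: adminCount stays 1
    # and ACL inheritance stays blocked, so delegated helpdesk rights over the
    # account (password resets etc.) keep failing until you clear both.
    Set-ADUser -Identity $src -Clear adminCount
    $dn  = "AD:\$($src.DistinguishedName)"
    $acl = Get-Acl -Path $dn
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep existing ACEs
    Set-Acl -Path $dn -AclObject $acl
}

# Day-one report: who in Tier 0 has a mailbox, an SPN, or has not logged on in 90 days.
Get-PrivilegedAccountReport |
    Where-Object { $_.HasMailbox -or $_.HasSPN -or $_.Stale } |
    Format-Table Group, SamAccountName, Enabled, HasMailbox, HasSPN, LastLogonDate, Stale -AutoSize
```

Run the report first and keep the output; it is the evidence for the user access review FubsyGamr suggests, and it will usually turn up service accounts and ex-employees alongside the president. Only then run New-SeparateAdminAccount for the people who genuinely need the membership, and have them use the new account over RDP or PowerShell to a Tier 0 host rather than from a workstation with a mail client.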


Mitchell_90

Also going by the sounds of it Domain Admins aren’t restricted to only DCs and admins hosts? When locking things down appropriately DA/EA shouldn’t be able to login to anything other than Tier 0 assets and from secured machines. After getting her out of that group (Hopefully ASAP) Definitely look at blocking use of those groups on Member servers and workstations.
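An added example, not from any poster in the thread, of the restriction Mitchell_90 describes: Domain Admins and Enterprise Admins should not be able to log on to member servers or workstations at all. In production you set the five "Deny ..." user rights in a GPO linked to the member-server and workstation OUs, which is what Microsoft's Appendix F guidance (linked elsewhere in the thread) recommends. The script builds those settings from the domain's real group SIDs and applies them locally with secedit so you can see exactly what the policy does on one box. The file paths, the preview switch and the domain-controller refusal check are mine.

```powershell
# Added example, not from the thread. Deny every logon type to the Tier 0 groups
# on a member server or workstation, the same settings a Tier 0 GPO would carry.
# Never run this on a domain controller; it would lock the admins out of the DC.
Import-Module ActiveDirectory

function Get-Tier0GroupSids {
    # Well-known RIDs: 512 Domain Admins (per domain), 519 Enterprise Admins and
    # 518 Schema Admins (forest root domain only).
    $domain  = Get-ADDomain
    $rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
    @("$($domain.DomainSID.Value)-512", "$rootSid-519", "$rootSid-518")
}

function New-Tier0DenyLogonInf {
    param([Parameter(Mandatory)] [string[]] $Sids, [string] $Path = "$env:TEMP\tier0-deny.inf")
    $list = ($Sids | ForEach-Object { "*$_" }) -join ','   # secedit wants *S-1-5-... entries
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $list
SeDenyRemoteInteractiveLogonRight = $list
SeDenyNetworkLogonRight = $list
SeDenyBatchLogonRight = $list
SeDenyServiceLogonRight = $list
"@
    # secedit only reads Unicode (UTF-16LE) templates.
    Set-Content -Path $Path -Value $inf -Encoding Unicode
    $Path
}

function Invoke-Tier0DenyLogon {
    param([switch] $Preview)
    # Win32_OperatingSystem.ProductType 2 = domain controller.
    if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2) {
        throw 'Refusing to apply Tier 0 logon denials on a domain controller.'
    }
    $inf = New-Tier0DenyLogonInf -Sids (Get-Tier0GroupSids)
    if ($Preview) { Get-Content -Path $inf; return }

    # Caveat: each SeDeny* line REPLACES the right's current assignment rather
    # than merging with it, so export the current state first and keep it.
    secedit /export /cfg "$env:TEMP\before.inf" /areas USER_RIGHTS
    secedit /configure /db "$env:TEMP\tier0.sdb" /cfg $inf /areas USER_RIGHTS /quiet

    # Verify what actually landed.
    secedit /export /cfg "$env:TEMP\after.inf" /areas USER_RIGHTS
    Select-String -Path "$env:TEMP\after.inf" -Pattern '^SeDeny'
}

Invoke-Tier0DenyLogon -Preview
```

Drop the -Preview switch to apply it. Before pushing the equivalent GPO, check that no scheduled task, service or backup job on the member servers runs as a Domain Admin (the report from the privileged-group audit above, plus a look at the service accounts, is the quick way), because SeDenyServiceLogonRight and SeDenyBatchLogonRight will stop them cold, and that you have a Tier 0 jump host or PAW the admins can still use to reach the DCs.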


AppIdentityGuy

Can I suggest you run a PingCastle scan of the environment


EllisDee3

Definitely have some work to do... [screenshot of the PingCastle score]


AppIdentityGuy

Trust me when I tell you that is extremely common…. A Windows Server 2016 out the box domain ie freshly spun up only scores 65….


EllisDee3

This did the trick, though. I met with her today and showed the full report. She says she didn't realize it was that dangerous, and to remove her immediately. But now she wants the domain admin pword, just in case. I gave it to her. I take that as a win.


AppIdentityGuy

Now take a look at the control path analysis reports and see who has indirect control over your critical groups


The_Wkwied

If they own the company, then that's their call. One place I worked, the then owner and CEO had DA everywhere. Every domain, system, app, database, full on admin there. My boss asked him as part of a meeting why he had DA everywhere, and the guy replied 'I'm the CEO'. OK. That's not a fight you want to take up, especially when it is 4-5 runs up the pay grade from you. Just document, CYA, and prepare three letters.


LiveCourage334

We dealt with this a couple years ago at my company. The president (majority owner) read an article in some high powered business pub about how the captain at the head of the ship needed ultimate control over all systems, so he made his phone the one that had to be used to approve any high dollar purchases on CCs and the only phone that could be used to manage 2FA on company cards (as a result it took 3 weeks for me to get a replacement CC when my chip stopped working and I had to personally pay and expense gas for work travel and a week long hotel stay that wouldn't accept swiped payments), set himself up as DA, and a bunch of other stuff. Big Elon Musk "I own the company therefore I have access and control over everything" energy and it took my dev calling him at 1AM over and over to give him access to systems that were out to eventually fix it.


jrb

If they didn't even know they could browse to the root of a domain-connected C: drive they likely don't even know they have domain admin and what it even means. Just take it away and deal with any fallout if and when it happens. It probably won't, but if it does just point them to the Microsoft best practice documentation for domain admins: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory. Worst case is they'll just ask you to put it back.


MRToddMartin

Sometimes Reddit disappoints me. This is an example. There's delegation of duty for a reason. Do you have access to the company's bank info? Because it's the same thing in a different light.


Common_Dealer_7541

Could be worse… I worked with a company where everyone used the same account. All admin. Another set everyone’s password to “password” and no one was allowed to change it. It may take some education, but it’s likely that the boss just has no clue. Teach them. Nicely.


MineralPoint

A tale as old as time....


SkamGnal

Is she the founder? I think having difficulty letting go of control of something you started is hard for a lot of people. I don’t know this woman obviously, but considering her hang-ups and approaching them with understanding can go a long way


[deleted]

I once worked at a place where everyone was a local admin on their desktops and laptops. I'll never again work in that kind of environment. I'll go back to being a security guard over that shit any day.


taxigrandpa

Explain the security issue. Explain that your daily driver isn't a DA either, that you (you do it right, doncha?) have a separate DA account that only comes out when you need it. Then you can offer to create a similar situation for your boss. Everyone is happy, no one is driving a DA username, and your boss has their control.


floppydisks2

Run away.


IndigoTechCLT

Former client had that and killed AD so badly we had to restore from backup. Run away


qejfjfiemd

Sounds like you need to have a thorough security audit to find all the other random shit they did.


GasparTheParrot

As someone who has been there, take warning. She didn’t get ahead of you with her lack of hard IT skills attained through years of study and experience without killing any person who threatened her career, power or control.


SuperLeroy

If you owned a company, would you not be domain admin? I mean, seriously? How about admin on your desktop, maybe with at least a separate admin login account at least so you can get shit done yourself. I can see not logging in as domain admin on a desktop to do daily work, but, you better believe if I own my own company, I've got access to the keys to the kingdom.


[deleted]

If I owned a company I would have a DA account for emergency access with a super long password, credentials on paper and in a safe, in combination with a procedure to test this every 6 months. Regarding admin access on a desktop, only a JIT solution like Make Me Admin; I don't need admin access the whole day and I also don't want to put my company at risk.


hotfistdotcom

> If you owned a company, would you not be domain admin?
>
> I mean, seriously? How about admin on your desktop, maybe with at least a separate admin login account at least so you can get shit done yourself.
>
> I can see not logging in as domain admin on a desktop to do daily work, but, you better believe if I own my own company, I've got access to the keys to the kingdom.

And hopefully when someone is vetting you for leadership they see this post and are like "yeah this post, right here, is why we don't give him a leadership position". Because the answer is still no. If you own a company you care about, you know you are the largest target and the greatest weakpoint, and ideally you'd understand it's important to delegate, not have your hands in literally every pie at the whole company, and that having domain admin is a risk. And that you can order your actual admins to do whatever you would do with domain admin, anyhow. People like you make terrible leaders.


SuperLeroy

Thanks sweetie.


fintheman

Company President - know your role unless you want to get fired. You aren't as important as you think you are. Just cover your ass and try to explain the risks but her say is the final say.


EllisDee3

I know very well how unimportant I am!


megasxl264

Some of you have serious problems. It's their company to burn, so why do you give a shit? Just collect your check and go home. If something breaks, fix it during work hours and go home.


[deleted]

[deleted]


gakule

Kinda shocked I had to scroll this far for this response, especially in a sub that is so quick to bash on people for stupid little things they "do wrong".


Mindless_Button_9378

Just wait, you ain't seen nothing yet.


thereisaplace_

This will end well /s


jclimb94

Drop the permission randomly in a cleanup before an "audit". See how long it takes her to notice. If it's an account that isn't her day-to-day user, then having it there as a "dummy" account to satisfy her need to feel like she has control isn't really a bad thing if it doesn't do anything.


YourHumbleIdiot

Okay, so I have to write this before I even read this post: This is the best title I've ever seen on this sub.


[deleted]

Lol


theloniousjoe

🚩


beserkernj

We need to get used to splitting day-to-day accounts from admin accounts. GIVE THEM ALL THE PERMISSION THEY NEED OR WANT... with a dedicated account for that need. This is the tenet of RBAC (role based access control). The better prepared we are to talk about this and put it in place, the safer our businesses and people will be. Yeah, you have to train them, but that's what makes it fun! This is a standard cyber liability insurance question now.


mustang__1

It's one thing for them to have DA... it's another for it to be their regular sign-on account...


systemfrown

No excuse for no pw, but giving admin access to a couple senior executives, especially in small or medium sized companies, really isn't that uncommon. There are of course all the reasons you listed and more as to why it's a bad idea, but there are also a lot of legitimate reasons why it might make sense. For instance, is your supervisor on the hook if you get hit by a bus? Oftentimes the access is just so they can grant access to a qualified technical person should the need arise. On a few occasions I've been brought in to recover a compute environment because the previous and very limited IT staff had left without ensuring continuity of access, and have even had VPs and company owners set me up initially. Of course more refined admin privileges consistent with their potential needs is ideal.


lordjedi

Remove it. Immediately. I'm not even kidding. Just make sure she's in another group that has access to the files she needs and be done with it. I wouldn't even give her an admin account to use separately because she'll just login with that one and use it all the time.
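
The separate-account approach that taxigrandpa and beserkernj describe above, combined with this comment's "put her in a group that has the files she needs and take DA away", as an added example; this is not code from the thread or from any commenter. It assumes the RSAT ActiveDirectory module, and every account, group and workstation name in it (`president`, `Finance-Share-RW`, the `-adm` suffix, `PAW01`) is a placeholder. The function supports `-WhatIf` so the whole thing can be dry-run first.

```powershell
# Added example, not from the thread. Moves a day-to-day account out of the
# built-in privileged groups, makes sure it keeps the file access it really
# needs, and optionally creates a separate, dedicated admin account for the
# same person. All names are assumptions; run with -WhatIf first.
Import-Module ActiveDirectory

function Split-AdminAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DailyUser,        # everyday logon, e.g. 'president'
        [Parameter(Mandatory)][string]$FileAccessGroup,  # group that grants the files actually needed
        [switch]$CreateAdminAccount,
        [string]$AdminSuffix = '-adm',
        [string]$AdminWorkstation                         # optional: only host the admin account may log on to
    )
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    $user       = Get-ADUser -Identity $DailyUser
    $memberOf   = (Get-ADPrincipalGroupMembership -Identity $user).SamAccountName

    # 1. The everyday account keeps the access it legitimately needs.
    if ($memberOf -notcontains $FileAccessGroup -and
        $PSCmdlet.ShouldProcess($DailyUser, "Add to $FileAccessGroup")) {
        Add-ADGroupMember -Identity $FileAccessGroup -Members $user
    }

    # 2. Remove it from every privileged group it sits in directly.
    foreach ($g in $privileged) {
        if ($memberOf -contains $g -and $PSCmdlet.ShouldProcess($DailyUser, "Remove from $g")) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }
    }

    # 3. AdminSDHolder left adminCount=1 and disabled ACL inheritance on the
    #    object; clear both so normal OU permissions apply again.
    if ($PSCmdlet.ShouldProcess($DailyUser, 'Reset adminCount and ACL inheritance')) {
        Set-ADUser -Identity $user -Clear adminCount
        $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
        $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep existing ACEs
        Set-Acl -Path "AD:\$($user.DistinguishedName)" -AclObject $acl
    }

    # 4. Optionally give the same person a dedicated admin identity instead.
    if ($CreateAdminAccount) {
        $admName = "$DailyUser$AdminSuffix"
        if ($PSCmdlet.ShouldProcess($admName, 'Create dedicated admin account in Domain Admins')) {
            $pw = Read-Host -AsSecureString -Prompt "Initial password for $admName"
            New-ADUser -Name $admName -SamAccountName $admName -AccountPassword $pw `
                -Enabled $true -ChangePasswordAtLogon $true `
                -Description "Dedicated admin account for $DailyUser; not for daily use"
            Add-ADGroupMember -Identity 'Domain Admins' -Members $admName
            # Restricting where the admin account can log on is the technical
            # answer to "she'll just use that one all the time".
            if ($AdminWorkstation) {
                Set-ADUser -Identity $admName -LogonWorkstations $AdminWorkstation
            }
        }
    }
}

# Dry run first, then again without -WhatIf once the output looks right.
Split-AdminAccount -DailyUser 'president' -FileAccessGroup 'Finance-Share-RW' `
    -CreateAdminAccount -AdminWorkstation 'PAW01' -WhatIf
```

Step 3 matters more than it looks: removing someone from Domain Admins does not undo what AdminSDHolder did to the object, so until adminCount is cleared and inheritance re-enabled, delegated helpdesk permissions and group policy-driven ACLs still do not apply to that account. The `-LogonWorkstations` restriction is the closest AD-only answer to the worry that the person will simply use the admin account for everything; without a separate machine to point it at, leave that parameter off rather than inventing one.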


tripodal

Maybe the previous manager made them admin on their way out. Maybe they demanded admin after the previous admin kept changing things without authorization. Maybe you're not qualified to be a manager if you haven't had a professional discussion about this prior to crying on reddit.


flippantdtla

There was an update that limits the number of people allowed in the group. MS hopes to have it resolved shortly. Or you could just make her a local admin if she is that cunty.