Administering without Administrator

  • Thread starter Thread starter dp
  • Start date Start date
D

dp

My fellow ITers...

I'm stuck in a peculiar situation- I am supposed to run, and support a
Windows2003 server and 5 accompanying workstaitons. This server is to be
under the umbrella of the domain "ABC". The person who is supposed to be
administering this for us has our addresses set up as (e-mail address removed),
(e-mail address removed), etc. and the servers are accessed like \\abc3.abc.org Where
abc3 is my server. The person who installed this, created me a user
account, and then granted that user administrator (some administrator?)
functions. I can't tell exactly what I can, and cannot do. There are also
5 workstations in my group, which this guy has installed, however he hasn't
told me, or any of the people using the 5 workstations what the admin
password is for their workstations either.

What gives here? This doesn't sound like good IT policy- When *I* am god,
if someone doesn't need Administrator, then I don't give it to them, but if
they DO need administrator, I don't fiddle around, I let them have access,
and tell them to be careful what they do.

A layperson asked me "Well exactly what is it that you need the
administrator account for?" I was at a loss really to come up with a clear
concise answer, I mean, I know what sorts of things I do with the
administrator account, looking at print queues, setting up workstations,
administering other things on the server.

Is it really possible to administer without the Administrator account? I'm
I justified in thinking that I ought to have the administrator password for
the server I'm administering? At least to the administrator account on that
server..

What is a good lay person response to why we need to have the administrator
account for the servers and the workstations? My first reaction would be,
"BECAUSE WE CAN'T GET ANYTHING DONE!" But I suppose that is too general.
Anyone got anything else?

-Brian
 
dp said:
My fellow ITers...

I'm stuck in a peculiar situation- I am supposed to run, and support a
Windows2003 server and 5 accompanying workstaitons. This server is to be
under the umbrella of the domain "ABC". The person who is supposed to be
administering this for us has our addresses set up as (e-mail address removed),
(e-mail address removed), etc. and the servers are accessed like \\abc3.abc.org Where
abc3 is my server. The person who installed this, created me a user
account, and then granted that user administrator (some administrator?)
functions. I can't tell exactly what I can, and cannot do. There are also
5 workstations in my group, which this guy has installed, however he hasn't
told me, or any of the people using the 5 workstations what the admin
password is for their workstations either.

What gives here? This doesn't sound like good IT policy- When *I* am god,
if someone doesn't need Administrator, then I don't give it to them, but if
they DO need administrator, I don't fiddle around, I let them have access,
and tell them to be careful what they do.

A layperson asked me "Well exactly what is it that you need the
administrator account for?" I was at a loss really to come up with a clear
concise answer, I mean, I know what sorts of things I do with the
administrator account, looking at print queues, setting up workstations,
administering other things on the server.

Is it really possible to administer without the Administrator account? I'm
I justified in thinking that I ought to have the administrator password for
the server I'm administering? At least to the administrator account on that
server..

What is a good lay person response to why we need to have the administrator
account for the servers and the workstations? My first reaction would be,
"BECAUSE WE CAN'T GET ANYTHING DONE!" But I suppose that is too general.
Anyone got anything else?

-Brian
Click to expand...

The answer to your questions depend on who you talk to and what is required.
By and large, one needs an administrator account to install drivers, install
applications and perform other administrative procedures.

A general misconception is that the administrator is "God". He is not. Then
the question arises about which administrator is responsible for what. A
server's admin is not the same as a domain's admin. Same goes for a client
station's local admin. To put the whole issue in perspective, consider the
following: create a share on Server and configure its NTFS permissions to
deny domain users. Result: no user (not even domain admin) can access the
share. Why? Domain administrator is a member of domain users.

If a virus infects your network, the virus can only run as the interactive
user at the desktop. In other words, you limit the security implications
that a user account entails. If the user can install anything they want, you
face failed audits as far as software license restrictions. If a user is
allowed to install drivers, you'll end up with what looks like strange
hardware failures. All of sudden, supporting the clients becomes a nightmare
for you.

Although i too am a contractor and therefore have a biased opinion, i can
say this with certainty, the guy who installed your network did a good job.
Compared to the amateur installations of W2K i have witnessed where a
reinstallation of an entire domain were required, you should concentrate on
your part of the deal. Chances are you'll end up with a contractor that will
trust you enough to start delegating some tasks. Lets not forget that he's
binded by contract here.
 
Back
Top