RE: [ActiveDir] Sarbannes Oxley compliance

[Fugleberg, David A]

We try to maintain a least privilege model, and are in the process of tightening down further.  'Best practices' that you often read about suggest each admin have a 'break glass' kind of administrative account seperate from their 'day-to-day user' account.  We're moving in that direction.  One of the issues there seems to be that admins are used to managing files and setting NTFS permissions via Explorer...as far as I know, you can't just start up a new explorer with Runas.  I suppose they could use CACLS from a command prompt, but most want a GUI.   So I'll add that to Mark's original question...how do y'all approach that if you use seperate 'admin' accounts for your admins ? Dave -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Creamer, Mark Sent: Wednesday, June 23, 2004 12:21 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Sarbannes Oxley compliance I’m curious what, if any, changes to everyday administration the folks on this list are making in preparation for Sarbannes Oxley compliance. Specifically, is anyone making a conscious effort to remove daily admin rights from people whose job it is to do domain administration, in favor of a “break the glass when needed” type of philosophy? I’m just starting to look into this, but I’m getting the feeling some companies are going overboard. Any observation from the group is always welcome…   Mark Creamer