That shouldn't even be on the table. You really want to have your domain admins and server admins thoroughly separated.
Not to say a person couldn't be both but you don't want every server admin being a domain admin and often, vice versa. Having to give up admin on all your servers is one thing, having to give it up on the entire domain is completely another. -----Original Message----- From: Joseph Heaton [mailto:[email protected]] Sent: Tuesday, August 03, 2010 11:49 AM To: NT System Admin Issues Subject: Re: WMI information gathering Exactly! Which is why we're trying to figure out if we can comply, by letting them get whatever info they need, without giving them the keys to our domain... >>> James Rankin <[email protected]> 8/3/2010 11:38 AM >>> Domain Admin access not a big deal? Morons. I wouldn't let any third parties near a Domain Admin account. On 3 August 2010 19:15, Joseph Heaton <[email protected]> wrote: > 1. Yes, we are required to do this. It's supposed to be for information > gathering only, but we're trying to cover our backsides, in case they mess > something up. > Yes, we can gain benefit, in that we can use this to get WMI access for > our Orion product. > 2. Documentation is a difficult thing. The wording of their message is > such that they feel it's not a big deal for us to just give them a domain > admin account to play with. > > >>> Steven Peck <[email protected]> 8/3/2010 10:49 AM >>> > To be honest the real questions are; > 1. Are you required to do this? (Usually yes) > - if yes, can you gain benefit? (Usually you can) > 2. Do they have documentation on least privilege necessary for their > tools to run? > > > > On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob <[email protected]> wrote: > > My experience with WMI and CMDB or security scanner products tells me > > you are out of luck, at some point, the information they require is > > situated such that they require admin privs just to be able to read it. > > > > -----Original Message----- > > From: Joseph Heaton [mailto:[email protected]] > > Sent: Tuesday, August 03, 2010 10:18 AM > > To: NT System Admin Issues > > Subject: Re: WMI information gathering > > > > Anyone have any idea on this one? > > > >>>> Joseph Heaton <[email protected]> 8/2/2010 3:42 PM >>> > > We have a group that wants to come in, and "scan our servers" to gather > > information. We want to cooperate with this effort, but we don't want > > to give them access to be able to write back to the servers. Is this > > possible? Is there a tool that can be used without an admin account, in > > order to gather information from within WMI? Please contact offline for > > further details, if needed. As always, I sincerely appreciate any > > assistance any of you may be able to provide. > > > > Thanks, > > > > Joe > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
