In a SOX audit I would require verification from HR that every member of Domain Admins, Enterprise Admins and Schema Admins is a valid employee. You would probably not be surprised how many are not employed and have been gone for quite some time. Same process for off-site backup access (Iron Mountain, etc).
Service accounts that are members of one or more of those groups have to have CIO (or equivalent level) sign-off.

Thanks

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com <http://www.carlwebster.com/>

On 1/10/12 8:57 AM, "David Lum" <david....@nwea.org> wrote:

>Yeah...I listed the DA accounts in question and the SE's didn't reply,
>and my bet is 1/2 the accounts in question they don't even know what they
>do. No security problem there "Yeah the dude has keys to the castle, but
>I don't know who he is".
>
>Dave
>
>-----Original Message-----
>From: Kurt Buff [mailto:kurt.b...@gmail.com]
>Sent: Monday, January 09, 2012 4:11 PM
>To: NT System Admin Issues
>Subject: Re: Domain Admin accounts
>
>On Mon, Jan 9, 2012 at 09:41, David Lum <david....@nwea.org> wrote:
>> We have several service accounts that are Domain Admin is there any
>> way to test for what permissions these accounts actually need short of
>> "removing DA and see what happens?". I'm guessing no...
>
>The big question will be exactly what jobs they are performing. You'll
>need a complete understanding of what they're used for - or rather, what
>you mean by "service account"
>
>Some service accounts are used for running services, and have a very
>limited scope that is more or less traceable. Others are, for instance,
>used in scheduled tasks, in which case you'll need to understand what the
>task does
>
>
>Kurt
>
>~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
>---
>To manage subscriptions click here:
>http://lyris.sunbelt-software.com/read/my_forums/
>or send an email to listmana...@lyris.sunbeltsoftware.com
>with the body: unsubscribe ntsysadmin
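The membership check described at the top of this thread can be scripted. The following is an added example, not code posted by anyone in the thread: it lists every effective member of Domain Admins, Enterprise Admins and Schema Admins and marks each one as an HR-confirmed employee, a signed-off service account, or unverified. The file names `hr_roster.csv` and `approved_service_accounts.csv` and their columns (`SamAccountName`, `ApprovedBy`) are assumptions, and the script is assumed to run in the forest root domain, where Enterprise Admins and Schema Admins live.

```powershell
# Added example: reconcile privileged AD group membership against HR data.
# Assumed inputs (hypothetical file names and columns, not from the thread):
#   hr_roster.csv                  -> SamAccountName of every current employee
#   approved_service_accounts.csv  -> SamAccountName, ApprovedBy (CIO-level sign-off)
Import-Module ActiveDirectory

$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# PowerShell hashtables compare string keys case-insensitively by default.
$employees = @{}
foreach ($row in Import-Csv .\hr_roster.csv) { $employees[$row.SamAccountName] = $true }

$approvedBy = @{}
foreach ($row in Import-Csv .\approved_service_accounts.csv) {
    $approvedBy[$row.SamAccountName] = $row.ApprovedBy
}

$report = foreach ($group in $groups) {
    # -Recursive expands nested groups, so indirect members are listed too.
    foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
        $enabled = $null; $lastLogon = $null; $pwdSet = $null
        if ($member.objectClass -ne 'user') {
            $status = "NON-USER MEMBER ($($member.objectClass))"
        } else {
            $user = Get-ADUser -Identity $member.distinguishedName `
                        -Properties LastLogonDate, PasswordLastSet
            $enabled   = $user.Enabled
            $lastLogon = $user.LastLogonDate   # replicated value, can lag by days
            $pwdSet    = $user.PasswordLastSet
            if ($employees.ContainsKey($user.SamAccountName)) {
                $status = 'EMPLOYEE (HR confirmed)'
            } elseif ($approvedBy.ContainsKey($user.SamAccountName)) {
                $status = "SERVICE ACCOUNT (signed off by $($approvedBy[$user.SamAccountName]))"
            } else {
                $status = 'UNVERIFIED'
            }
        }
        [pscustomobject]@{
            Group           = $group
            Account         = $member.SamAccountName
            Status          = $status
            Enabled         = $enabled
            LastLogonDate   = $lastLogon
            PasswordLastSet = $pwdSet
        }
    }
}

# Unverified entries first: these are the accounts nobody has vouched for.
$report | Sort-Object { $_.Status -ne 'UNVERIFIED' }, Group, Account |
    Export-Csv .\privileged_membership_review.csv -NoTypeInformation
$report | Where-Object Status -eq 'UNVERIFIED' | Format-Table -AutoSize
```

The `LastLogonDate` and `PasswordLastSet` columns give a starting point for the question of what an unverified service account is still being used for.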