Sysadmin rights

I have full access to everything on the company’s server.

Yet I don’t abuse that - as I don’t want to read some documents pertaining to $company_finances (or the such) and be cursed with that knowledge. (Besides, foreknowledge of something can be very, very dangerous).

So… do you have full access to everything, and do you abuse that right? Or not? :smile:

Not to the server, but I have admin access to my laptop, which is not the standard for the company - everything’s pretty locked down. I need it because apparently one of the HR applications I use requires it.

I don’t abuse it - the only thing I’ve installed on the laptop is a “take a break” program that reminds me to get up and stretch every hour. :slight_smile:

I have access to everything. I really don’t care what is out there, unless it shouldn’t be on my servers.

I actually worked one place where I was doing some financial report writing for our year end and the Controller didn’t want me to have access to the data so that I could verify that the report worked correctly. She was shocked that I had access to the data already, and wanted my access removed. The CFO put the kibosh on that one.

Domain admin in my environment. Granted I’m only one of about 6 accounts with that level but as I’m in charge of keeping it up, I kind of need it. That’s a separate account from what I use normally. My normal account is pretty high though.

I broke from the corporate domain a while ago for my laptop because I needed my admin rights and the pushed software they send down was interfering with some projects I was working on. I’m up to date with the company specs for security though.

I used to have access to everything, and I have to say in my younger days I occasionally looked up things I wanted to know. It quickly turned out that A) knowing where to stop peeking is hard and B) peeking is addictive. Mostly on termed people’s files, since I was the one asked to find some obscure document someone had God knows where. Looking in a user’s directory they hadn’t cleaned in 5 years for a Word document they don’t remember naming could be another trigger event.

So for 1 out of 5 years with admin access I would say I got a B-, and the rest I was pretty good about not poking around. Only things that really stood out, like internet access records, viruses, file sizes, and other things would get me looking, but at that point it was professional peeking.

I stayed out of HR, Finance, and those sorts of files as much as I could. There are some things I just didn’t want to know. But in some cases when you are working on a file cleanup and someone has a file named “salaries” at 24 that was hard to resist.

Domain admin access here, but usually if I want/need to poke around in the gaping chasm that is our fileserver, I’ll do it under the admin account on the server itself.

Full access on all our boxes, both here and at my previous employer. At my previous employer I often also had access on boxes I shouldn’t have had, because they didn’t bother keeping up with Best Practices or training or anything else relevant to keeping the bad guys out. I did, which means a lot of people got annoyed when they couldn’t just bum around my fileshare. The only times I went through any of it was to make space, since the morons didn’t seem to understand that putting their personal photos on a government machine made them public property. So I would help them out and delete them all so we’d have enough room for our reports and such. At my current job, I’m the only admin, but since I’m still rebuilding from my predecessor’s crash, I don’t have as much access as I will have in a bit.

Good to see that most didn’t “abuse” their admin privileges the wrong way…

Or at least don’t admit to it. :wink:

Am I voted off the island now?

I never did abuse my admin privs, and I pretty much had access to everything. I did play a little fast and loose with some other rules, but never those. Mind you, it helped that if I had and had been caught, standard policy was instant dismissal. That kind of penalty keeps you pretty focused :wink:

“Good to see that most didn’t “abuse” their admin privileges the wrong way…”

What an intriguing comment. So there’s a right way to abuse them?!

Well, we didn’t have any policy, or standards. The network was only 6 months old when I came on. And we made it all up as we went along.

I have mostly gotten my curiosity for other peoples data killed. Sure, if I’m looking for something, I will check everything and then some, but aside from that, I have learned not to care. How? Well, it only takes that many pictures of nude cow-orkers or customers to kill curiosity.

My domain account has admin rights on my workstation(s) and a bunch of dev servers. As well as 2 production boxen, one of which is on the road to being decommissioned and the other is its replacement - I really need to put in the ticket to get my access revoked on the new box.

Although, since I’ve got admin rights, I suppose I could just revoke them myself.

I prefer the way we handled this at Boeing: sysadmins have normal, unprivileged user accounts like everyone else. If they need to do something sysadmin-y, they have to log in with (or at least authenticate with, depending on the system and share) their second privileged account.

Every admin had their normal account and their privileged account, and you were expected to not use your privileged account except when necessary. Having that separation worked surprisingly well—instead of just having all the doors unlock at your touch, you had to go get your keys out of the lockbox, so to speak.

We also didn’t have anything approaching domain admin privilege, but that was because we had a pretty complex Active Directory structure (at one time in the early 2000s, it was the 2nd largest in the world). There was one nos.boeing.com forest, with the separate geos all broken up into different OUs. We were se.nos.boeing.com, for southeast; there was also nw, ne, sw, and mw for the US domains and eu, as, au, and at least one other that I can’t remember for international domains.

All of us Houston admins were sub-OU admins only, and so our privileged accounts only got us access to stuff that involved the Houston site. We had two senior folks who were full OU admins, which meant they had a third privileged account that had rights to do everything in se.nos.boeing.com.

No one had total god access at the nos.boeing.com level; instead, there were two service accounts (named, hilariously, “skipper” and “gilligan”) that were used on the extremely rare occasions that something needed to be changed at the forest level.

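The account model in the post above (an unprivileged everyday account, a privileged account scoped to a sub-OU, a senior account scoped to the whole se.nos.boeing.com domain, and forest-level service accounts) can be expressed as a small authorisation check. The following is an added example, not code from the thread or from Boeing: the account names, the "houston" and "other-site" OU names and the `authorize` helper are constructed for illustration, and every privileged attempt is written to an audit list so that use of the privileged account is recorded, which is the detection side of the "keys out of the lockbox" idea.

```python
"""Scoped admin-account model (added example; constructed names and DNs)."""
from dataclasses import dataclass
from typing import List, Optional

FOREST = "nos.boeing.com"        # forest root named in the post
SE_DOMAIN = "se.nos.boeing.com"  # southeast domain named in the post


def domain_dn(fqdn: str) -> str:
    """Turn a DNS name into its LDAP domain DN: a.b.c -> dc=a,dc=b,dc=c."""
    return ",".join(f"dc={part}" for part in fqdn.split("."))


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDN components, root-most first."""
    return [c.strip().lower() for c in dn.split(",")][::-1]


def within_scope(target_dn: str, scope_dn: str) -> bool:
    """True if target_dn sits at or below scope_dn in the directory tree.

    Whole components are compared, so a scope of ou=houston does not
    accidentally cover ou=houstonx; plain string-suffix matching would.
    """
    target, scope = dn_components(target_dn), dn_components(scope_dn)
    return len(target) >= len(scope) and target[: len(scope)] == scope


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    scope_dn: Optional[str] = None  # subtree this account may administer


HOUSTON_OU = "ou=houston," + domain_dn(SE_DOMAIN)  # constructed sub-OU

# Constructed accounts mirroring the tiers described in the post:
# everyday account, sub-OU admin, full domain admin, forest service account.
ACCOUNTS = {
    "jdoe": Account("jdoe", privileged=False),
    "jdoe-adm": Account("jdoe-adm", privileged=True, scope_dn=HOUSTON_OU),
    "jdoe-seadm": Account("jdoe-seadm", privileged=True,
                          scope_dn=domain_dn(SE_DOMAIN)),
    "skipper": Account("skipper", privileged=True, scope_dn=domain_dn(FOREST)),
}


def authorize(account: Account, target_dn: str, audit: List[str]) -> bool:
    """Decide whether account may change target_dn; log every attempt."""
    if not account.privileged or account.scope_dn is None:
        audit.append(f"DENY  {account.name} (unprivileged) -> {target_dn}")
        return False
    allowed = within_scope(target_dn, account.scope_dn)
    verdict = "ALLOW" if allowed else "DENY "
    audit.append(f"{verdict} {account.name} [{account.scope_dn}] -> {target_dn}")
    return allowed


if __name__ == "__main__":
    log: List[str] = []
    forest_object = "cn=policy," + domain_dn(FOREST)  # constructed target
    for name in ("jdoe", "jdoe-adm", "jdoe-seadm", "skipper"):
        authorize(ACCOUNTS[name], "cn=printer1," + HOUSTON_OU, log)
        authorize(ACCOUNTS[name], forest_object, log)
    print("\n".join(log))
```

Running the module shows that only the forest-level service account reaches the forest-root object, the sub-OU admin is denied anything outside its own OU, and the unprivileged account is denied everything, with each decision left in the audit list for review.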

This is vaguely how the entire Army’s structure is set up, as well. It mostly works the same. Though us admins usually wound up just logging in as admin all the time anyway, because it’s impossible to get any work done as a normal. /shrugs Sub-ideal, sure, and technically a violation to boot, but there’s that fine line between supporting the mission and tripping over the rules…

There’s one admin account here which I use all the time to add/remove/reset passwords for users, and said account does have admin privileges, but cannot connect to all the shared drives/folders/etc on the server, just to the DC and that’s it.

Just one level of safety.

Also I have two other “backdoor” admin accounts, in case the main admin account’s password got changed or something like that, and we’re unable to access the system.