Network Admins: Would you give the boss the domain admin password?

That is, if the head guy actually owns all the hardware and software you use, do you feel like he’s entitled to a domain admin password for all that? Even if he’s not network-savvy enough to NOT completely screw up the system?

I had a friend (and it really is a friend…I’m a programmer) who had to run around trying to dodge one of his company’s investors who wanted the domain admin password. Talking to other network admins, I’m assured that they would never give out the domain admin password because it’s given on a strictly need-to-know basis. But I figure that an owner has the right to access of this sort. It’s his stuff. I would think that that owner should be told exactly how much damage he can do with it though.

Is this a serious question? Network admins refusing to give the password to their boss on demand? A nosey investor I could understand, but if the guy that owns the hardware wants the password it’s generally time to stand and deliver or else be polishing your resume.

An owner? Yes. An investor? No. If he has the right to fire the net tech on the spot, then the net tech should give it up.

No employee has the right to keep such information from an employer.

From an employer’s perspective, it is important that an employee can be replaced without causing too much disruption. That means not permitting any person to be the only one to have the key password.

I have always created a spreadsheet, with application passwords and accounts and protected the sheet with another password and delivered it to the boss.

He has the password to open the spreadsheet; if they can not get ahold of me and they need certain passwords to troubleshoot. I am 24/7 so there has never been a time my boss has ever needed to fall back on the spreadsheet, but out of respect, it is always there if I am ever hit by a bus.

That’s close to how we do it as well. I’m the CIO (a/k/a the boss in this thread), and I have a policy that no critical password can be changed until the list is updated and I have possession of it. (Emergency exceptions if I’m out of town, etc., of course…)

My experience is that there are a lot of network administrators who need to get over themselves. The Boss has ultimate fiduciary responsibility for the protection of the company’s computer assets and data, and therefore has to be able to take whatever steps are necessary to live up to that responsibility. On rare occasions, that means being able to fire a network administrator, and at the minimum it means protecting the company from the possibility that the network administrator gets hit by a bus.

Exactly. I am merely an employee of the company. The company OWNS the equipment, software and application. They have every right to those passwords in case of emergency regardless of how vague or broad their knowledge is. I forget how it is worded but it is also a federal violation if you cause a company to lose critical business data, or in any way obstruct their normal business practices.

Given the proper information, it is possible to regain control over a locked down server. The only thing you gain as an admin by withholding passwords from your employer is a possible stint in a federal prison. To me, that isn’t a gain but a really stupid move.

Are you kidding? Having the admin password securely documented (which may mean the boss’s desk) and known by one other person is an essential part of disaster recovery.

I can’t tell you how many times when I consulted I went into a company that paid me big bucks to hack into the system because they had to fire the server admin - and nowadays it’s a LOT tougher.

One way of handling it is to write the password down on a piece of paper and then seal it in an envelope that is stored in a secure place. This also works with safe combinations. The information is available in case of an emergency without giving it to people who don’t need it on a routine basis.

Well, it’s their stuff, they have the right to it. But they shouldn’t need it – so I’d be worried if they intended to use it (assuming they’re non-techie), because either the admin hasn’t set things up right, or someone’s going to mess around with something they don’t understand entirely possibly creating security holes, etc.

Depends on the environment. In a small, privately-owned company…sure, I’ll give the owner the password, if it makes him feel better.

In my current situation (local network admin for a business unit of a much larger corporate family, all in the same AD forest), the rough equivalent would be to give the domain admin password to the president of my company…and that ain’t gonna happen. There are, however, others who have the password in case of emergency (my immediate superior, for instance), and the administrators at the forest root can always get access.

I would give him his own personal domain admin account. If you are auditing like you should, you can keep an eye on what he is doing. Also, if there is a major screw-up, you can show who was responsible.

Each admin should have their own account and only the absolute minimum number of admins should have THE domain admin password.
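The arrangement in the last two posts (a personal domain admin account per person, auditing switched on, and the shared domain admin password held by as few people as possible), sketched as an added example that is not part of the original thread: a small audit pass that attributes privileged activity to named accounts and flags any use of the shared built-in Administrator account. The log lines are constructed, simplified renderings of Windows Security events 4672 and 4728; the account names, SIDs and the key=value layout are assumptions made for illustration.

```python
import re
from collections import Counter

BUILTIN_ADMIN_RID = "500"  # well-known RID of the built-in Administrator account
PRIV_LOGON = "4672"        # "Special privileges assigned to new logon"
GROUP_ADD = "4728"         # "A member was added to a security-enabled global group"

# Constructed sample records (simplified key=value form, not real log output).
SAMPLE = """\
2024-03-04T08:01:12Z 4672 SubjectUserSid=S-1-5-21-1-2-3-1104 SubjectUserName=adm-jsmith
2024-03-04T09:15:40Z 4672 SubjectUserSid=S-1-5-21-1-2-3-1107 SubjectUserName=adm-owner
2024-03-04T09:17:02Z 4728 SubjectUserSid=S-1-5-21-1-2-3-1107 SubjectUserName=adm-owner TargetUserName="Domain Admins" MemberSid=S-1-5-21-1-2-3-1150
2024-03-04T23:48:30Z 4672 SubjectUserSid=S-1-5-21-1-2-3-500 SubjectUserName=Administrator
2024-03-05T08:02:55Z 4672 SubjectUserSid=S-1-5-21-1-2-3-1104 SubjectUserName=adm-jsmith
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Turn each 'timestamp event_id key=value ...' line into a dict."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        ts, event_id, rest = parts
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        events.append({"time": ts, "id": event_id, **fields})
    return events

def audit(events):
    """Return (privileged logons per named admin, times the shared account
    was used, Domain Admins membership changes with the responsible account)."""
    per_admin, shared_use, group_changes = Counter(), [], []
    for ev in events:
        sid = ev.get("SubjectUserSid", "")
        if not sid.startswith("S-1-5-21-"):
            continue  # ignore SYSTEM and other non-domain principals
        if ev["id"] == PRIV_LOGON:
            if sid.rsplit("-", 1)[-1] == BUILTIN_ADMIN_RID:
                shared_use.append(ev["time"])  # nobody in particular to hold responsible
            else:
                per_admin[ev["SubjectUserName"]] += 1
        elif ev["id"] == GROUP_ADD and ev.get("TargetUserName") == "Domain Admins":
            group_changes.append((ev["time"], ev["SubjectUserName"], ev["MemberSid"]))
    return per_admin, shared_use, group_changes
```

With per-person accounts, the 09:17 group change is attributable to `adm-owner`, while the 23:48 logon under the shared account cannot be tied to an individual from the log alone.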