That is, if the head guy actually owns all the hardware and software you use, do you feel like he’s entitled to a domain admin password for all that? Even if he’s not network-savvy enough to NOT completely screw up the system?
I had a friend (and it really is a friend…I’m a programmer) who had to run around trying to dodge one of his company’s investors who wanted the domain admin password. Talking to other network admins, I’m assured that they would never give out the domain admin password because it’s given on a strictly need-to-know basis. But I figure that an owner has the right to access of this sort. It’s his stuff. I would think that that owner should be told exactly how much damage he can do with it though.
Is this a serious question? Network admins refusing to give the password to their boss on demand? A nosey investor I could understand, but if the guy that owns the hardware wants the password it’s generally time to stand and deliver or else be polishing your resume.
I have always created a spreadsheet, with application passwords and accounts and protected the sheet with another password and delivered it to the boss.
He has the password to open the spreadsheet, in case they cannot get ahold of me and they need certain passwords to troubleshoot. I am 24/7 so there has never been a time my boss has ever needed to fall back on the spreadsheet, but out of respect, it is always there if I am ever hit by a bus.
That’s close to how we do it as well. I’m the CIO (a/k/a the boss in this thread), and I have a policy that no critical password can be changed until the list is updated and I have possession of it. (Emergency exceptions if I’m out of town, etc., of course…)
My experience is that there are a lot of network administrators who need to get over themselves. The Boss has ultimate fiduciary responsibility for the protection of the company’s computer assets and data, and therefore has to be able to take whatever steps are necessary to live up to that responsibility. On rare occasions, that means being able to fire a network administrator, and at the minimum it means protecting the company from the possibility that the network administrator gets hit by a bus.
Exactly. I am merely an employee of the company. The company OWNS the equipment, software and application. They have every right to those passwords in case of emergency regardless of how vague or broad their knowledge is. I forget how it is worded but it is also a federal violation if you cause a company to lose critical business data, or in any way obstruct their normal business practices.
Given the proper information, it is possible to regain control over a locked down server. The only thing you gain as an admin by withholding passwords from your employer is a possible stint in a federal prison. To me, that isn’t a gain but a really stupid move.
One way of handling it is to write the password down on a piece of paper and then seal it in an envelope that is stored in a secure place. This also works with safe combinations. The information is available in case of an emergency without giving it to people who don’t need it on a routine basis.
Well, it’s their stuff, they have the right to it. But they shouldn’t need it – so I’d be worried if they intended to use it (assuming they’re non-techie), because either the admin hasn’t set things up right, or someone’s going to mess around with something they don’t understand entirely, possibly creating security holes, etc.
Depends on the environment. In a small, privately-owned company…sure, I’ll give the owner the password, if it makes him feel better.
In my current situation (local network admin for a business unit of a much larger corporate family, all in the same AD forest), the rough equivalent would be to give the domain admin password to the president of my company…and that ain’t gonna happen. There are, however, others who have the password in case of emergency (my immediate superior, for instance), and the administrators at the forest root can always get access.
I would give him his own personal domain admin account. If you are auditing like you should, you can keep an eye on what he is doing. Also, if there is a major screw-up, you can show who was responsible.
Each admin should have their own account and only the absolute minimum number of admins should have THE domain admin password.
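The last two posts argue that per-person admin accounts plus auditing let you show who was responsible. The following is an added example, not part of the thread: it sorts account-change events from the Windows Security log by the account that performed them and separates out anything done under a shared login. The account names, the shared-account set and the sample records are constructed assumptions.

```python
from collections import defaultdict

# Windows Security event IDs for account and group changes worth reviewing.
WATCHED = {
    4720: "user account created",
    4724: "password reset attempted",
    4726: "user account deleted",
    4728: "member added to global security group",
}

# Assumption: the built-in account whose password more than one person knows.
SHARED_ACCOUNTS = {"administrator"}

# Constructed sample records (not real logs). SubjectUserName is the account
# that performed the action, TargetUserName the account or group acted on.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2024-03-04T09:12:00",
     "SubjectUserName": "adm-owner", "TargetUserName": "Domain Admins"},
    {"EventID": 4726, "TimeCreated": "2024-03-04T09:30:00",
     "SubjectUserName": "Administrator", "TargetUserName": "svc-backup"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:31:00",  # logon, not watched
     "SubjectUserName": "-", "TargetUserName": "adm-jsmith"},
    {"EventID": 4724, "TimeCreated": "2024-03-04T10:05:00",
     "SubjectUserName": "adm-jsmith", "TargetUserName": "mjones"},
    {"EventID": 4720, "TimeCreated": "2024-03-04T11:40:00",
     "SubjectUserName": "adm-owner", "TargetUserName": "temp1"},
]


def attribute_changes(events, shared=SHARED_ACCOUNTS):
    """Return (actions per named actor, actions nobody can be held to)."""
    by_actor = defaultdict(list)
    unattributable = []
    for ev in events:
        action = WATCHED.get(ev["EventID"])
        if action is None:
            continue  # event type outside the review scope
        line = f'{ev["TimeCreated"]} {action}: {ev["TargetUserName"]}'
        actor = ev["SubjectUserName"]
        if actor.lower() in shared:
            # Anyone holding the shared password could have done this.
            unattributable.append(f"{line} (via shared account {actor})")
        else:
            by_actor[actor].append(line)
    return dict(by_actor), unattributable


if __name__ == "__main__":
    named, shared_use = attribute_changes(SAMPLE_EVENTS)
    for actor, lines in sorted(named.items()):
        print(actor, *lines, sep="\n  ")
    print("UNATTRIBUTABLE", *shared_use, sep="\n  ")
```
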