Read Only Access to ADUC



Longhorn
07-09-2005, 10:56 PM
I have been asked to do security audits for my firm. As security officer I
am not supposed to have admin rights on the network. However, it would be
very helpful if I could still have read-only vision into AD through ADUC. Is
this possible? If so, how?

Roger Abell
07-09-2005, 10:56 PM
I am trying to understand the statement
> As security officer I am not supposed
> to have admin rights on the network.
Now, I can see how that is necessary for the
account(s) you would use when doing any
penetration or privacy failure testing.
However, when auditing to determine the
overall security posture of the infrastructure
I just cannot see how that is so, and can see
how it is counter-productive.

Can you cast some light on the thinking here?

--
Roger Abell
Microsoft MVP (Windows Security)

"Longhorn" <Longhorn@discussions.microsoft.com> wrote in message
news:6A8E28FB-0056-41DB-A1C5-E544534001A6@microsoft.com...
> I have been asked to do security audits for my firm. As security officer I
> am not supposed to have admin rights on the network. However, it would be
> very helpful if I could still have read-only vision into AD through ADUC. Is
> this possible? If so, how?

Longhorn
07-09-2005, 10:56 PM
I have to review user accounts for correct rights and privileges and access
based on their job descriptions. However, I should not have the ability to
add, change or remove accounts or the access they have been granted. That is
the job of the Network Administrator. It is known as separation of duties.

"Roger Abell" wrote:

> I am trying to understand the statement
> > As security officer I am not supposed
> > to have admin rights on the network.
> Now, I can see how that is necessary for the
> account(s) you would use when doing any
> penetration or privacy failure testing.
> However, when auditing to determine the
> overall security posture of the infrastructure
> I just cannot see how that is so, and can see
> how it is counter-productive.
>
> Can you cast some light on the thinking here?
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> "Longhorn" <Longhorn@discussions.microsoft.com> wrote in message
> news:6A8E28FB-0056-41DB-A1C5-E544534001A6@microsoft.com...
> > I have been asked to do security audits for my firm. As security officer I
> > am not supposed to have admin rights on the network. However, it would be
> > very helpful if I could still have read-only vision into AD through ADUC. Is
> > this possible? If so, how?

Roger Abell
07-09-2005, 10:56 PM
Basically they (the admins) only need to grant you read on the
objects to which you find you have none.

What I see as the problem with this approach is that you have
to go through this multiple times as you determine new object
types to which you have insufficient access, and they have to
go through this with amplification to all instances of those types
(hopefully usually by inheritance from containing object).

On the other hand, with Domain Admin access you would not
be impeded in profiling the deployment's posture, you would
not have your work vulnerable to what they have successfully
hidden from you, etc. And, there are some things you should
be concerned with that simply may not be "grantable" to an
examination by a non-admin.

Finally, you should be considered inherently trustable, so any
changes would be inadvertent, and anyway, anything you do
when auditing is auditable, and I would assume would be
audited under the current policy - they (the network admins)
should know how to effect and use that event logging, as after
all, it is their job.

--
Roger Abell
Microsoft MVP (Windows Security)

"Longhorn" <Longhorn@discussions.microsoft.com> wrote in message
news:0B887BD6-6162-4A54-A70D-762557C4A662@microsoft.com...
> I have to review user accounts for correct rights and privileges and access
> based on their job descriptions. However, I should not have the ability to
> add, change or remove accounts or the access they have been granted. That is
> the job of the Network Administrator. It is known as separation of duties.
>
> "Roger Abell" wrote:
>
> > I am trying to understand the statement
> > > As security officer I am not supposed
> > > to have admin rights on the network.
> > Now, I can see how that is necessary for the
> > account(s) you would use when doing any
> > penetration or privacy failure testing.
> > However, when auditing to determine the
> > overall security posture of the infrastructure
> > I just cannot see how that is so, and can see
> > how it is counter-productive.
> >
> > Can you cast some light on the thinking here?
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> >
> > "Longhorn" <Longhorn@discussions.microsoft.com> wrote in message
> > news:6A8E28FB-0056-41DB-A1C5-E544534001A6@microsoft.com...
> > > I have been asked to do security audits for my firm. As security officer I
> > > am not supposed to have admin rights on the network. However, it would be
> > > very helpful if I could still have read-only vision into AD through ADUC. Is
> > > this possible? If so, how?
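The delegation Roger describes (admins granting the auditor read on the objects where it is missing, pushed down by inheritance from the containing object) can be done once per OU subtree rather than object by object. The following is an added example, not code from the thread; the OU path and the "AD-Auditors" group are assumed placeholders, and it must be run by an account that already holds write-DACL rights on that OU.

```powershell
# Added example: grant an auditors group read-only visibility over an OU subtree
# and then verify that nothing beyond read was granted.
Import-Module ActiveDirectory

$ou        = "OU=Staff,DC=example,DC=com"   # assumed OU; replace with the real one
$groupName = "AD-Auditors"                  # assumed group; members are the auditors

# Resolve the group's SID so the ACE is bound to the principal, not the name.
$sid = (Get-ADGroup -Identity $groupName).SID

# GenericRead = list contents + read all properties + read permissions.
# InheritanceType All applies the ACE to the OU itself and every descendant,
# so new child objects pick it up without further admin work.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# The AD: PSDrive exposes each object's DACL through Get-Acl / Set-Acl.
$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verification for separation of duties: every ACE held by the auditors on
# this OU should be an Allow for GenericRead only (no Write*, no GenericAll).
$domainNetbios = (Get-ADDomain).NetBIOSName
$auditorAces = (Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -eq "$domainNetbios\$groupName" }

$tooBroad = $auditorAces | Where-Object {
    $_.ActiveDirectoryRights -ne
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
}
if ($tooBroad) {
    Write-Warning "Auditors hold more than read on ${ou}:"
    $tooBroad | Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType
} else {
    Write-Output "OK: $groupName has read-only access on $ou (inherited to children)."
}

# Also confirm the auditors group is not nested into any admin group.
$adminGroups = "Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"
foreach ($g in $adminGroups) {
    if (Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.SID -eq $sid }) {
        Write-Warning "$groupName is (transitively) a member of $g"
    }
}
```

Because ACEs that grant Read on a subtree are themselves visible to anyone with Read Permissions, the auditor can re-run the verification half of this script to confirm their own access stayed read-only.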
