http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspxSeveral times in the past year someone has brought up an issue where they needed to "temporarily" grant someone administrative privilege to a system or a domain. Each time my answer has been the same: "why not just put them in the Administrators groupen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#425751Thu, 20 Apr 2006 04:43:12 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:425751The Daily Ramblings of an SMS EngineerI don't agree with this 100%, and I think the word trust may need defining. &nbsp;Do I trust them to do something...http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#425755Thu, 20 Apr 2006 06:01:04 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:425755PatrickI actually think what Jesper is saying that if you have to define your trust in the person .. <br> <br>&quot;I trust them to do X but not Y&quot; <br> <br>means you should like at other ways of solving the problem. <br> <br>An Admin has a position of absolute trust within a system and if you place caveats on that trust then perhaps you should look at other solutions.http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#425762Thu, 20 Apr 2006 09:23:29 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:425762verminI would go with what Patrick says - sometimes users are granted temporary admin rights just because admin is too overwhelmed with other tasks, (not to say lazy). <br> <br>So with security aware admins this situation should not happen, because there are possibly no situations where admin should allow granting rights domain-wide. Because of some stupid apps, it is to consider granting rights on local workstation, (if those dev-people are physically in their own zone or their network is monitored...), but otherwise? <br> <br>BTW, &nbsp;admin as a position of trust - if the system is monitored/logged, and some alarms are set, when the audit logs changing ownership on dedicated nodes, then I wouldn't say, that admin has &quot;a position of absolute trust&quot;. It would be absurd, if an admin in a network would have an easy and absolute access to, let's say financial data...http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#425784Thu, 20 Apr 2006 13:47:18 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:425784Jason Haleyhttp://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#425821Fri, 21 Apr 2006 01:41:26 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:425821Bernd EckenfelsI totally agree, that you have to trust a person if you make it (Domain) Admin, because you cannot &quot;revoke&quot; that right. However it makes perfectly good reasons to use least priveledged accounts for daily work. So if somebody does not need to be admin anymore, she should not be admin.http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#425860Fri, 21 Apr 2006 10:45:24 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:425860LouisUNIX/Linux systems have the sudo command to grant privileges to execute a specific command. &nbsp; It works quite well in providing the needed fine grain control to allow a specific user the needed access to proform a specific task. &nbsp;Perhaps MS could create an equivalent Windows based interface. http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#425941Fri, 21 Apr 2006 20:30:52 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:425941JesperLouis, we already have a very similar command in &quot;Run As...&quot; (runas.exe). The problem is not that. The problem is the perception that if I make someone an admin for just a short period of time I do not need to trust them as much as if they are permanently an admin. I am absolutely not advocating against least privilege. I am simply saying that if you do not trust someone to be an admin permanently then trusting them to be one for a short period of time is a bad idea. <br> <br>That being said, you definitely should make people several accounts so they can be an admin when they need to but not all the time. In XP that is doable for many people, but hard for some. In Vista it will be a lot easier.http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#427220Thu, 04 May 2006 03:20:38 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:427220JBI agree with the risk both from the threat of a malicious user and making systems more vulnerable to malicious activity such as rootkits. <br> <br>Thankfully, I have been able to root out all the users running as local administrators on my network, but there has definitely been some cleanup regarding malware after the fact, since once that stuff has a foothold, your &quot;rootkit removal tool&quot; is almost always the final solution.http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#427289Thu, 04 May 2006 22:15:33 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:427289Jay Kimble -- The Dev TheologianIn case you missed it, I&amp;amp;rsquo;ve had a pretty cool conversation with Steve Maine in the comments portion...http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx#628715Wed, 07 Feb 2007 18:00:30 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:628715Jay Kimble -- The Dev Theologian<p>[out of date post... this deals with MS Atlas CTP... which has been change drastically and is now MS</p>