Response: Tracking Admin Passwords

(For the original Open Call article on tracking Admin passwords, see

Geoff Carman

There are several issues here:

  • Issue 1: Keeping track of what the actual passwords are for the various and numerous privileged accounts that proliferate throughout the enterprise. There are commercial packages that centrally store and encrypt these passwords; some run on PDAs for better portability.

  • Issue 2: Tracking who HAS Admin rights, which is just as important. For each platform and application this is an issue. eDirectory seems most relevant for this discussion.

There are commercial tools that audit rights throughout the tree, but for a simple approach, you can check the Admin user object for "Security Equal to Me" rights. (You can see this in ConsoleOne, as the second item on the Group Membership tab.) You can also see this in DSBrowse, as it is stored in an actual attribute, Equivalent To Me. So whatever tool you like to use (DSBrowse, LDAP browsers, ConsoleOne, etc.), you can see the DN of everyone who is security equivalent to Admin.

"Admin" gets the rights to administer the tree as an ACL of "S" (Supervisor) rights to the [Root] object in the tree. So check out the explicit trustees of [Root] (which looks like the name of the tree in ConsoleOne) and see who has explicit rights. The actual attribute is called ACL and will have multiple values, that look something like this:

2#subtree#cn=bob,o=acme#[All Attributes Rights]

Personally, I like to create a second account somewhere in the tree with explicit rights to [Root] so that if Admin ever gets accidentally deleted, it is easy to fix. On the other hand, an account that is "Security Equal To" Admin would lose all rights if the Admin object were accidentally deleted.

This works best in a small, simple management model tree. If you have set up distributed administration and have OUs that have local Admins, you just need to repeat all this for each boundary of rights.

The nice news is that these attributes are all exposed via LDAP, so if you like, you could use LDAP to get them, making it a cross-platform tool.
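As an added example (not part of the original response), here is how the two checks above can be scripted once the values have been read over LDAP: it parses ACL attribute values in the privileges#scope#subjectname#protectedattrname form shown earlier, lists who holds Supervisor on [Entry Rights] of [Root], and sets that beside the Equivalent To Me list from the Admin object. The privilege bit labels are my reading of the eDirectory LDAP ACL encoding and should be checked against your server documentation; the LDAP attribute names ACL and equivalentToMe, and all sample values, are constructed for the example rather than taken from a live tree.

```python
"""Added example (not from the original article): decode eDirectory ACL and
Equivalent To Me values as they come back over LDAP, and list who effectively
holds Supervisor over [Root]. All sample values below are constructed."""
from dataclasses import dataclass

# Bit values follow the eDirectory LDAP ACL encoding
# (privileges#scope#subjectname#protectedattrname). The labels are my reading
# of the Novell documentation; treat them as an assumption and check them
# against your server's docs. Bit 16 (Supervisor) is the one that matters here.
ENTRY_RIGHTS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_RIGHTS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 16: "Supervisor"}
SUPERVISOR = 16


@dataclass(frozen=True)
class Ace:
    privileges: int
    scope: str       # "entry" or "subtree"
    subject: str     # trustee DN, or a pseudo-subject such as [Public] or [Self]
    protected: str   # "[Entry Rights]", "[All Attributes Rights]" or one attribute name


def parse_acl(value: str) -> Ace:
    """Split one ACL attribute value into its four '#'-separated fields."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed ACL value: {value!r}")
    priv, scope, subject, protected = parts
    if scope not in ("entry", "subtree"):
        raise ValueError(f"unknown scope {scope!r} in {value!r}")
    return Ace(int(priv), scope, subject, protected)


def rights_names(ace: Ace) -> list[str]:
    """Expand the privilege bitmask into names, using the entry or attribute table."""
    table = ENTRY_RIGHTS if ace.protected == "[Entry Rights]" else ATTR_RIGHTS
    return [name for bit, name in sorted(table.items()) if ace.privileges & bit]


def supervisors(acl_values: list[str]) -> list[str]:
    """Subjects holding Supervisor over [Entry Rights] on this object.

    Supervisor on the entry gives full control of the object and, with
    'subtree' scope, of everything below it. These are the explicit trustees
    the article says to check on [Root]."""
    found = set()
    for ace in map(parse_acl, acl_values):
        if ace.protected == "[Entry Rights]" and ace.privileges & SUPERVISOR:
            found.add(ace.subject)
    return sorted(found)


def admin_report(root_acl: list[str], admin_equivalent_to_me: list[str]) -> dict:
    """Combine the two checks from the article into one picture."""
    explicit = supervisors(root_acl)
    return {
        # Accounts with their own Supervisor ACE on [Root]: survive Admin's deletion.
        "explicit_supervisors": explicit,
        # Accounts riding on Admin's rights via security equivalence: they lose
        # everything if the Admin object is deleted.
        "equivalent_to_admin": sorted(admin_equivalent_to_me),
        "effective_admins": sorted(set(explicit) | set(admin_equivalent_to_me)),
    }


# Constructed sample data, standing in for what an LDAP read of the tree root
# (attribute ACL) and of cn=admin,o=acme (attribute equivalentToMe) would return.
ROOT_ACL = [
    "16#subtree#cn=admin,o=acme#[Entry Rights]",
    "16#subtree#cn=admin,o=acme#[All Attributes Rights]",
    "16#subtree#cn=backupadmin,ou=ops,o=acme#[Entry Rights]",
    "2#subtree#cn=bob,o=acme#[All Attributes Rights]",   # the article's example: Read only
    "1#subtree#[Public]#[Entry Rights]",                 # Browse for everyone
]
ADMIN_EQUIVALENT_TO_ME = ["cn=helpdesk,ou=it,o=acme"]

if __name__ == "__main__":
    for value in ROOT_ACL:
        ace = parse_acl(value)
        print(f"{ace.subject:40} {ace.scope:8} {ace.protected:25} {', '.join(rights_names(ace))}")
    print(admin_report(ROOT_ACL, ADMIN_EQUIVALENT_TO_ME))
```

Run against real data, the report gives you both lists the article asks for: the explicit [Root] supervisors (the ones that would survive an accidental deletion of Admin) and the accounts that only have rights through security equivalence. In a distributed-administration tree, run supervisors() against the ACL of each OU that has its own local Admin as well.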

There are plenty of additional places to look, but this should give you an idea of where to start the process. Or, it may convince you that it is worth buying a product that does all the hard work for you.
