We are looking at using ActiveRoles to manage temporary access to sensitive groups such as Domain Admins. It appears this is simple enough to do, but we wanted to get some feedback before we lock ourselves out entirely!
The plan is we allow our admins to add themselves to groups such as Domain Admins, Quest Admins and Enterprise Admins. We will have a policy in place that forces temporary access of one hour if they don't select anything. There will be a limit of 8 hours (these times are being debated).
We decided to include the Quest Admins group as that's just as important as Domain Admins etc.
There will be a scheduled workflow that checks for members of Domain Admins and alerts for any unauthorised members. Ideally the workflow would delete them, but we are a little scared of automating the deletion. We already have similar alerts from Change Auditor as well.
Has anyone done this before, and does it sound reasonable?
Is there anything else we should consider when it comes to locking down domain admin access?
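The alert-only check described in the post, written out as an added example so the nesting edge case is visible. This is not the original poster's ActiveRoles workflow and not Quest code; it is a plain PowerShell script using the RSAT ActiveDirectory module that a scheduled task could run. The group names `Domain Admins`, `Enterprise Admins` and `Quest Admins` are taken from the post; the baseline account names (`Administrator`, `svc-break-glass`), the function name `Get-UnauthorisedMembers` and the export path are placeholders to replace.

```powershell
# Added example, not from the original post or from Quest/ActiveRoles.
# Audits protected groups against an approved baseline and reports anything
# else as a finding. It alerts only; removal is deliberately left to a human.
# Assumes the RSAT ActiveDirectory module is installed and the account running
# the task can read group membership.

Import-Module ActiveDirectory

# Constructed baseline (placeholder names): the only accounts allowed to hold
# standing membership. Everyone else found in these groups is unauthorised.
$Baseline = @{
    'Domain Admins'     = @('Administrator', 'svc-break-glass')
    'Enterprise Admins' = @('Administrator')
    'Quest Admins'      = @('Administrator')
}

function Get-UnauthorisedMembers {
    param([hashtable]$Approved)

    foreach ($groupName in $Approved.Keys) {
        # -Recursive expands nested groups and returns the leaf objects
        # (users, computers), so an account added via a nested group is
        # still compared against the baseline instead of slipping past it.
        $leafMembers = Get-ADGroupMember -Identity $groupName -Recursive
        foreach ($m in $leafMembers) {
            if ($Approved[$groupName] -notcontains $m.SamAccountName) {
                [pscustomobject]@{
                    Group  = $groupName
                    Member = $m.SamAccountName
                    Type   = $m.objectClass
                    DN     = $m.distinguishedName
                }
            }
        }

        # Any group object sitting directly inside a protected group is a
        # finding in its own right: its membership is controlled elsewhere,
        # so the one-hour/eight-hour policy on the protected group no longer
        # bounds who is effectively a Domain Admin.
        Get-ADGroupMember -Identity $groupName |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group  = $groupName
                    Member = $_.SamAccountName
                    Type   = 'nested-group'
                    DN     = $_.distinguishedName
                }
            }
    }
}

$findings = @(Get-UnauthorisedMembers -Approved $Baseline)

if ($findings.Count -gt 0) {
    # Alert only, matching the plan above; no Remove-ADGroupMember here.
    $findings | Format-Table -AutoSize | Out-String | Write-Warning
    # Placeholder path for the record the on-call person reviews:
    $findings | Export-Csv -Path 'C:\Audit\protected-groups.csv' -NoTypeInformation
} else {
    Write-Output 'All protected groups match the approved baseline.'
}
```

Two caveats when scheduling this: `Get-ADGroupMember` throws on groups whose membership exceeds the domain's query size limit or that contain foreign security principals from trusted domains, so a failing run should itself raise an alert rather than be treated as "no findings"; and because the temporary memberships in the plan expire on their own, run the check often enough (well under the one-hour default) that a short-lived unauthorised addition is actually observed.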