I believe I once knew the answer to this basic question, but for the life of me, the answer is gone and the path to logical evaluation has been washed away. I am an AD guy, and after deployment of VAS / QAS I lost access to, and interest in keeping access to, a Unix host to even test out such a question.
User A logs in to Unix host with unprivileged account.
Thanks to the magic of Unix RBAC/Sudo - customer su's to root.
What prevents root from su'ing to a Unix-enabled account in AD that is also a member of the domain administrators group and usurping their privilege without being prompted for a password? Same question for su'ing to the built-in administrator account for the domain?
I know there must be a traffic-cop mechanism that stops such a request, but what is IT, DANGIT!
Please and thank you...