There's no way you should use a single admin account. You have no way to
track who did what. Managing admin accounts and their group memberships
is not difficult, certainly not as difficult as trying to figure out who
screwed something up when the audit logs all say "Administrator". You
shouldn't have that many admins to worry about anyway. I know several
very large AD installations (>100K users, 100s of sites, a few domains)
and they have 2 or at most 3 domain admins per domain.

Most organizations I've worked with give admins two accounts, a regular
everyday account and an admin account that they use only when they need
the extra privs. The admin account doesn't have email, and in some envs
is restricted to logging in on a handful of highly locked-down
workstations. This reduces the possibility of malware running under
admin privs.

And I've worked with a couple of companies that use shared accounts (not
just admin accounts), and it is a complete and utter nightmare from an
administration and auditing standpoint.

-gil

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Friday, March 10, 2006 7:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Individual admin accounts vs Generic admin account.

Dear collective,

In your esteemed opinions, is it better to have one central admin
account which every member of the sysadmin team should use, or is it
better to give every member of the team their own admin account?

I'm inclined towards giving people their own admin accounts, purely
from an audit point of view, but I'm being told that it's better to
have one central admin account, as it is easier to track which
accounts have admin rights.  I would have thought that NET GROUP would
make that fairly obvious.

Am I missing something here?

--
AdamT
'Thank-you for not requesting read receipts'
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
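An added example, not part of the thread above: a PowerShell script that answers AdamT's "who has admin rights?" question the way gil's reply implies it should be answered, by enumerating the privileged groups (nested membership included, which `NET GROUP` does not show) and checking each admin account against the practices gil describes: a separate account with no mailbox, restricted to a handful of locked-down workstations. It assumes the RSAT ActiveDirectory module is installed and that you are running it as a domain user; the group list and the approved-admin names are assumptions you would replace with your own.

```powershell
# Added example, not from the original list post. Assumes the RSAT
# ActiveDirectory module. Group names and $ApprovedAdmins are assumptions.
Import-Module ActiveDirectory

# Groups that confer domain-wide admin rights. 'Administrators' is the
# built-in domain local group on the DCs.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Assumed: the SamAccountNames you expect to hold admin rights. With the
# two-account model these are the dedicated admin accounts, not the
# everyday ones.
$ApprovedAdmins = @('adm-gil', 'adm-adam', 'Administrator')

$findings = foreach ($group in $PrivilegedGroups) {
    # 'net group "Domain Admins" /domain' lists direct members only;
    # -Recursive expands nested groups so indirect members show up too.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties mail, LogonWorkstations, AccountNotDelegated, LastLogonDate

        [pscustomobject]@{
            Group             = $group
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            Approved          = $ApprovedAdmins -contains $u.SamAccountName
            # Admin accounts should not have email (gil's point): a mailbox
            # on a privileged account is a phishing path straight to admin.
            HasMailbox        = -not [string]::IsNullOrEmpty($u.mail)
            # Non-empty LogonWorkstations means the account can only log on
            # interactively at the listed machines (the locked-down admin
            # workstations gil mentions).
            WorkstationLocked = -not [string]::IsNullOrEmpty($u.LogonWorkstations)
            # "Account is sensitive and cannot be delegated" keeps the admin's
            # credentials from being impersonated by services.
            NotDelegated      = [bool]$u.AccountNotDelegated
            LastLogonDate     = $u.LastLogonDate
        }
    }
}

# Full picture of who holds admin rights, and through which group.
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize

"`nUnexpected admin accounts (not in the approved list):"
$findings | Where-Object { -not $_.Approved } |
    Select-Object Group, SamAccountName, Enabled

"`nAdmin accounts with a mailbox (should be none):"
$findings | Where-Object { $_.HasMailbox } |
    Select-Object -Unique SamAccountName

"`nAdmin accounts not restricted to specific workstations:"
$findings | Where-Object { -not $_.WorkstationLocked } |
    Select-Object -Unique SamAccountName

"`nAdmin accounts that can be delegated:"
$findings | Where-Object { -not $_.NotDelegated } |
    Select-Object -Unique SamAccountName
```

Run it from a scheduled task on a management host and diff the output against the previous run; a new name in the first report is exactly the "who did what" trail that a shared Administrator account can never give you.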