" Then you have your actual
Enterprise Admins and that should be a small group, maybe 2-5 people depending
on your size (I worked on a team of 3 people and supervisor for a 250,000 user
deployment). "
So I'm assuming that
you have more than 1 Enterprise admin in your root domain? Isn't that agains't
all the white papers out there stating that you shouldn't have more than one
ent. admin. in your forest and all other admins should be domain
admins in their own respective domain? Or did you use enterprise admin as a
generic term?
Thanks,
Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: [email protected]
Subject: [ActiveDir] Some thoughts on securing sensitive accounts....
Hi
folks,
I'm was thinking the
other day of the best way to secure schema and enterprise admin accounts. What
would you do if you had "carte blanche" to secure sensitive accounts in an
enterprise directory?
First things that
came to mind were using mandatory smart cards for SA and EA accounts kept in a
safe where only designated employes knew the pins....Any other
thoughts?
Thanks!
Francis
Ouellet
