Absolutely not. If you have multiple people that know the password to an
admin account every single person has an out as to who screwed what up. You
have no security when you do that. Plus, every additional person who knows a
password on an account increases the chance of even more people learning it.
If a password is specific to a single user they are much more guarded on
letting others get it because for all intents and purposes... It is them.

   joe 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:29 PM
To: [email protected]
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

How about a generic ent. Admin account? One with an obscure name and 10 foot
password? Only "selected" support/admin people have the password?

Just thinking out loud here..... ;-) 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: 25 février 2005 15:21
To: [email protected]
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

What do you do when you have an AD support group that need access to
Enterprise Admin privs if you only have one Enterprise Admin? I know I
wouldn't want to be the only guy with those privs in the middle of the night
on a weekend when I'm not on call ;)

Phil 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:15 PM
To: [email protected]
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

 " Then you have your actual Enterprise Admins and that should be a small
group, maybe 2-5 people depending on your size (I worked on a team of 3
people and supervisor for a 250,000 user deployment). "
 
So I'm assuming that you have more than 1 Enterprise admin in your root
domain? Isn't that against all the white papers out there stating that you
shouldn't have more than one ent. admin. in your forest and all other admins
should be domain admins in their own respective domain? Or did you use
enterprise admin as a generic term?
 
Thanks,
Francis 
 
 
 
 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: [email protected]
Subject: [ActiveDir] Some thoughts on securing sensitive accounts....


Hi folks,
 
I was thinking the other day of the best way to secure schema and
enterprise admin accounts. What would you do if you had "carte blanche"
to secure sensitive accounts in an enterprise directory?
 
First things that came to mind were using mandatory smart cards for SA and
EA accounts kept in a safe where only designated employees knew the
pins.... Any other thoughts?
 
Thanks!
Francis Ouellet 
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/