I heard the second best answer to this when in Seattle chomping on a burger with ~Eric, Brett, and Brian Desmond. Brian said, and I sort of quote, "When someone adds someone else to an admin group that they aren't supposed to, I remove the person they added and the person who did it."

The best answer is that there should only be about 5 Domain Admins tops and they shouldn't be different based on what domain in a forest, the same 5 people should be DAs and EAs in the forest. The number 5 is only needed for coverage in case someone is sick or gone. There really shouldn't be enough true Domain Admin type work to justify 5 DAs just for workload. Consider, you are a domain admin because you need to make domain level configurations. How much of that needs to be done after initial deployment?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Thursday, October 06, 2005 1:00 PM
To: [email protected]
Subject: [ActiveDir] Modifying Domain Admins & Administrators Group

Hi,

We have about 7 domain administrators in a particular child domain. I just found out someone added the DBA Group to part of the Administrators group in this domain. Not necessary, not required nor is it a policy. Event logs have obviously been overwritten therefore I would like to know the simplest method to avoid this scenario from ever happening again. What are my options?

Thank you so much.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
