I take the following approach: 1. Assign admins a secondary account. Primary accounts are used to perform day to day stuff - admin accounts are used to perform priv operations. This allows for audit trails to be created, as you state, which help identify who made what change, when and how etc etc
2. Monitor and manage the memberships of the priv groups. Create a committee or similar who manage the AD from a strategic perspective. They own the priv groups and are responsible for vetting new admins and approving change to the memberships of priv groups. Run regular reports showing who has membership of these groups and action any anomalies. neil ___________________________ Neil Ruston Global Technology Infrastructure Nomura International plc Telephone: +44 (0) 20 7521 3481 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: 10 March 2006 14:19 To: [email protected] Subject: [ActiveDir] Individual admin accounts vs Generic admin account. Dear collective, In your esteemed opinions, is it better to have one central admin account which every member of the sysadmin team should use, or is it better to give ever member of the team their own admin account? I'm inclined towards giving people their own admin accounts, purely from an audit point of view, but I'm being told that it's better to have one central admin account, as it is easier to track which accounts have admin rights. I would have thought that NET GROUP would make that fairly obvious. Am I missing something here? -- AdamT 'Thank-you for not requesting read receipts' List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
