Title: When and how often are EA rights needed?

That’s an ENTIRELY different question… but here’s MY two cents worth.  In 90-98% of enterprises, if you were to begin designing an AD forest today knowing everything that has been learned in ‘real world’ implementations of AD over the past 7 years, you would NOT end up with a dedicated forest root domain.  So the answer to your question is, “It depends, but there probably AREN’T three reasons.” 

 

There’s a LOT of background to that abrupt statement.  Read the Best Practices documents on AD security & delegation & design and you’ll begin to see.  It’s just too big of a topic to tackle in this forum.  Unfortunately, I really don’t have bandwidth right now to support the likely responses that this might generate in the group but, Rocky (or anyone), if you want to contact me directly we can chat about it… I just can’t monitor the group regularly right now.  You email me directly at dan dot holme at intelliem dot com.

 

Dan

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, March 14, 2006 10:28 AM
To: [email protected]
Subject: RE: [ActiveDir] When and how often are EA rights needed?

 

Dan,

 

Thanks for posting this.  Now ... could you spend just a minute giving us the top three reasons (if there are any at all) on why one would have a Dedicated Forest Root domain versus just a single domain.

 

I personally, would appreciate it ...

 

Thank you again.

 

RH

___________________________

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Dan Holme
Sent: Tuesday, March 14, 2006 11:51 AM
To: [email protected]
Subject: RE: [ActiveDir] When and how often are EA rights needed?

EA “rights”, once a forest is deployed and delegated, are needed only for “in case of emergency break glass” – i.e. pretty much never.  When you’re talking EA, you’re pretty much talking the Administrator account of the forest root domain (first domain installed), so think of them one and the same—you will be locking down that Administrator account to lock down EA.  Either it’s the ONLY account in the EA group (default) or any other account in EA should be locked down pretty much equivalently.

 

The “break glass” scenario is, particularly in a multi-domain forest, someone does some nasty delegation (ACL modification) that effectively “locks out” an OU.  Just like you could, theoretically, “lock yourself out” of an NTFS folder.  Just like an NTFS folder, the “owner” of the folder ALWAYS can change the ACL, and open it back up again.  In AD the “owner” is EA… it owns the forest.  So, one container at a time, EA will be able to dig down and unblock.

 

Case study: One client of mine (100k employees) has only three accounts in the EA group, which in their case is in a dedicated forest root.  I don’t believe they’ve used the accounts on over a year.  Another client (global financial services company) has ONLY the default Administrator account in EA, and that account has had a three-way password created:  three admins each entered PART of a password, the password “pieces” were put into an envelope in a physically secure location in Europe and another in N.America.  AFAIK they haven’t used it since they locked the account down.

 

Read the MS doc “Best practices for AD Delegation” to effectively delegate your forest, PARTICULARLY if you have more than one domain in your forest.  The things that tend to get “missed” that impact day-to-day or even occasional operations are things like delegating the creation of sites, subnets, and site links; the ability to kick off replication (not recommended but…); and authorize new DHCP Servers.  I’m sure that others on the list will have other tips as well.

 

Dan

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 9:29 AM
To: [email protected]
Subject: [ActiveDir] When and how often are EA rights needed?

 

 

We're trying to understand when EA rights are needed within a multi domain forest, where each domain represents a fairly autonomous region.

Mgmt have suggested that the following is true :
 -  EA not needed on daily basis
 -  EA rights rarely needed after initial deployment

Can anyone please throw a few reasons at me why you would need EA rights on a daily basis? Troubleshooting? Diagnosis?

How would you be impacted if you had to request access to a EA account each time it was required?

I'd like to build a case whereby we have permanent EAs and would like some additional ammo from you guys :)

***Feel free to argue against my views and explain to me how/why you *could* manage a forest such as the above, without access to an EA account on a daily basis.

Thanks,
neil

PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments. NIplc

does not provide investment services to private customers. Authorised and

regulated by the Financial Services Authority. Registered in England

no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP. A member of the Nomura group of companies.

Reply via email to