University research office I managed and my current place of employment both maintain separate accounts for DA/EA's and our "normal" account. EA account at the research office was kept on a piece of paper in a sealed envelope locked in the office of the office admin. User ID was on the outside of the envelope and the password was on the inside. Our EA group only held one user ID. I saw nothing in what we did that needed the EA account. We had to do enough work fixing issues remotely to need DA account but there were only 2 of us in that group.

I had the same thing pushed at me on more than one occasion (I used to have this access so I need it back) and just turned a deaf ear to their noise. I put in writing to my direct report my reasons for stripping people of the DA and was able to get enough documentation from the web of how bad it was to have a user with ANY admin rights to do that at the University office.

My current job does things differently and I am not in the security loop so only have limited direct knowledge of it. I do know DA's have separate accounts from their routine/normal accounts. I suspect the EA is handled the same and much more limited.

Merry Christmas everyone thank you for a great year!

Jon

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, December 24, 2015 12:59 PM
To: NT System Admin Issues Discussion list
Subject: [NTSysADM] Admin account best practices

I've been approached recently to put one of my admins into the Enterprise Admins group, because he used to have it, and thought he needed it for a specific task. We recently cleaned up this group, and I'm hesitant to re-add another admin, especially on the basis of "I used to have it". We currently are down to 3 users in the group, myself and two others. The accounts used are our admin accounts, which are Domain Admins in addition to Enterprise Admins.

What I was wondering is this: Should we actually be using unique accounts just for the Enterprise Admin role, or is the way we have it ok? Should we instead have a service account placeholder in the Enterprise Admin group, and use that to either do whatever work needs done, or to add ourselves as needed?

I'd love to hear what everyone out there is doing.

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA 95811
Desk: (916) 323-1284

Every Californian should conserve water.
