One person, multiple accounts, no shared accounts. And it's damned unlikely that he'd need EA for any task, unless he's extending the schema, which happens only very rarely. He's going to have to justify that he needs it for the task.
I can see having the DA account also be an EA, if only because in so many configurations it's just a matter of the DA adding the membership, but not vice versa. Kurt On Thu, Dec 24, 2015 at 9:59 AM, Heaton, Joseph@Wildlife <[email protected]> wrote: > I’ve been approached recently to put one of my admins into the Enterprise > Admins group, because he used to have it, and thought he needed it for a > specific task. We recently cleaned up this group, and I’m hesitant to > re-add another admin, especially on the basis of “I used to have it”. We > currently are down to 3 users in the group, myself and two others. The > accounts used are our admin accounts, which are Domain Admins in addition to > Enterprise Admins. What I was wondering is this: > > > > Should we actually be using unique accounts just for the Enterprise Admin > role, or is the way we have it ok? Should we instead have a service account > placeholder in the Enterprise Admin group, and use that to either do > whatever work needs done, or to add ourselves as needed? I’d love to hear > what everyone out there is doing. > > > > Thanks, > > > > Joe Heaton > > Information Technology Operations Branch > > Data and Technology Division > > CA Department of Fish and Wildlife > > 1700 9th Street, 3rd Floor > > Sacramento, CA 95811 > > Desk: (916) 323-1284 > > > > Every Californian should conserve water.
