That's an interesting approach, and I kind of like it. There was a need for EA during our deployment of Lync. It was needed to make some change within the Lync configuration, but I wasn't in my current position at that time, so wasn't completely in the loop on that. But, I do like the one account idea. Not sure I can make that fly, but I might just try it out. If not that, then definitely push for separate accounts to be used for any EA activity. Same type of idea with Schema Admins. I noticed that all the EAs are members of Schema Admins as well, and I don't think that's a good idea. Put yourself in it if you need it, then remove afterwards.
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of J Harris
> Sent: Thursday, December 24, 2015 11:18 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Admin account best practices
>
> University research office I managed and my current place of employment
> both maintain separate accounts for DA/EA's and our "normal" account. EA
> account at the research office was kept on a piece of paper in a sealed
> envelope locked in the office of the office admin. User ID was on the outside
> of the envelope and the password was on the inside. Our EA group only held
> one user ID. I saw nothing in what we did that needed the EA account. We
> had to do enough work fixing issues remotely to need DA account but there
> were only 2 of us in that group. I had the same thing pushed at me on more
> than one occasion (I used to have this access so I need it back) and just
> turned a deaf ear to their noise. I put in writing to my direct report my
> reasons for stripping people of the DA and was able to get enough
> documentation from the web of how bad it was to have a user with ANY
> admin rights to do that at the University office. My current job does things
> differently and I am not in the security loop so only have limited direct
> knowledge of it. I do know DA's have separate accounts from their
> routine/normal accounts. I suspect the EA is handled the same and much
> more limited.
>
> Merry Christmas everyone, thank you for a great year!
>
> Jon
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> On Behalf Of Heaton, Joseph@Wildlife
> Sent: Thursday, December 24, 2015 12:59 PM
> To: NT System Admin Issues Discussion list
> Subject: [NTSysADM] Admin account best practices
>
> I've been approached recently to put one of my admins into the Enterprise
> Admins group, because he used to have it, and thought he needed it for a
> specific task. We recently cleaned up this group, and I'm hesitant to re-add
> another admin, especially on the basis of "I used to have it". We currently
> are down to 3 users in the group, myself and two others. The accounts used
> are our admin accounts, which are Domain Admins in addition to Enterprise
> Admins. What I was wondering is this:
>
> Should we actually be using unique accounts just for the Enterprise Admin
> role, or is the way we have it ok? Should we instead have a service account
> placeholder in the Enterprise Admin group, and use that to either do
> whatever work needs done, or to add ourselves as needed? I'd love to hear
> what everyone out there is doing.
>
> Thanks,
>
> Joe Heaton
> Information Technology Operations Branch
> Data and Technology Division
> CA Department of Fish and Wildlife
> 1700 9th Street, 3rd Floor
> Sacramento, CA 95811
> Desk: (916) 323-1284
>
> Every Californian should conserve water.
>
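An added audit script for the checks this thread keeps coming back to (who holds Enterprise Admins and Schema Admins, whether the same accounts hold both, and whether an EA account looks like someone's daily-use account); it is not from any poster and assumes the RSAT ActiveDirectory module, PowerShell 3.0 or later, and that the admin accounts live in the forest root domain.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# PowerShell 3.0+, and read access to the forest root domain.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so query that domain explicitly rather than whatever domain this host is in.
$rootDomain = (Get-ADForest).RootDomain
$groups     = 'Enterprise Admins', 'Schema Admins', 'Domain Admins'

# Effective (nested) user membership of each group, keyed by group name.
$members = @{}
foreach ($g in $groups) {
    $members[$g] = @(Get-ADGroupMember -Identity $g -Server $rootDomain -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName)
}

foreach ($g in $groups) {
    Write-Output ("{0}: {1} user(s) -> {2}" -f $g, $members[$g].Count, ($members[$g] -join ', '))
}

# Accounts holding Enterprise Admins and Schema Admins at the same time.
# Schema changes are rare; the thread's advice is to add yourself for the change
# and remove the membership afterwards, so standing overlap is a finding.
$bothEaSa = @($members['Enterprise Admins'] | Where-Object { $members['Schema Admins'] -contains $_ })
if ($bothEaSa.Count -gt 0) {
    Write-Warning ('Standing membership in both Enterprise Admins and Schema Admins: ' + ($bothEaSa -join ', '))
}

# An Enterprise Admins account that logs on most days is probably also someone's
# day-to-day account. LastLogonDate derives from lastLogonTimestamp, which
# replicates with coarse precision, so treat it as a rough indicator only.
# Assumption: members are in the forest root domain (child-domain members would
# need -Server pointed at their own domain).
$recentDays = 7   # constructed threshold; tune to your environment
foreach ($sam in $members['Enterprise Admins']) {
    $u = Get-ADUser -Identity $sam -Server $rootDomain -Properties LastLogonDate, Enabled
    if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -gt (Get-Date).AddDays(-$recentDays)) {
        Write-Warning ("{0} is in Enterprise Admins and last logged on {1:yyyy-MM-dd}; confirm it is not a daily-use account" -f $sam, $u.LastLogonDate)
    }
}
```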
