Oh, I had a fight as I am sure most people that stripped Admin rights off of
users have had.  I just got together all the articles on admins or users
with admin getting viruses and then taking down the entire domain together.
We had a couple people at the main campus, I currently work for one of them
at my current job, that assisted in getting together evidence to make my
claims hold water.  He actually was the one that pushed the idea of DA and
normal user being different.  I did not think of that.  I later saw others
did the same thing so it was easier to keep me on track. Thank you Andrew!

Jon

-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, December 24, 2015 2:52 PM
To: '[email protected]'
Subject: RE: [NTSysADM] Admin account best practices

That's an interesting approach, and I kind of like it.  There was a need for
EA during our deployment of Lync.  It was needed to make some change within
the Lync configuration, but I wasn't in my current position at that time, so
wasn't completely in the loop on that.  But, I do like the one account idea.
Not sure I can make that fly, but I might just try it out.  If not that,
then definitely push for separate accounts to be used for any EA activity.
Same type of idea with Schema Admins.  I noticed that all the EAs are
members of Schema Admins as well, and I don't think that's a good idea.  Put
yourself in it if you need it, then remove afterwards.

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of J Harris
> Sent: Thursday, December 24, 2015 11:18 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Admin account best practices
> 
> University research office I managed and my current place of 
> employment both maintain separate accounts for DA/EA's and our 
> "normal" account.  EA account at the research office was kept on a 
> piece of paper in a sealed envelope locked in the office of the office 
> admin.  User ID was on the outside of the envelope and the password was 
> on the inside.  Our EA group only held one user ID.  I saw nothing in 
> what we did that needed the EA account.  We had to do enough work 
> fixing issues remotely to need DA account but there were only 2 of us 
> in that group.  I had the same thing pushed at me on more than one 
> occasion (I used to have this access so I need it back) and just 
> turned a deaf ear to their noise.  I put in writing to my direct 
> report my reasons for stripping people of the DA and was able to get 
> enough documentation from the web of how bad it was to have a user 
> with ANY admin rights to do that at the University office.  My current 
> job does things differently and I am not in the security loop so only 
> have limited direct knowledge of it.  I do know DA's have separate 
> accounts from their routine/normal accounts.  I suspect the EA is handled
> the same and much more limited.
> 
> Merry Christmas everyone thank you for a great year!
> 
> Jon
> 
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> On Behalf Of Heaton, Joseph@Wildlife
> Sent: Thursday, December 24, 2015 12:59 PM
> To: NT System Admin Issues Discussion list
> Subject: [NTSysADM] Admin account best practices
> 
> I've been approached recently to put one of my admins into the 
> Enterprise Admins group, because he used to have it, and thought he 
> needed it for a specific task.  We recently cleaned up this group, and 
> I'm hesitant to re-add another admin, especially on the basis of "I 
> used to have it".  We currently are down to 3 users in the group, 
> myself and two others.  The accounts used are our admin accounts, 
> which are Domain Admins in addition to Enterprise Admins.  What I was
> wondering is this:
> 
> Should we actually be using unique accounts just for the Enterprise 
> Admin role, or is the way we have it ok?  Should we instead have a 
> service account placeholder in the Enterprise Admin group, and use 
> that to either do whatever work needs done, or to add ourselves as 
> needed?  I'd love to hear what everyone out there is doing.
> 
> Thanks,
> 
> Joe Heaton
> 
> Information Technology Operations Branch
> 
> Data and Technology Division
> 
> CA Department of Fish and Wildlife
> 
> 1700 9th Street, 3rd Floor
> 
> Sacramento, CA  95811
> 
> Desk:  (916) 323-1284
> 
> 
> 
> Every Californian should conserve water.
> 
> 
> 
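The practices argued for across this thread (keep Enterprise Admins empty or nearly so, do not let every EA also sit in Schema Admins, and use dedicated admin accounts rather than daily-use logins) can be checked with a short audit. The script below is an added example, not code posted by anyone in the thread. It assumes the RSAT ActiveDirectory module is available, that the caller can read group membership in the forest root, and it uses a made-up naming convention (`-adm` suffix) and a "mail attribute set" heuristic to spot daily-use accounts holding forest-level rights; adjust both to local convention.

```powershell
# Added audit example (not from the thread). Assumptions: ActiveDirectory RSAT module,
# read access to forest-root group membership, and an assumed "-adm" admin-account suffix.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Enterprise Admins', 'Schema Admins'),
        [string]$AdminSuffix = '-adm'   # assumed convention for dedicated admin accounts
    )
    $forest = Get-ADForest
    # Query the global catalog so members from child domains still resolve
    $gc = "$($forest.RootDomain):3268"
    $report = @{}

    foreach ($g in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain
        $members = Get-ADGroupMember -Identity $g -Server $forest.RootDomain -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
        $report[$g] = @(foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Server $gc -Properties mail
            [pscustomobject]@{
                Group         = $g
                Account       = $u.SamAccountName
                Enabled       = $u.Enabled
                HasMailbox    = [bool]$u.mail                       # heuristic: mail set suggests a daily-use login
                FollowsNaming = $u.SamAccountName.EndsWith($AdminSuffix)
            }
        })
    }
    return $report
}

$r  = Get-PrivilegedGroupReport
$ea = @($r['Enterprise Admins'])
$sa = @($r['Schema Admins'])

Write-Host "Enterprise Admins standing members: $($ea.Count) (thread's target: zero, add yourself only when needed)"
$ea | Format-Table -AutoSize

# Joe's observation: every EA also a member of Schema Admins
$both = @($ea.Account | Where-Object { $sa.Account -contains $_ })
if ($both.Count -gt 0) { Write-Warning "In both Enterprise Admins and Schema Admins: $($both -join ', ')" }

# Accounts that look like routine logins rather than dedicated admin accounts
$ea + $sa | Where-Object { $_.HasMailbox -or -not $_.FollowsNaming } |
    ForEach-Object { Write-Warning "$($_.Group): $($_.Account) does not look like a dedicated admin account" }
```

Run it from a workstation with RSAT as an account that can read the forest root; it only reads, so it is safe to schedule and diff over time. For the "put yourself in it if you need it, then remove afterwards" step, forests with the Privileged Access Management optional feature enabled can pass `-MemberTimeToLive` to `Add-ADGroupMember`, so the membership expires on its own instead of relying on someone remembering to remove it.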