He is talking about each admin having a user account and an administrative account. So when you're checking email you don't also have privilege to delete every file on the network. When you need to do something administrative you use RunAs. It is called "The Principle of Least Intrusion."
As far as not making the accounts obvious - forget it. A normal user can enumerate users and groups on the network and members of groups. If a user can enumerate the members of "Domain Admins" then naming matters not. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Flanagan, Kevin Sent: Wednesday, January 09, 2002 1:16 PM To: NT 2000 Discussions Subject: RE: Use of administrative accounts I don't believe that special accounts solve anything. I have never worked anywhere that did that. We all have the rights that we need and use our own accounts for everything. Shared accounts are bad, IE Administrator, there's no auditing that can be done, not realistically anyways. I would bet that there are MANY things that you could do in that arena that would get you bigger payback. IE: When was the last time that service account passwords were changed? Most NT4 shops don't ever change them. While they may not be domain admins, I hope, they are likely to be local admins. This has come up from time to time, I've always been able to make it go away in favor of more useful work. +__________________________________________+ "There are two major products that come out of Berkeley: LSD and [Unix] BSD. We don't believe this to be a coincidence." -Jeremy S. Anderson Kevin M. Flanagan C/S Planning Engineer III IT Systems Implementation Branch Banking & Trust 3261 Atlantic Ave Suite 116 Raleigh, NC 27604 919-716-6209 > -----Original Message----- > From: Wes Owen [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 09, 2002 11:53 AM > To: NT 2000 Discussions > Subject: Use of administrative accounts > > > We are in the process of implementing separate administrative > accounts for all of our admins as part of a security project > and trying to put as many "best practices" in place as possible. > > Any one else out their doing such a thing? > > If so, how did you implement them from a naming perspective. > We started out adding a ADM designation on each account, but > doing that really makes them stick out. If someone was to > get a hold of an account list in some manner I am concerned > that they may immediately know what accounts to go after. > > > This e-mail and any files transmitted with it are > confidential and are intended solely for the use of the > individual or entity to whom they are addressed. If you are > NOT the intended recipient or the person responsible for > delivering the e-mail to the intended recipient, be advised > that you have received this e-mail in error and that any use, > dissemination, forwarding, printing, or copying of this > e-mail is strictly prohibited. > > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to [EMAIL PROTECTED] > ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED] ------ You are subscribed as [email protected] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
