That would actually sound like a reason to make it happen instead of a reason
to avoid it. Seems like any files legitimately restricted to that group
shouldn't be accessed by anyone likely to bark about the change.
(removing glasses with strange pale reddish tint)
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
From: [email protected] [mailto:[email protected]] On
Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, June 28, 2016 6:28 PM
To: [email protected]
Subject: [NTSysADM] RE: Enterprise Admin best practice
History, and come to find out the old team lead had used that group for file
access somewhere. Thanks for the link, I'm going to download that so I can
defend my position if it comes to that.
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Tuesday, June 28, 2016 3:04 PM
To: [email protected]<mailto:[email protected]>
Subject: [NTSysADM] RE: Enterprise Admin best practice
What's the blowback?
There are very few things that require that level of permission. But there are
a few.
See Appendices B - H in this whitepaper:
https://technet.microsoft.com/en-us/library/dn487446.aspx
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, June 28, 2016 5:49 PM
To: 'NT System Admin Issues Discussion list'
Subject: [NTSysADM] Enterprise Admin best practice
I remember hearing, I believe on this list, that the best practice for the
Enterprise Admin role was to only have a service account in that role, with a
very complex password, that is written down and locked in a file cabinet. I've
just implemented that, but now I'm getting blowback. Does anyone have anything
in writing that talks about this process, and that yes, this is best practice?
Thanks,
Joe Heaton
