That's what I recall the recommendation to be.

On Jun 29, 2016 10:29 AM, "Charles F Sullivan" <[email protected]> wrote:
> That’s more generous than what we do.
>
> The Enterprise and Schema Admins groups are empty, enforced by a Restricted Groups GPO setting. There is another one of these that limits membership in Domain Admins to just the 5 of us who are supposed to be. In the rare case where something needs Enterprise or Schema Admin rights, we temporarily add one of the domain admins via the respective Restricted Group setting.
>
> We only have one large domain, which makes this quite feasible. Possibly a more complex forest wouldn’t be.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
> Sent: Tuesday, June 28, 2016 5:49 PM
> To: 'NT System Admin Issues Discussion list' <[email protected]>
> Subject: [NTSysADM] Enterprise Admin best practice
>
> I remember hearing, I believe on this list, that the best practice for the Enterprise Admin role was to only have a service account in that role, with a very complex password, that is written down and locked in a file cabinet. I’ve just implemented that, but now I’m getting blowback. Does anyone have anything in writing that talks about this process, and that yes, this is best practice?
>
> Thanks,
>
> Joe Heaton
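A way to verify from the command line the arrangement Charles describes (Enterprise Admins and Schema Admins empty, Domain Admins restricted to a known list). This is an added example, not code from anyone on the thread: it uses the ActiveDirectory module to resolve the three groups by their well-known RIDs in the forest root domain, reports the effective (nested) membership of each, and flags anything that deviates from the expected state. The account names in `$ApprovedDomainAdmins` are placeholders, not the five accounts mentioned in the thread, and the script assumes the caller can read group membership in the root domain.

```powershell
# Added example: audit privileged-group membership against the state the thread describes.
# Requires the ActiveDirectory module (RSAT) and read access to the forest root domain.
Import-Module ActiveDirectory

# Assumption: the accounts allowed in Domain Admins. Placeholder names,
# not the five accounts referred to in the thread.
$ApprovedDomainAdmins = @('da-alice', 'da-bob', 'da-carol', 'da-dave', 'da-erin')

# Enterprise Admins and Schema Admins exist only in the forest root domain, so resolve
# everything against that domain rather than whichever domain the workstation belongs to.
$rootDomain = (Get-ADForest).RootDomain
$rootSid    = (Get-ADDomain -Identity $rootDomain).DomainSID.Value

# Well-known RIDs: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
# Resolving by SID rather than name avoids surprises if a group has been renamed.
$checks = @(
    @{ Name = 'Enterprise Admins'; Rid = 519; Allowed = @() }
    @{ Name = 'Schema Admins';     Rid = 518; Allowed = @() }
    @{ Name = 'Domain Admins';     Rid = 512; Allowed = $ApprovedDomainAdmins }
)

function Get-PrivilegedGroupDrift {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$Server,
        [string[]]$Allowed = @()
    )
    # -Recursive expands nested groups, so a user tucked into a group that was
    # itself added to Domain Admins still shows up as an effective member.
    $members = Get-ADGroupMember -Identity $Sid -Server $Server -Recursive |
        Select-Object -ExpandProperty SamAccountName

    $unexpected = @($members | Where-Object { $_ -notin $Allowed })
    $missing    = @($Allowed | Where-Object { $_ -notin $members })

    [pscustomobject]@{
        Members    = @($members)
        Unexpected = $unexpected   # present in AD but not on the allow list
        Missing    = $missing      # on the allow list but not present in AD
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$report = foreach ($check in $checks) {
    $sid   = "$rootSid-$($check.Rid)"
    $group = Get-ADGroup -Identity $sid -Server $rootDomain
    $drift = Get-PrivilegedGroupDrift -Sid $sid -Server $rootDomain -Allowed $check.Allowed

    [pscustomobject]@{
        Group      = $group.Name
        Expected   = $check.Name
        Count      = $drift.Members.Count
        Unexpected = ($drift.Unexpected -join ', ')
        Missing    = ($drift.Missing -join ', ')
        Compliant  = $drift.Compliant
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job alert on drift.
if ($report.Compliant -contains $false) { exit 1 }
```

The script reports live membership, so it also shows the effect of the Restricted Groups setting itself: a "Members of this group" entry removes any account that is not listed at the next Group Policy refresh, which is why a temporary Enterprise or Schema Admin has to be granted through the GPO, as Charles describes, rather than by editing the group directly. Running the check before and after such a change documents exactly who held the right and for how long.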

