I had a talk with the other admin, and now the Enterprise Admin and Schema 
Admin groups are empty.  Thanks all!

From: [email protected] [mailto:[email protected]] On 
Behalf Of Richard Stovall
Sent: Wednesday, June 29, 2016 2:49 PM
To: [email protected]
Subject: RE: [NTSysADM] Enterprise Admin best practice
That's what I recall the recommendation to be.
On Jun 29, 2016 10:29 AM, "Charles F Sullivan" 
<[email protected]> wrote:
That’s more generous than what we do.

The Enterprise and Schema Admins groups are empty, enforced by a Restricted 
Groups GPO setting. There is another one of these that limits membership in 
Domain Admins to just the 5 of us who are supposed to be. In the rare case 
where something needs Enterprise or Schema Admin rights, we temporarily add one 
of the domain admins via the respective Restricted Group setting.

We only have one large domain, which makes this quite feasible. Possibly a more 
complex forest wouldn’t be.
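
As an added example that is not part of the thread: a scheduled audit check to complement the Restricted Groups GPO approach described above, reporting any account that sits in Enterprise Admins, Schema Admins or Domain Admins without being on an approved list. It assumes the ActiveDirectory RSAT module on a domain-joined host; the approved account names are constructed placeholders.

```powershell
# Added audit example, not code from the list discussion.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

# Expected membership per privileged group. Enterprise and Schema Admins are
# expected to be empty (as the Restricted Groups GPO enforces); Domain Admins is
# limited to a named set. The account names below are constructed placeholders.
$Approved = @{
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
    'Domain Admins'     = @('da-admin1', 'da-admin2', 'da-admin3', 'da-admin4', 'da-admin5')
}

function Test-PrivilegedGroupDrift {
    param([hashtable]$Expected)
    $drift = @()
    foreach ($group in $Expected.Keys) {
        # -Recursive expands nested groups so an indirectly added member is not missed
        $actual = @(Get-ADGroupMember -Identity $group -Recursive |
                    Select-Object -ExpandProperty SamAccountName)

        # Anyone present who is not approved, and any approved account that is absent
        $unexpected = $actual | Where-Object { $_ -notin $Expected[$group] }
        $missing    = $Expected[$group] | Where-Object { $_ -notin $actual }

        foreach ($m in $unexpected) {
            $drift += [pscustomobject]@{ Group = $group; Account = $m; Issue = 'Unexpected member' }
        }
        foreach ($m in $missing) {
            $drift += [pscustomobject]@{ Group = $group; Account = $m; Issue = 'Approved member missing' }
        }
    }
    return $drift
}

$result = Test-PrivilegedGroupDrift -Expected $Approved
if ($result) {
    # Non-zero exit lets a scheduled task or monitoring job flag the drift
    $result | Format-Table -AutoSize
    exit 1
} else {
    'No privileged group drift detected.'
}
```

Run it from a scheduled task between GPO refreshes so a temporary addition that was never removed is caught even if the GPO has not yet reverted it.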

From: [email protected] [mailto:[email protected]] 
On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, June 28, 2016 5:49 PM
To: 'NT System Admin Issues Discussion list' 
<[email protected]>
Subject: [NTSysADM] Enterprise Admin best practice

I remember hearing, I believe on this list, that the best practice for the 
Enterprise Admin role was to only have a service account in that role, with a 
very complex password, that is written down and locked in a file cabinet.  I’ve 
just implemented that, but now I’m getting blowback.  Does anyone have anything 
in writing that talks about this process, and that yes, this is best practice?

Thanks,

Joe Heaton
