To add to what Eric has said ONLY allow admin access to what that person is expected to admin. Desktop support does not need access to DA accounts, DA accounts don't need access to desktops etc. Also your re-organization will highly depend on staffing and what and how you want things done. This is NOT a one size fits all question, never has been and most likely never will be.
Jon -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Erik Goldoff Sent: Sunday, January 1, 2017 3:26 PM To: [email protected] Subject: Re: [NTSysADM] IT Organization Design NEVER share accounts, especially admin. Everyone should have a regular user level account, and admins should have a second account for when privilege escalation is needed. Many have username and username-adm or similar to discern between normal and elevated accounts. Configure your auditing to flag use of the default 'administrator' and 'guest' accounts. On Sun, Jan 1, 2017 at 3:01 PM, CSSU NetAdmin <[email protected]> wrote: We are looking at re-organizing our IT department for our K-12 school district. Are there examples out there for how work is divided? Do IT staff focus on specific areas or is everyone more of a generalist? We have moved to Chromebooks in a big way and find how we are presently organized- school based- really doesn't work anymore. Finally, who uses the Least Privilege Administrative model? If you do, is there one domain admin account shared for people who need admin rights or do each IT staff person have two accounts? Thanks for any ideas. Happy New Year!
