This is very similar to where we are with elevated privilege accounts. You only have the privileges if you need them, and they won't be attached to your normal login account. We even have the same service account issue :-(
There aren't that many normal operational tasks that actually require domain admin privileges.

-Malcolm

From: James Rankin [mailto:[email protected]]
Sent: Monday, March 23, 2009 10:57 AM
To: NT System Admin Issues
Subject: Re: How many domain admins do you have?

Only those who require Domain Administrator rights get them (those who work extensively on AD). Everyone else has their server admin rights limited via GPO to subsets of machines. We have custom groups for Exchange Server Admins, Citrix Admins, VirtualCenter admins, SQL admins, WebSense admins - on and on it goes. Even the high-level guys have an ordinary account for normal work and an elevated admin account to be used when needed.

I would guess that most Domain Admin access in our AD is held by service accounts, rather sadly, although these accounts cannot log on interactively, so their use is limited that way.

2009/3/23 David Lum <[email protected]>

General poll: How many Systems Engineers do you guys have and how many of them are domain administrators? If you don't want to divulge specifics then percentages would work.

For us we're at about 13 DA's / 13 SE's, although I think we should be closer to say, 4/13.

Comments?

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
