+1

Effectively this:
Domain Admins
Local Administrator
Desktop Support Group
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: James Rankin
Sent: Tuesday, March 24, 2009 7:51 AM
To: NT System Admin Issues
Subject: Re: How many domain admins do you have?

They replace the contents completely - we simply have Domain Admins, the local 
admin account and the relevant server admin group specified in the GPO.

2009/3/24 Eisenberg, Wayne
So Restricted Groups add to the local group, not replace the entire contents of 
the local group?



________________________________
From: James Rankin
Sent: Tuesday, March 24, 2009 4:40 AM

To: NT System Admin Issues
Subject: Re: How many domain admins do you have?

Group your servers into GPOs such as Citrix Servers, Exchange Servers, etc., 
create a group called Citrix Server Admins or whatever, and use Restricted 
Groups to add that group to local Administrators for the servers in that OU. 
Users are then added to the relevant server admin group and inherit admin 
rights to the group of servers.

2009/3/23 Eisenberg, Wayne
I'm curious - how do you do that with GPOs?

Wayne

________________________________
From: James Rankin
Sent: Monday, March 23, 2009 11:57 AM

To: NT System Admin Issues
Subject: Re: How many domain admins do you have?

Only those who require Domain Administrator rights get them (those who work 
extensively on AD). Everyone else has their server admin rights limited via GPO 
to subsets of machines. We have custom groups for Exchange Server Admins, 
Citrix Admins, VirtualCenter admins, SQL admins, WebSense admins - on and on it 
goes.

Even the high-level guys have an ordinary account for normal work and an 
elevated admin account to be used when needed. I would guess that most Domain 
Admin access in our AD is held by service accounts, rather sadly, although 
these accounts cannot log on interactively, so their use is limited that way.

2009/3/23 David Lum

General poll: How many Systems Engineers do you guys have and how many of them 
are domain administrators? If you don't want to divulge specifics then 
percentages would work. For us we're at about 13 DA's / 13 SE's, although I 
think we should be closer to say, 4/13.



Comments?

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
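
The add-versus-replace question in this thread maps onto the two keys a Restricted Groups policy writes to the [Group Membership] section of a GPO's GptTmpl.inf: `__Members` enforces the listed membership of a group, while `__Memberof` adds the group to another one. The sketch below is an added example, not part of the original thread; the sample file, its SIDs and the function names are constructed for illustration.

```python
import re

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of the local Administrators group

# Constructed sample; the domain SID and RIDs 1105/1106/2001 are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,Administrator,*S-1-5-21-1111-2222-3333-1105
*S-1-5-21-1111-2222-3333-1106__Memberof = *S-1-5-32-555
*S-1-5-21-1111-2222-3333-1106__Members =
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            name, kind, value = m.groups()
            entry = groups.setdefault(name, {"members": [], "memberof": []})
            entry[kind.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def group_policy(groups, target):
    """Split the policy's effect on one target group into replace and add parts."""
    replace = groups.get(target, {}).get("members", [])
    add = [g for g, e in groups.items() if target in e["memberof"]]
    return {"replace_with": replace, "added_via_memberof": add}

def removed_on_refresh(current_members, policy):
    """Current members missing from a non-empty enforced list (dropped at refresh)."""
    if not policy["replace_with"]:
        return []  # empty or absent Members list: not interpreted by this sketch
    keep = {m.lower() for m in policy["replace_with"]}
    return [m for m in current_members if m.lower() not in keep]

if __name__ == "__main__":
    policy = group_policy(parse_group_membership(SAMPLE_INF), ADMINISTRATORS)
    current = ["*S-1-5-21-1111-2222-3333-512", "Administrator",
               "*S-1-5-21-1111-2222-3333-2001"]  # constructed local admin list
    print(policy, removed_on_refresh(current, policy))
```

Running the same comparison against a server's real local Administrators list before linking the GPO shows which existing admins the replace-style policy would remove.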