At one of my previous (outsourcing) jobs we had a policy of revoking all Domain Admin access and seeing who screamed. I would estimate less than 10% of them, on average, could justify the need. On one account, we reduced 157 Domain Admin accounts to 13, and that was in the NT4 days where delegating authority for certain tasks was a lot harder.
2009/3/26 David Lum <[email protected]> > In our case six would be plenty – with delegation I don’t even see us > needing even that many, but we do have some folks whose egos would have a > hard time having that permission removed, never mind the fact I could > probably remove 90% of them from the group and they’d never notice… > > *David Lum** **// *SYSTEMS ENGINEER > NORTHWEST EVALUATION ASSOCIATION > (Desk) 971.222.1025 *// *(Cell) 503.267.9764 > > *From:* Brian Desmond [mailto:[email protected]] > *Sent:* Thursday, March 26, 2009 1:52 AM > *To:* NT System Admin Issues > *Subject:* RE: How many domain admins do you have? > > > > *I usually go with a magic number of 6 as what I tell larger customers to > keep it <=. * > > * * > > *Not sure what your org looks like though so kind of shooting in the dark. > * > > * * > > *Thanks,* > > *Brian Desmond* > > *[email protected]* > > * * > > *c - 312.731.3132* > > * * > > *Active Directory, 4th Ed - http://www.briandesmond.com/ad4/* > > *Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian* > > * * > > *From:* David Lum [mailto:[email protected]] > *Sent:* Monday, March 23, 2009 10:47 AM > *To:* NT System Admin Issues > *Subject:* How many domain admins do you have? > > > > General poll: How many Systems Engineers do you guys have and how many of > them are domain administrators? If you don’t want to divulge specifics then > percentages would work. For us we’re at about 13 DA’s / 13 SE’s, although I > think we should be closer to say, 4/13. > > > > Comments? > > *David Lum** **// *SYSTEMS ENGINEER > NORTHWEST EVALUATION ASSOCIATION > (Desk) 971.222.1025 *// *(Cell) 503.267.9764 > > > > > > > > > > > > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
