Didn't see that one but I have worked with customers where they have a process to add and remove accounts on a temporary basis from those groups as needed.
Thanks, Brian Desmond [email protected] c - 312.731.3132 Active Directory, 4th Ed - http://www.briandesmond.com/ad4/ Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian From: Free, Bob [mailto:[email protected]] Sent: Thursday, March 26, 2009 1:01 PM To: NT System Admin Issues Subject: RE: How many domain admins do you have? Saw a presentation yesterday at TEC by a fellow who went from an environment like that to 0 for a very large financial org. 0 people in DA/EA/SA, that was very eye-opening for me as I thought we had done well to get down to less than 4. From: James Rankin [mailto:[email protected]] Sent: Thursday, March 26, 2009 7:08 AM To: NT System Admin Issues Subject: Re: How many domain admins do you have? At one of my previous (outsourcing) jobs we had a policy of revoking all Domain Admin access and seeing who screamed. I would estimate less than 10% of them, on average, could justify the need. On one account, we reduced 157 Domain Admin accounts to 13, and that was in the NT4 days where delegating authority for certain tasks was a lot harder. 2009/3/26 David Lum <[email protected]<mailto:[email protected]>> In our case six would be plenty - with delegation I don't even see us needing even that many, but we do have some folks whose egos would have a hard time having that permission removed, never mind the fact I could probably remove 90% of them from the group and they'd never notice... David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 From: Brian Desmond [mailto:[email protected]<mailto:[email protected]>] Sent: Thursday, March 26, 2009 1:52 AM To: NT System Admin Issues Subject: RE: How many domain admins do you have? I usually go with a magic number of 6 as what I tell larger customers to keep it <=. Not sure what your org looks like though so kind of shooting in the dark. Thanks, Brian Desmond [email protected]<mailto:[email protected]> c - 312.731.3132 Active Directory, 4th Ed - http://www.briandesmond.com/ad4/ Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian From: David Lum [mailto:[email protected]<mailto:[email protected]>] Sent: Monday, March 23, 2009 10:47 AM To: NT System Admin Issues Subject: How many domain admins do you have? General poll: How many Systems Engineers do you guys have and how many of them are domain administrators? If you don't want to divulge specifics then percentages would work. For us we're at about 13 DA's / 13 SE's, although I think we should be closer to say, 4/13. Comments? David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
