It was a very thought-provoking presentation but in the end, that's
exactly what they were doing and it was actually the security guys who
did the work if it wasn't something that had been automated and
delegated. There has to be really a lot of process and testing wrapped
around it. Of course this comes at a rather high cost because of the
amount of work it takes to test and develop all that process. I asked
him what they did if something went awry on a DC and the AD folks had to
work on it and in that environment if it wasn't something that could be
fixed extremely easily by a pre-defined process, they just did a flatten
and reinstall. Since that process was all automated it took about 2 hrs
from bare metal to a prod DC.

He said they had just over 400 DCs and of them, ~140 were prod and all
the rest were for all the testing that had to take place to make it all
work.

From: Brian Desmond [mailto:[email protected]]
Sent: Thursday, March 26, 2009 11:12 AM
To: NT System Admin Issues
Subject: RE: How many domain admins do you have?

Didn't see that one but I have worked with customers where they have a
process to add and remove accounts on a temporary basis from those
groups as needed.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: Free, Bob [mailto:[email protected]]
Sent: Thursday, March 26, 2009 1:01 PM
To: NT System Admin Issues
Subject: RE: How many domain admins do you have?

Saw a presentation yesterday at TEC by a fellow who went from an
environment like that to 0 for a very large financial org. 0 people in
DA/EA/SA, that was very eye-opening for me as I thought we had done well
to get down to less than 4.

From: James Rankin [mailto:[email protected]]
Sent: Thursday, March 26, 2009 7:08 AM
To: NT System Admin Issues
Subject: Re: How many domain admins do you have?

At one of my previous (outsourcing) jobs we had a policy of revoking all
Domain Admin access and seeing who screamed. I would estimate less than
10% of them, on average, could justify the need. On one account, we
reduced 157 Domain Admin accounts to 13, and that was in the NT4 days
where delegating authority for certain tasks was a lot harder.

2009/3/26 David Lum <[email protected]>

In our case six would be plenty - with delegation I don't even see us
needing even that many, but we do have some folks whose egos would have
a hard time having that permission removed, never mind the fact I could
probably remove 90% of them from the group and they'd never notice...

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Brian Desmond [mailto:[email protected]]
Sent: Thursday, March 26, 2009 1:52 AM
To: NT System Admin Issues
Subject: RE: How many domain admins do you have?

I usually go with a magic number of 6 as what I tell larger customers to
keep it <=.

Not sure what your org looks like though so kind of shooting in the
dark.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: David Lum [mailto:[email protected]]
Sent: Monday, March 23, 2009 10:47 AM
To: NT System Admin Issues
Subject: How many domain admins do you have?

General poll: How many Systems Engineers do you guys have and how many
of them are domain administrators? If you don't want to divulge
specifics then percentages would work. For us we're at about 13 DA's /
13 SE's, although I think we should be closer to say, 4/13.

Comments?

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764