My thoughts:

No domain admins unless there is no other way to do what you need to.

If they need to do AD administration, use LDAP OU ACLs aka delegation.

They should only get permissions delegated to them if AD management is
part of their duties.

On 5/27/2010 1:39 PM, David Lum wrote:
> What are you guys' prerequisites on someone having a Domain Admin
> account – assume a medium or large company and 4-5+ Systems Engineers.
> Previously here they’ve just had every new SE hire be domain admin, I’m
> thinking it’s time to change that practice but I’ll need some ammo and a
> plan before I have any hope of changing this.
> 
> My thinking is along the line of “need to know what’s going in this AD
> structure” as well as being proficient in all things AD, etc.
> 
> Thoughts, comments? I’m thinking there should only be 2-3 DA accounts max
> per domain.

-- 

Phil Brutsche
[email protected]
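
One way to apply the OU delegation suggested in the reply above, as an added example that is not part of the original message: it grants a group the "Reset Password" right on user objects under a single OU instead of adding its members to Domain Admins. The OU `OU=Staff,DC=example,DC=com` and the group `Helpdesk-Staff` are assumed names, and the script assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example, not from the original thread.
# Assumed names: OU=Staff,DC=example,DC=com and the group Helpdesk-Staff.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=example,DC=com'      # assumed OU to delegate on
$group = Get-ADGroup -Identity 'Helpdesk-Staff'   # assumed delegate group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known directory GUIDs
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right

# Allow ACE: Reset Password only, only on user objects below the OU
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

# Read the OU's ACL, append the ACE, write it back
$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Review what the group now holds on this OU
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType

# Review who is still a Domain Admin, including nested membership
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object SamAccountName, objectClass
```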

