In addition, use Restricted Group GPOs as much as possible if distributed local administration of machines is required. Personally, I would go a step further and separate admin level accounts of any kind from the normal, day-to-day logins. So, for example, at a minimum:

Joe Employee
    Jemployee (normal login, same user rights as everyone else on the network)
    Jemployee_admin (elevated account, either Domain Admin or what have you)

This will reduce your exposure when doing things daily, but does require that people not circumvent it in the name of "ease of use" (or, what I would call laziness.)

-----Original Message-----
From: Phil Brutsche [mailto:[email protected]]
Sent: Thursday, May 27, 2010 11:55 AM
To: NT System Admin Issues
Subject: Re: What's your requirement to allow a user DA?

My thoughts:

No domain admins unless there is no other way to do what you need to.

If they need to do AD administration, use LDAP OU ACLs aka delegation. They should only get permissions delegated to them if AD management is part of their duties.

On 5/27/2010 1:39 PM, David Lum wrote:
> What are your guys' prerequisites on someone having a Domain Admin
> account - assume a medium or large company and 4-5+ Systems Engineers.
> Previously here they've just had every new SE hire be domain admin, I'm
> thinking it's time to change that practice but I'll need some ammo and a
> plan before I have any hope of changing this.
>
> My thinking is along the line of "need to know what's going in this AD
> structure" as well as being proficient in all things AD, etc.
>
> Thoughts comments? I'm thinking there should only be 2-3 DA accounts max
> per domain max.

--
Phil Brutsche
[email protected]

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
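An added audit script, not part of the thread, that checks the Domain Admins group against the two practices argued for above: dedicated `_admin` accounts separate from daily logins, and a small fixed ceiling on membership. The `_admin` suffix and the ceiling of 3 are taken from the thread; the RSAT ActiveDirectory module and domain read access are assumed.

```powershell
# Added example (not from the thread): audit Domain Admins membership.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
# "_admin" suffix and ceiling of 3 come from the discussion above; adjust
# both to your own naming convention and policy.
Import-Module ActiveDirectory

$AdminSuffix     = '_admin'
$MaxDomainAdmins = 3

# -Recursive expands nested groups so indirect members are caught as well.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate }

$report = foreach ($m in $members) {
    $sam       = $m.SamAccountName
    $isBuiltIn = ($sam -eq 'Administrator')
    $follows   = $isBuiltIn -or $sam.ToLower().EndsWith($AdminSuffix)

    # If the convention is followed, a matching day-to-day twin should exist
    # (jemployee for jemployee_admin); its absence suggests the DA account
    # is the person's only, and therefore daily, login.
    $twinExists = $null
    if ($follows -and -not $isBuiltIn) {
        $twin = $sam.Substring(0, $sam.Length - $AdminSuffix.Length)
        $twinExists = [bool](Get-ADUser -Filter "SamAccountName -eq '$twin'")
    }

    [pscustomobject]@{
        SamAccountName    = $sam
        Enabled           = $m.Enabled
        LastLogonDate     = $m.LastLogonDate
        FollowsConvention = $follows
        DailyTwinExists   = $twinExists
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize

# Findings a reviewer would act on.
$report | Where-Object { -not $_.FollowsConvention -or $_.DailyTwinExists -eq $false } |
    ForEach-Object {
        Write-Warning "DA member '$($_.SamAccountName)' is not a dedicated $AdminSuffix account with a separate daily login."
    }

if (@($report).Count -gt $MaxDomainAdmins) {
    Write-Warning "Domain Admins has $(@($report).Count) user members; the suggested ceiling is $MaxDomainAdmins."
}
```

Run it read-only from a workstation with RSAT; it changes nothing and only reports accounts that break the separation, so the output can feed the "ammo" the original poster asked for.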
