+1 on the separate accounts. We try to keep Domain Admins to as small a
number as possible and we don't allow anyone to use their Domain Admin
account to do "regular work" (such as email, web browsing, etc.).

Keeping the number of DAs to a minimum also minimizes the number of people
able to screw things up for everyone (not that any of us or our coworkers
would do that) and the number of people who have full access to everyone's
data, both on workstations and servers, including sensitive stuff that IT
doesn't need to see.

-Malcolm

-----Original Message-----
From: Salvador Manzo [mailto:[email protected]] 
Sent: Thursday, May 27, 2010 14:02
To: NT System Admin Issues
Subject: RE: What's your requirement to allow a user DA?

In addition, use Restricted Group GPOs as much as possible if distributed
local administration of machines is required.  Personally, I would go a step
further and separate admin level accounts of any kind from the normal,
day-to-day logins.  So, for example, at a minimum

Joe Employee
Jemployee (normal login, same user rights as everyone else on the network)
Jemployee_admin (elevated account, either Domain Admin or what have you)


This will reduce your exposure when doing things daily, but does require
that people not circumvent it in the name of "ease of use" (or, what I would
call laziness.)
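
The split-account convention above is easy to state and easy to drift from, so the following PowerShell, added here as an example and not part of the thread, audits the Domain Admins group against it: it expands nested groups, flags members whose names do not carry the `_admin` suffix Salvador uses, flags accounts that carry a mail attribute or a non-expiring password, and warns when the member count exceeds a ceiling. The suffix, the ceiling of 3 (taken from David's "2-3 DA accounts max"), and the use of the mail attribute as a proxy for a day-to-day account are all assumptions for illustration; the script needs the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example (not from the thread): audit Domain Admins against a
# dedicated-admin-account convention. Assumptions: "_admin" suffix, a ceiling
# of 3 members, and the mail attribute as a hint that an account is used for
# day-to-day work. Requires the ActiveDirectory module and read rights.
Import-Module ActiveDirectory

$MaxDomainAdmins = 3          # assumption: the "2-3 DA accounts max" figure
$AdminSuffix     = '_admin'   # assumption: Jemployee_admin naming convention

# -Recursive expands nested groups, so a user reached through a group that
# was itself added to Domain Admins still shows up in the list.
$members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName `
                   -Properties LastLogonDate, PasswordNeverExpires, EmailAddress
    })

$findings = foreach ($u in $members) {
    $issues = @()
    if ($u.SamAccountName -notlike "*$AdminSuffix") { $issues += 'not a dedicated admin account' }
    if ($u.EmailAddress)                            { $issues += 'has a mail attribute (day-to-day account?)' }
    if ($u.PasswordNeverExpires)                    { $issues += 'password never expires' }
    if (-not $u.Enabled)                            { $issues += 'disabled but still a member' }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        LastLogonDate  = $u.LastLogonDate
        Issues         = ($issues -join '; ')
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize

if ($members.Count -gt $MaxDomainAdmins) {
    Write-Warning ("Domain Admins has {0} user members; target is {1}." -f `
        $members.Count, $MaxDomainAdmins)
}
```

Run it from a scheduled task or as a periodic check; the list it prints is also the set of accounts you would pin down in a Restricted Groups GPO so that anything added by hand is removed at the next policy refresh.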

-----Original Message-----
From: Phil Brutsche [mailto:[email protected]]
Sent: Thursday, May 27, 2010 11:55 AM
To: NT System Admin Issues
Subject: Re: What's your requirement to allow a user DA?

My thoughts:

No domain admins unless there is no other way to do what you need to.

If they need to do AD administration, use LDAP OU ACLs aka delegation.

They should only get permissions delegated to them if AD management is part
of their duties.

On 5/27/2010 1:39 PM, David Lum wrote:
> What are your guys' prerequisites on someone having a Domain Admin
> account - assume a medium or large company and 4-5+ Systems Engineers.
> Previously here they've just had every new SE hire be domain admin, I'm
> thinking it's time to change that practice but I'll need some ammo and a
> plan before I have any hope of changing this.
> 
> My thinking is along the line of "need to know what's going on in this AD
> structure" as well as being proficient in all things AD, etc.
> 
> Thoughts, comments? I'm thinking there should only be 2-3 DA accounts max
> per domain.

-- 

Phil Brutsche
[email protected]
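
Phil's "LDAP OU ACLs aka delegation" in practice means writing access control entries on an OU rather than adding people to Domain Admins. The PowerShell below is an added example, not code from anyone on the thread: it grants one group the Reset Password control access right, plus write access to pwdLastSet (so the delegate can force a change at next logon), on user objects beneath a single OU. The OU distinguished name and group name are assumptions for illustration; the two schema GUIDs are the standard ones for the Reset Password right, the user class and the pwdLastSet attribute. It needs the ActiveDirectory module (which provides the AD: drive) and rights to modify the OU's security descriptor.

```powershell
# Added example (not from the thread): delegate password reset on one OU to a
# helpdesk group instead of granting Domain Admins. OU DN and group name are
# assumptions; the GUIDs are the well-known schema GUIDs for the
# "Reset Password" right, the "user" class and the pwdLastSet attribute.
Import-Module ActiveDirectory

$OuDn     = 'OU=Workstation Users,DC=corp,DC=example,DC=com'   # assumption
$GroupSam = 'Helpdesk-PasswordReset'                           # assumption

$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$sid = (Get-ADGroup -Identity $GroupSam).SID
$acl = Get-Acl -Path "AD:\$OuDn"

# ACE 1: ExtendedRight "Reset Password", inherited only by descendant user
# objects. Nothing is granted on the OU itself or on non-user objects.
$resetAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)

# ACE 2: write pwdLastSet on the same scope, which is what "user must change
# password at next logon" toggles after a reset.
$pwdLastSetAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $PwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)

$acl.AddAccessRule($resetAce)
$acl.AddAccessRule($pwdLastSetAce)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list the ACEs the group now holds on this OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupSam" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Scope the delegation to the OU that actually holds the accounts the delegate supports; a delegation set at the domain root, or one that includes the OU where the `_admin` accounts live, lets the helpdesk reset an administrator's password, which is a shortcut to Domain Admin.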


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~