The only people I give it to are the guys who actually own the AD service. That would be the people that support your domain controllers. Everything else gets delegated. Sometimes a team manager gets it depending on the organizational structure, but it varies by organization.

There's a really good post on Joe Richards' blog actually about his prerequisites to giving it to someone when he owned AD for a big corp. I'm on the plane right now so I can't find it. In general though I'd expect the person to have a solid understanding of the environment before they got the keys to the kingdom plus a solid understanding of the service they're going to support (AD) and the risks that come along with their new access.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132

From: David Lum [mailto:[email protected]]
Sent: Thursday, May 27, 2010 1:39 PM
To: NT System Admin Issues
Subject: What's your requirement to allow a user DA?

What are you guys' prerequisites on someone having a Domain Admin account - assume a medium or large company and 4-5+ Systems Engineers. Previously here they've just had every new SE hire be domain admin, I'm thinking it's time to change that practice but I'll need some ammo and a plan before I have any hope of changing this. My thinking is along the line of "need to know what's going in this AD structure" as well as being proficient in all things AD, etc.

Thoughts, comments? I'm thinking there should only be 2-3 DA accounts max per domain.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
