Amen. I have a DA account myself just so even I'm not a DA per se. I wish I could get it across to the SE team that they should follow suit, but nobody's pushing them and I don't have enough clout.
"As usual, the boss of the helpdesk (and his golf buddies) think that change = interruptions to support"

Oh good GOD!! I swear this is how 90% of my org is - including the IS management! We postponed outsourcing Exchange (we've even signed the contract and paid money) to JANUARY because of this very thinking!! Dude, it's a WEEKEND CUTOVER with professionals on either side of the fence.

...this is also why SEs are reluctant to fix their own Domain Admin roles, or even roll out a 2008 DC, or 2008 server OS for that matter. Oh wait, that's just because it's change and they aren't driven to learn a new server OS. While it's true that many times change is responsible for downtime, I'll trade a short amount of scheduled downtime with pros already "at the ready" over the potential of security risks or "there might be downtime...or not".

Dave

From: Alan Davies [mailto:[email protected]]
Sent: Thursday, September 30, 2010 7:03 AM
To: NT System Admin Issues
Subject: RE: Restricting groups in Active Directory

Except for DCs ... but hopefully that can be managed with a secondary account for a couple of staff only! ;o)

+1000 for having under 5 DAs in any domain! Ridiculous power trip on every occasion with even non-operations managers wanting to be in there as a sign of "seniority"!

a

________________________________
From: David Lum [mailto:[email protected]]
Sent: 30 September 2010 14:23
To: NT System Admin Issues
Subject: RE: Restricting groups in Active Directory

Ask why they need to be domain admins and not just have the necessary permissions delegated. My Service Desk guys were domain admins from the day they started (in some cases years) and they insisted they needed to be domain admins to do x, y and z. Oddly, I was able to delegate the necessary functions and they haven't been domain admins for many months now.
The Win2K servers were sticky since they don't have a "Remote Desktop Users" group, but restricted groups helped me out there - they're local admins on Win2K Server boxes but not domain admins. You can make them local admins of servers without them being domain admins, and using GPOs you'll be able to track who is admin on what instead of going to each machine one by one. No clue if this would help what you're fighting though....

Dave

************************************************************************************
WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies.
"CLS Services Ltd | Registered in England No 4132704 | Registered Office: Exchange Tower | One Harbour Exchange Square | London E14 9GE"

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
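The pattern David describes (a small Domain Admins group, helpdesk staff made local administrators on servers through Restricted Groups rather than through DA) is easy to let drift. The following PowerShell audit is an added example, not code from anyone in this thread: it counts Domain Admins against the "under 5" rule of thumb, flags helpdesk accounts that are also Domain Admins, and checks each server's local Administrators group for the helpdesk group that the Restricted Groups GPO is supposed to put there. The server names, the `CORP\Service Desk` group and the threshold are placeholders; it assumes the RSAT ActiveDirectory module, WinRM access to the servers, and Windows Server 2016 or later on the targets (`Get-LocalGroupMember` does not exist on Win2K, where you would still have to look at each box or use `net localgroup`).

```powershell
# Added example (not from the thread): audit Domain Admins head-count and
# check that helpdesk rights on member servers come from local Administrators
# membership (what Restricted Groups enforces) rather than from Domain Admins.
# Assumptions: RSAT ActiveDirectory module installed; WinRM enabled on targets;
# run as an account that can read AD groups and the servers' local groups.

Import-Module ActiveDirectory

# Thread's rule of thumb: fewer than 5 Domain Admins per domain.
$MaxDomainAdmins = 5

# Placeholder server list and the domain group that should be local admin on them.
$Servers       = @('SRV01', 'SRV02')
$HelpdeskGroup = 'CORP\Service Desk'   # placeholder DOMAIN\group

# 1. Enumerate Domain Admins, expanding nested groups, and flag the head count.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique

Write-Host ("Domain Admins ({0}): {1}" -f $domainAdmins.Count, ($domainAdmins -join ', '))
if ($domainAdmins.Count -ge $MaxDomainAdmins) {
    Write-Warning "Domain Admins has $($domainAdmins.Count) members; target is under $MaxDomainAdmins."
}

# 2. Flag helpdesk staff who also sit in Domain Admins: they should get server
#    rights through local Administrators (via Restricted Groups), not through DA.
$helpdeskName    = $HelpdeskGroup.Split('\')[1]
$helpdeskMembers = Get-ADGroupMember -Identity $helpdeskName -Recursive |
    Select-Object -ExpandProperty SamAccountName
$overPrivileged = $helpdeskMembers | Where-Object { $domainAdmins -contains $_ }
foreach ($user in $overPrivileged) {
    Write-Warning "$user is in '$helpdeskName' AND Domain Admins; delegate the needed rights instead."
}

# 3. On each server, read the local Administrators group remotely and report
#    whether the helpdesk group is present (i.e. the Restricted Groups policy
#    has actually applied) and who else is in there.
foreach ($server in $Servers) {
    try {
        $localAdmins = Invoke-Command -ComputerName $server -ScriptBlock {
            # Name comes back as DOMAIN\account or COMPUTER\account.
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object -ExpandProperty Name
        } -ErrorAction Stop
    } catch {
        Write-Warning "${server}: could not read local Administrators ($($_.Exception.Message))"
        continue
    }

    $hasHelpdesk = $localAdmins -contains $HelpdeskGroup
    $status = if ($hasHelpdesk) { 'OK' } else { 'DRIFT' }
    Write-Host ("{0,-10} {1,-6} local Administrators: {2}" -f $server, $status, ($localAdmins -join ', '))
    if (-not $hasHelpdesk) {
        Write-Warning "${server}: '$HelpdeskGroup' missing from local Administrators; check the Restricted Groups GPO applied."
    }
}
```

Run it from a management host on a schedule and keep the output; the DRIFT lines are the servers where someone has either bypassed the GPO or where it never applied, and the "helpdesk AND Domain Admins" warnings are the accounts to move into a delegated role.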
