Absolutely, and in fact, the only Ent Admin IDs were in the root domain. I didn't add IDs from other domains. In all other domains the Enterprise Admins had only Domain Admin rights.
 
The ent admins are the same people as the dom admins in all of the domains. That is right, the same 3 analysts and one supervisor are the only ones holding DA and EA rights and in fact any rights to make direct changes on the DCs. There was AD delegation but it was limited to what local admins needed to do, and even if they rebooted a DC without being told to they got chewed out.
 
Basically the IDs were laid out like so (this isn't all of it but the main part)
 
5 regional account domains (2x NA, SA, AP, and EU) and an empty root (company.org). The admins were all located in one of the NA regional domains. Their normal user ID was kept in that domain. In every domain they had a domain admin ID. The root domain ID also had enterprise admin rights. The NA Domain Admins group was placed in the Administrators group of every account domain so that most of the daily work that required admin rights (read that as changes) was done from their NA admin ID. Most of their troubleshooting was done from their normal NA user ID. The root IDs were only used when they needed to make enterprise-level changes such as sites/subnets, etc.
 
I don't care what white paper says it is safe to have different domain admins who only have rights in their own domain while they are all in the same forest; they are wrong. Lucent put out a paper like that a long time ago and we beat the crap out of them over it.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

 " Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment). "
 
So I'm assuming that you have more than 1 Enterprise Admin in your root domain? Isn't that against all the white papers out there stating that you shouldn't have more than one Ent. Admin in your forest and all other admins should be Domain Admins in their own respective domain? Or did you use Enterprise Admin as a generic term?
 
Thanks,
Francis 
 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts....

Hi folks,
 
I was thinking the other day of the best way to secure Schema Admin and Enterprise Admin accounts. What would you do if you had "carte blanche" to secure sensitive accounts in an enterprise directory?
 
First things that came to mind were using mandatory smart cards for SA and EA accounts, kept in a safe where only designated employees knew the PINs.... Any other thoughts?
 
Thanks!
Francis Ouellet 
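The two threads above can be checked mechanically: Joe's layout (EA members living only in the root domain, and one home domain's Domain Admins group nested into the Administrators group of every account domain) and Francis's control (smart card required on SA/EA accounts). The script below is an added example, not code from anyone on the list. It assumes the RSAT ActiveDirectory module, a reader account that can enumerate group membership in every domain of the forest, and the domain name na1.company.org for the admins' home domain; that name and the Get-DomainFromDN helper are assumptions for illustration.

```powershell
# Added example (not from the thread). Audits a multi-domain forest against:
#  1. Enterprise/Schema Admins live only in the root domain and require a smart card
#  2. One home domain's "Domain Admins" is nested in every domain's "Administrators"
#  3. Who actually holds Domain Admin in each domain
# Assumes RSAT ActiveDirectory module; $adminHome is an assumed domain name.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain
$adminHome  = 'na1.company.org'     # assumption: NA domain whose DA group is nested everywhere

function Get-DomainFromDN {
    # "CN=joe,OU=Admins,DC=na1,DC=company,DC=org" -> "na1.company.org"
    # (assumes no escaped commas in the RDNs; fine for an audit of admin accounts)
    param([string]$DistinguishedName)
    (($DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
}

# --- 1. Forest-level admins: where do they live, and is a smart card enforced? ---
$forestAdmins = foreach ($groupName in 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $groupName -Server $rootDomain -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # Members may be FSPs from child domains, so query the member's own domain
            $memberDomain = Get-DomainFromDN $_.distinguishedName
            $user = Get-ADUser -Identity $_.distinguishedName -Server $memberDomain `
                               -Properties SmartcardLogonRequired, Enabled
            [pscustomobject]@{
                Group             = $groupName
                Account           = "$memberDomain\$($user.SamAccountName)"
                InRootDomain      = ($memberDomain -eq $rootDomain)   # Joe: should always be $true
                SmartcardRequired = $user.SmartcardLogonRequired     # Francis: should be $true
                Enabled           = $user.Enabled
            }
        }
}

"=== Forest-level admin accounts ==="
$forestAdmins | Format-Table -AutoSize

# Flag what deviates from the thread's model
$forestAdmins | Where-Object { -not $_.InRootDomain } |
    ForEach-Object { Write-Warning "$($_.Group) member outside root domain: $($_.Account)" }
$forestAdmins | Where-Object { $_.Enabled -and -not $_.SmartcardRequired } |
    ForEach-Object { Write-Warning "$($_.Group) member without smart card requirement: $($_.Account)" }

# --- 2 & 3. Per-domain: is the home DA group nested, and who is DA here? ---
$homeDA = Get-ADGroup -Identity 'Domain Admins' -Server $adminHome   # compare by SID, not name

$perDomain = foreach ($domain in $forest.Domains) {
    # Direct members of BUILTIN\Administrators; the nested foreign group shows up by its SID
    $directAdmins = Get-ADGroupMember -Identity 'Administrators' -Server $domain
    $nested = [bool]($directAdmins | Where-Object { $_.SID.Value -eq $homeDA.SID.Value })

    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Server $domain -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    [pscustomobject]@{
        Domain           = $domain
        HomeDANested     = $nested                    # Joe: $true in every account domain
        DomainAdminCount = @($domainAdmins).Count     # Joe: a handful, the same people everywhere
        DomainAdmins     = (@($domainAdmins).SamAccountName -join ', ')
    }
}

"=== Per-domain admin layout ==="
$perDomain | Format-Table -AutoSize

$perDomain | Where-Object { $_.Domain -ne $rootDomain -and -not $_.HomeDANested } |
    ForEach-Object { Write-Warning "$($_.Domain): '$adminHome' Domain Admins not nested in Administrators" }

# To enforce Francis's control on a flagged account, flip the flag on its own domain's DC.
# Shown with -WhatIf so running the audit never changes anything by itself:
$forestAdmins | Where-Object { $_.Enabled -and -not $_.SmartcardRequired } | ForEach-Object {
    $dom, $sam = $_.Account -split '\\', 2
    Set-ADUser -Identity $sam -Server $dom -SmartcardLogonRequired $true -WhatIf
}
```

Two points a practitioner would check when reading the output. First, the smart-card flag is the only part of Francis's idea a script can verify; the physical control (card in a safe, PIN known to named people) has to be audited by procedure, and an account whose flag is set but whose certificate is still on a card in someone's wallet is not what he described. Second, the per-domain table is where Joe's argument bites: a Domain Admin in any one of the account domains is one step away from the forest regardless of what the white papers say, so the right outcome of this audit is the same short list of names in every row.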
