Totally agree, but in very large environments that group of trusted admins is going to have to be more than just one guy. I think 2 or 3 guys (depending on the size of the environment) is a pretty reasonable number provided that they are admins you can trust with that level of access.
And to answer Francis' next comment, I would never create a generic account with EA privs. I want to be able to track who did what if I have to comb through the logs after something happened and when you have a generic account how do you know for sure that Bob Smith was the one that logged in if 3 or 4 people all have access to the same username/password? If you are going to have more than one person with that level of access then create an ID for each of them (separate from their general AD login). Phil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Friday, February 25, 2005 3:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts.... I wouldn't give those rights to a group... Just one or two people in the group, and only after proper vetting. Vetting would include the usual background checks and "good corporate citizen"-type evaluations, as well as AD technical knowledge. Would you want them fixing an AD disaster in the middle of the night while you're asleep? Will they do the right thing, even when you're not looking? It really comes down to a matter of trust. -gil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil Sent: Friday, February 25, 2005 1:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts.... What do you do when you have an AD support group than need access to Enterprise Admin privs if you only have one Enterprise Admin? I know I wouldn't want to be the only guy with those privs in the middle of the night on a weekend when I'm not on call ;) Phil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, February 25, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts.... " Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment). " So I'm assuming that you have more than 1 Enterprise admin in your root domain? Isn't that agains't all the white papers out there stating that you shouldn't have more than one ent. admin. in your forest and all other admins should be domain admins in their own respective domain? Or did you use enterprise admin as a generic term? Thanks, Francis ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, February 25, 2005 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Some thoughts on securing sensitive accounts.... Hi folks, I'm was thinking the other day of the best way to secure schema and enterprise admin accounts. What would you do if you had "carte blanche" to secure sensitive accounts in an enterprise directory? First things that came to mind were using mandatory smart cards for SA and EA accounts kept in a safe where only designated employes knew the pins....Any other thoughts? Thanks! Francis Ouellet List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
