Who are you calling "good corporate citizen"? We only have three (3) people with EA rights for an Enterprise with over 300,000 user accounts and 200 plus DCs.
Schema Admins is empty. Have to make a concentrated effort to populate that group. Saves us from Schema SNAFUs. So far (3 years) this plan has worked for us. Dan -----Original Message----- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Friday, February 25, 2005 1:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts.... I wouldn't give those rights to a group... Just one or two people in the group, and only after proper vetting. Vetting would include the usual background checks and "good corporate citizen"-type evaluations, as well as AD technical knowledge. Would you want them fixing an AD disaster in the middle of the night while you're asleep? Will they do the right thing, even when you're not looking? It really comes down to a matter of trust. -gil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil Sent: Friday, February 25, 2005 1:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts.... What do you do when you have an AD support group than need access to Enterprise Admin privs if you only have one Enterprise Admin? I know I wouldn't want to be the only guy with those privs in the middle of the night on a weekend when I'm not on call ;) Phil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, February 25, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts.... " Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment). " So I'm assuming that you have more than 1 Enterprise admin in your root domain? Isn't that agains't all the white papers out there stating that you shouldn't have more than one ent. admin. in your forest and all other admins should be domain admins in their own respective domain? Or did you use enterprise admin as a generic term? Thanks, Francis ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, February 25, 2005 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Some thoughts on securing sensitive accounts.... Hi folks, I'm was thinking the other day of the best way to secure schema and enterprise admin accounts. What would you do if you had "carte blanche" to secure sensitive accounts in an enterprise directory? First things that came to mind were using mandatory smart cards for SA and EA accounts kept in a safe where only designated employes knew the pins....Any other thoughts? Thanks! Francis Ouellet List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
