Exactly the layout we had except we had to give a supervisor EA rights as
well so there was a total of 4 people with rights with 250k users and about
400 DCs. He was really good about not changing things though. I have a great
story where one time he actually did add something and within a few hours I
stumbled upon it and yelled out across the office (he was about 3 cubes
over, we were all within that space for one easy grenade shot) something
like "Vern, did you create such and such an object at such and such a point
in the AD?". Response back was something like.... "umm yeah, what did I do
wrong?"

Generally, the smaller the company, I think the less need for Enterprise
Admins in a daily or even weekly capacity. You get down to really small
companies, say 1000 people or less, and how many core AD infrastructure
changes that require ent admins are there? So maybe there is more and
more reason to lock up the Ent Admin ID entirely. The larger companies tend
to constantly be folding up locations or adding new locations, so the overall
AD infrastructure is always in a state of flux. These changes can be
delegated off, but the question comes down to... Do you really want to?
Changes in this area can have dramatic impact on your replication. I liked
the fact that every site and subnet that needed to be created came through
our group so we could review it to make sure it made sense. There were often
times when someone wanted to define 50-60 subnets for a site when a couple
of subnets would actually do, simply because they didn't understand that the
masking of the clients didn't have to be followed in AD.

joe

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gilbert, Daniel L
Mr ANOSC/FCBS
Sent: Friday, February 25, 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

Who are you calling "good corporate citizen"?

We only have three (3) people with EA rights for an Enterprise with over
300,000 user accounts and 200 plus DCs.

Schema Admins is empty.  Have to make a concentrated effort to populate that
group.  Saves us from Schema SNAFUs.

So far (3 years) this plan has worked for us.

Dan
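
Added example, not code from any poster in this thread: a PowerShell audit that checks the practices joe and Dan describe (Enterprise Admins held by a handful of named people, Schema Admins left empty outside a schema change window) and, picking up Francis's original question, whether those accounts have "Smart card is required for interactive logon" set. It assumes the RSAT ActiveDirectory module on a host that can reach the forest root domain; the group names are the built-in ones, and the member limit of 4 is an assumption taken from joe's team size.

```powershell
# Audit forest-root privileged groups (added example; assumptions noted inline).
#Requires -Modules ActiveDirectory
param(
    # Assumed policy limit: joe's 3 admins plus 1 supervisor.
    [int]$MaxEnterpriseAdmins = 4
)

# Enterprise Admins and Schema Admins live in the forest root domain, so query it
# explicitly rather than whatever domain this host happens to be joined to.
$rootDomain = (Get-ADForest).RootDomain

function Get-PrivilegedMembers {
    param([string]$GroupName)
    # -Recursive flattens nested groups so an admin hidden behind a nested group
    # still shows up in the count.
    Get-ADGroupMember -Identity $GroupName -Server $rootDomain -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Server $rootDomain `
                -Properties SmartcardLogonRequired, LastLogonDate
        }
}

$findings = @()

$ea = @(Get-PrivilegedMembers 'Enterprise Admins')
if ($ea.Count -gt $MaxEnterpriseAdmins) {
    $findings += "Enterprise Admins has $($ea.Count) members (limit $MaxEnterpriseAdmins): " +
                 ($ea.SamAccountName -join ', ')
}

# Dan's practice: the group is empty until someone deliberately populates it.
$sa = @(Get-PrivilegedMembers 'Schema Admins')
if ($sa.Count -gt 0) {
    $findings += "Schema Admins should be empty outside a schema change window but contains: " +
                 ($sa.SamAccountName -join ', ')
}

# Francis's question: are the sensitive accounts actually smart-card only?
$all = $ea + $sa | Sort-Object DistinguishedName -Unique
foreach ($u in $all) {
    if (-not $u.SmartcardLogonRequired) {
        $findings += "$($u.SamAccountName) holds EA/SA rights without smart card required for logon"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Privileged group audit passed: $($ea.Count) EA, $($sa.Count) SA, all smart-card enforced."
```

Run it from a scheduled task under a read-only account and route the warnings to whatever the team already watches; a non-zero exit is the signal that someone did a "Vern" and added something outside the agreed process.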

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Friday, February 25, 2005 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

I wouldn't give those rights to a group... Just one or two people in the
group, and only after proper vetting. Vetting would include the usual
background checks and "good corporate citizen"-type evaluations, as well as
AD technical knowledge.

Would you want them fixing an AD disaster in the middle of the night while
you're asleep? Will they do the right thing, even when you're not looking?
It really comes down to a matter of trust.

-gil

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Friday, February 25, 2005 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

What do you do when you have an AD support group that needs access to
Enterprise Admin privs if you only have one Enterprise Admin? I know I
wouldn't want to be the only guy with those privs in the middle of the night
on a weekend when I'm not on call ;)

Phil 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts....

 " Then you have your actual Enterprise Admins and that should be a small
group, maybe 2-5 people depending on your size (I worked on a team of 3
people and supervisor for a 250,000 user deployment). "
 
So I'm assuming that you have more than 1 Enterprise admin in your root
domain? Isn't that against all the white papers out there stating that you
shouldn't have more than one ent. admin. in your forest and all other admins
should be domain admins in their own respective domain? Or did you use
enterprise admin as a generic term?
 
Thanks,
Francis

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts....


Hi folks,
 
I was thinking the other day of the best way to secure schema and
enterprise admin accounts. What would you do if you had "carte blanche"
to secure sensitive accounts in an enterprise directory?
 
First things that came to mind were using mandatory smart cards for SA and
EA accounts kept in a safe where only designated employees knew the
PINs.... Any other thoughts?
 
Thanks!
Francis Ouellet

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/