RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread joe
Generally you shouldn't need a "schema admin" account. During your normal running state, there should be no reason to have anyone in that group. You definitely don't want to have some generic ID with that access as I don't believe in managing the directory like that from generic "function

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Francis Ouellet
"Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment)." So I'm assuming that you have more than 1 Enterprise admin in your root domain? Isn't that

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Renouf, Phil
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, February 25, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts Then you have your actual Enterprise Admins and that should be a small group

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Francis Ouellet
février 2005 15:21 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts What do you do when you have an AD support group that needs access to Enterprise Admin privs if you only have one Enterprise Admin? I know I wouldn't want to be the only guy

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Gil Kirkpatrick
@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts What do you do when you have an AD support group that needs access to Enterprise Admin privs if you only have one Enterprise Admin? I know I wouldn't want to be the only guy with those privs in the middle

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Coleman, Hunter
Ouellet Sent: Friday, February 25, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts "Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread joe
thoughts on securing sensitive accounts "Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment)." So I'm assuming that you have more than 1

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Creamer, Mark
of hours automatically mc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, February 25, 2005 3:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts How about a generic ent

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread joe
, 2005 3:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts How about a generic ent. Admin account? One with an obscure name and 10 foot password? Only selected support/admin people have the password? Just thinking out loud here

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Renouf, Phil
Kirkpatrick Sent: Friday, February 25, 2005 3:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts I wouldn't give those rights to a group... Just one or two people in the group, and only after proper vetting. Vetting would include the usual

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Gilbert, Daniel L Mr ANOSC/FCBS
) this plan has worked for us. Dan -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Friday, February 25, 2005 1:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts I wouldn't give those rights to a group... Just

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Francis Ouellet
2005 15:37 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts Totally agree, but in very large environments that group of trusted admins is going to have to be more than just one guy. I think 2 or 3 guys (depending on the size

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Francis Ouellet
this. Truly appreciated! Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gilbert, Daniel L Mr ANOSC/FCBS Sent: 25 février 2005 15:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts Who are you

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread joe
To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts Who are you calling good corporate citizen? We only have three (3) people with EA rights for an Enterprise with over 300,000 user accounts and 200 plus DCs. Schema Admins is empty. Have

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Rick Kingslan
@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts Some of that is semantics. If you have only one Enterprise admin account, and only one person who knows the credentials for that account, then there are some large organizational risks if something happens