Re: Domain Admins Group -- Trying to trim membership
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Jun 2006 14:32:09 -0500
Well hopefully Uncle Joe will reply also as he is one of the world experts
on this topic. My two cents is that the risk of a misconfiguration or
security breach rises almost exponentially with the number of domain admins
you have so it makes sense to have a rather small group of only the most
very trusted and competent people being domain admins.
In general almost all Active Directory management tasks can be delegated to
a qualified regular domain user by managing AD object permissions. Such
tasks could be creating and managing user and computers accounts, creating
and managing groups, creating and managing OUs, and editing Group Policy. Of
course there are things that only domain level administrators can do but
those tasks such as managing privileged users/group, fsmos, global catalog
servers, installing hardware/software on domain controllers, dcpromoing a
server, installing a Certificate Authority, etc. usually are not done every
day or even every week and domain admins need something to do. An existing
domain controller can also be dcpromoed to a regular server if you need non
domain admins to service it. In a larger network I would think that domain
controllers are only domain controllers running DNS and not also a print,
file, DHCP/wins, or remote access server which make it easier to not want to
allow other users to configure. There is a group called DNS administrators
you can add users to if you need them to manage DNS and not be a domain
level administrator. The white paper in the link below may be helpful. ---
Steve
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
"Tom Glasser" <TomGlasser@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7E31AF20-C60D-49F6-ABE6-F910B0A6E584@xxxxxxxxxxxxxxxx
I am being requested to analyze the current 15 - 20 members of the
Domain Admins group with the goal of reducing membership in this
group to an absolute minimum. But it seems at first blush that mem-
bership in this group is necessary to maintain various functionalities.
Is this a common problem in the Windows Server world? Anyone have
similar experiences to share or any advice on attacking this issue?
Thanks!
Tom
.
- Follow-Ups:
- Re: Domain Admins Group -- Trying to trim membership
- From: Joe Richards [MVP]
- Re: Domain Admins Group -- Trying to trim membership
- Prev by Date: Event after Join
- Next by Date: Re: Windows update
- Previous by thread: Event after Join
- Next by thread: Re: Domain Admins Group -- Trying to trim membership
- Index(es):
Relevant Pages
|
|
