Re: Domain Admins Group -- Trying to trim membership
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Tue, 20 Jun 2006 19:36:15 -0400
What specific issues are you running into?
I took a DA group that had over 100 members and trimmed it to three analysts and a manager all sitting within 15 feet of each other with users and DCs all over the world. This was in a Fortune 5 company with ~375 DCs and 250,000 users, 100k or so groups, hundreds of thousands of machines, etc.
Trimming down is going to require processes to change and admins to become more knowledgeable about what they are doing. It may also mean that the folks who are DAs will pick up some additional responsibilities. However, it shouldn't be overwhelming though you may get death threats. I removed my address from the GAL for some time when I was doing it because people all over the world were telling me they couldn't do their job without that access. It was all crap of course and once I scoped that down to the 3 people our Domain Issues pretty much all disappeared and now that group does 99.99% requests and very rarely is actually fixing things.
The first question I ask when going into a location that has too many DAs is who are the 3-5 people who will be fixing the forest when *** really hits the fan? Those are the people who get the DA and EA accounts. Everyone else gets normal user accounts with delegated rights and no permissions to the DCs whatsoever. You work through the things that the non-Admins need to do and make sure it makes sense. For instance, if someone has to add drivers to a DC, make them an Enterprise Admin if you are going to allow it because regardless of what you give them, changing/adding core level system binaries means they can do whatever they want anyway. If there is something that absolutely must be done by a DA, the 3-5 people get the task and whoever used to do it requests it from them. This is generally a small pool of tasks and if you just left it at that, your 3-5 DAs wouldn't have much to do. And in fact, the DAs at the company I mentioned before are some of the calmest, coolest, most relaxed DAs I have met in the last 3 or so years of meeting big enterprise DAs. I go to lunch with them on a regular basis for lunches that go several hours and their pagers never go off. They VERY rarely have issues outside of 9-5 to deal with as well.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Tom Glasser wrote:
I am being requested to analyze the current 15 - 20 members of the
Domain Admins group with the goal of reducing membership in this
group to an absolute minimum. But it seems at first blush that
membership in this group is necessary to maintain various functionalities.
Is this a common problem in the Windows Server world? Anyone have
similar experiences to share or any advice on attacking this issue?
Thanks!
Tom