Re: Domain Admins Group -- Trying to trim membership
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Tue, 20 Jun 2006 22:35:13 -0700
"Tom Glasser" <TomGlasser@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7E31AF20-C60D-49F6-ABE6-F910B0A6E584@xxxxxxxxxxxxxxxx
I am being requested to analyze the current 15 - 20 members of the
Domain Admins group with the goal of reducing membership in this
group to an absolute minimum. But it seems at first blush that mem-
bership in this group is necessary to maintain various functionalities.
Is this a common problem in the Windows Server world? Anyone have
similar experiences to share or any advice on attacking this issue?
IMO it is an all too common problem in the world of the administration
of Windows Server. It is not inherent in Windows Server nor AD, but
in the ineffective use of the available capabilities.
Have each justify as to what the account is used for that requires
Domain Admin. Then, you will likely find 90% of that can be
accomplished with account that are not admin but have delegations,
and/or membership in custom groups that are used to receive other
grants (admin on client machine). If you really want to drive the
point home, then have each outline what else is done with the
account (beyond what they said as justification for its being a
Domain Admin) and then show the risks from those uses of the
accounts
.
- Prev by Date: Re: Domain Admins Group -- Trying to trim membership
- Next by Date: Re: Domain Admins Group -- Trying to trim membership
- Previous by thread: Re: Domain Admins Group -- Trying to trim membership
- Next by thread: Re: Windows update
- Index(es):
Relevant Pages
|
