Re: Accountability of Domain Admins
From: Robert Moir (bofh_at_mvps.org)
Date: 01/25/04
- Previous message: Krish Shenoy[MSFT]: "Re: User password List"
- In reply to: Joe Richards [MVP]: "Re: Accountability of Domain Admins"
- Next in thread: Roger Abell: "Re: Accountability of Domain Admins"
- Reply: Roger Abell: "Re: Accountability of Domain Admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 25 Jan 2004 22:01:39 -0000
Joe Richards [MVP] wrote:
> And another response I thought of after the first...
>
> Make your domains more like a single deity or a holy trinity setup,
> not like a Greek or Roman deity set up.
>
> As an aside to support Roger and Robert's posts. I am part of a team
> of three domain admins that run an AD composed of 9 domains and
> 250,000 users and about 400 domain controllers globally located...
> Yes, we have three domain admins... holy trinity. It can be done and
> it works very well. All major day to day admin work is delegated to
> beings with lesser power. :op
It all depends on the mind-set the network is set up with. I've come from a
background working with mainframes and suchlike where you just didn't have
the root type accounts logged in no matter what.
I've known some setups where the root level admin accounts had 2 passwords
and people could only ever know one of the two, but that really is going too
far for the average SME business' network.
It can take time to set something like that up, and if people don't
appreciate that mind-set then they won't see it as time well spent. It's a
shame.
Rob
- Previous message: Krish Shenoy[MSFT]: "Re: User password List"
- In reply to: Joe Richards [MVP]: "Re: Accountability of Domain Admins"
- Next in thread: Roger Abell: "Re: Accountability of Domain Admins"
- Reply: Roger Abell: "Re: Accountability of Domain Admins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
