
TOPIC: Multiple Domain Administrator Accounts

Multiple Domain Administrator Accounts 6 years 5 months ago #34872

  • skepticals
Just curious how others assign domain user accounts. Currently all the techs here share the domain administrator account and password. Our personal accounts also have domain admin rights.

This doesn't help me log who does what.
This doesn't seem right to have the users run with domain admin rights.

Would it make more sense to have each user given a UserAccount and a UserAccountAdmin?

What are the best practices?
The administrator has disabled public write access.

Re: Multiple Domain Administrator Accounts 6 years 5 months ago #34881

  • Bublitz
Personally I don't ever log in as domain administrator. If you want all the techs to have admin rights, just add their accounts to the domain admins group; then you can see what's going on.

So change the domain admin user and pass so only you and maybe 1 more person know.

If I'm doing AD schema updates, I add my user to enterprise admins and schema admins, do my work, then remove myself from those groups.

We're a small organization (3 IT staff total), but bigger ones probably don't allow everyone to be in that group. They have groups and roles set up for whatever task that tech does.

This can be done by having a good AD OU structure. You can make "role groups" and add users to those groups. Then delegate controls and permissions by right-clicking in AD Users and Computers and running the Delegate Control wizard. Then that tech can have certain permissions assigned by you over those objects, whether they are users or computers or servers etc.
The Bublitz
Systems Admin
Hospice of the Red River Valley

Re: Multiple Domain Administrator Accounts 6 years 5 months ago #34895

  • skepticals
Thanks for the information. I will probably go with adding them to the domain admin group.

Re: Multiple Domain Administrator Accounts 6 years 5 months ago #34898

  • JamieP
I've worked as a Windows Admin on domains with 50000+ users, and IT departments of maybe 500+, so in that environment it is not a very good idea to have everyone as a domain admin, and in fact, there really isn't any need for everyone to have a DA account.

Microsoft recommend no more than 6 accounts should have Domain Admin access.

The way to go in regards to providing staff with access is RBA - Role Based Admin. It takes a lot of setting up, but can be very powerful in terms of granting different levels of access.

It is done by creating a lot of security groups for each different type of access someone might need, i.e. you might create groups for:

exchange admin
file server admin
print server admin
user account admin
IT Accounts admin

etc... Once you have created all your groups for the different levels of permissions you want, you can group them together in a nested group, i.e. 1st line, 2nd line, 3rd line, etc...

The great thing about this system is you can be as granular as you like, i.e. you could create a group called "file server admin" which has admin rights over all fileservers, or you could create an admin group for each server i.e. "filesvr001 admin" "filesvr002 admin".

You just have to be careful you do not take it too far and end up with 1000 different groups and forget what they all do, and end up giving people domain admin access because you can't work it all out.

hope that makes sense, give me a shout if you want any more info
Jamie Parks
Network Engineer, UK
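
The role groups, nested tier groups and Domain Admins head count discussed in the posts above, as an added PowerShell example that is not part of the thread. The OU path, group names and role-to-tier mapping are assumptions, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the thread. OU path, group names and tier mapping are assumptions.
Import-Module ActiveDirectory

$RoleOU = 'OU=Role Groups,DC=example,DC=com'   # hypothetical OU that must already exist

# Role groups named in the post, mapped to the tier groups that receive them (assumed mapping).
$Roles = [ordered]@{
    'Exchange-Admin'    = @('3rd-Line')
    'FileServer-Admin'  = @('2nd-Line', '3rd-Line')
    'PrintServer-Admin' = @('1st-Line', '2nd-Line', '3rd-Line')
    'UserAccount-Admin' = @('1st-Line', '2nd-Line', '3rd-Line')
    'ITAccounts-Admin'  = @('3rd-Line')
}

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Description)
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$Name'")) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
            -GroupCategory Security -Path $RoleOU -Description $Description
    }
}

foreach ($role in $Roles.Keys) {
    # Domain-local role group: the group the Delegate Control wizard is pointed at.
    New-GroupIfMissing -Name $role -Scope DomainLocal `
        -Description "Role: $role. Rights delegated on the matching OU or servers."
    foreach ($tier in $Roles[$role]) {
        # Global tier group: techs' admin accounts go here, never directly into a role group.
        New-GroupIfMissing -Name $tier -Scope Global -Description "Tier: $tier admin accounts."
        $already = Get-ADGroupMember -Identity $role | Where-Object SamAccountName -eq $tier
        if (-not $already) { Add-ADGroupMember -Identity $role -Members $tier }
    }
}

# Document what each tier ends up with, so the groups do not become unexplained sprawl.
foreach ($tier in ($Roles.Values | ForEach-Object { $_ } | Sort-Object -Unique)) {
    $held = (Get-ADPrincipalGroupMembership -Identity $tier).Name -join ', '
    Write-Output "$tier -> $held"
}

# Head count for Domain Admins, nested members included, against the figure quoted in the thread.
$limit = 6
$da = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user')
$da | Sort-Object SamAccountName | Format-Table Name, SamAccountName
if ($da.Count -gt $limit) {
    Write-Warning "Domain Admins has $($da.Count) user accounts (limit used here: $limit)."
}
```

The script only builds and nests the groups; the rights each role group holds are still granted separately, for example with the Delegate Control wizard mentioned earlier in the thread.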

Re: Multiple Domain Administrator Accounts 6 years 4 months ago #35110

  • kanna84
How is this possible with one domain with multiple accounts?

Re: Multiple Domain Administrator Accounts 6 years 4 months ago #35130

  • Bublitz
There is a domain admin user and a domain admin group. Add users to the domain admin group and you have multiple domain admins.
The Bublitz
Systems Admin
Hospice of the Red River Valley