Karl
Sun Jan 11 07:02:50 CST 2004
You shouldn't have just one domain admin account. What if that account gets
locked out or the password changed or forgotten? There should also be more
than one domain admin person, for instances when the admin is out of the
office, and to be sure that no one admin starts abusing her powers or doing
unethical things without fear of being discovered. [On the other hand, you
don't want too many unnecessary people with domain admin privileges either.]
Also, each domain admin may need to have at least two accounts... one
admin-level account and one lower-privileged account for day to day use.
This is optional and is up to you.
Avoid using accounts shared by multiple people. There's no accountability,
no way to know who did what.
All passwords should be changed regularly. This somewhat contradicts the
idea of sticking the password in the safe.
You're right though that someone will probably need domain admin privileges
from time to time. If the idea is to make sure no one in the company knows
the admin password including the admins, I'm not sure doing so is a very
common security practice.
"Philip Wang" <anonymous@discussions.microsoft.com> wrote in message
news:00b301c3d812$2e4635b0$a001280a@phx.gbl...
> Hi guys, I would like to have some opinion on this.
> Recently we are doing some security audit and my boss
> said that we should surrender our Domain Administrator ID
> and keep the password in a safe.
>
> Other than using Domain Administrator to join PC /servers
> to domain, performing administrative tasks, etc, how can
> I convince my boss that it is essential for System
> Administrator like us to be responsible and keep the
> Domain Adminstrator account and password to ourselves?
>
> Hear from you guys soon!
>
> Best Regards.