|
Posted by Joe Richards [MVP] on June 2, 2006, 11:13 pm
Please log in for more thread options LOL. 3-5 DAs was my usual stance with 3 being the one I felt the best
about. I find people whine less when I say 5 versus 3 though. :)
And when you really really get down to it you don't even need 3 full
time DAs.
I don't agree that the register analogy works here though. I think what
applies with DAs is that the more DAs you have the less each feels
ownership for the environment. In other words, more cooks in the
kitchen, all of them pay less attention and if there is a hair in your
soup you really don't know where it came from. The smaller the DA group,
the more careful each DA would be I think or at least from what I have
experienced.
Consulting has been interesting though I must say... I have gone from
doing support of one of the world's larger deployments with 3 DAs to
seeing lots and lots of deployments and just hoping that these smaller
deployments with only 100k or so users would cut down to less than 100
Domain Admins... Those that listen start running more and more stable
but man is it a fight trying to explain to people they don't need those
rights for most everything they are doing. The usual answer is that
people need them for troubleshooting, and when I say give me specifics
they almost never can give me something that really does require DA.
They give me examples of how they want to change something to see if it
fixes a problem... that isn't troubleshooting.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Roger Abell [MVP] wrote:
> You caught me by surprise Joe - seems you have become a little
> liberal ("no more than five domain admins") perhaps from seeing
> client practices in the field.
>
> So, devils advocate here, why five?
>
> I recall when I had to pass adv compiler construction, the prof
> observed, as soon as the proc has more than one register it really
> does not matter how many there, the complexity of object gen
> changes at the one/more-than-one boundary.
>
> It seems to me something similar holds true here. Domain admin
> accounts tightly held and used only when/if necessary, or accounts
> individually issued to the domain admins (letting the pig out of the
> barn).
>
> I case you didn't notice, I miss your prior hard line viewpoint.
> It was totally valid. It was also something no one was willing to
> say much as it went counter to the mainstream usage. However,
> in the long run (meeting today's and tomorrow's auditability,
> personal protection, etc.) it will proable become the dominant
> approach.
>
> Roger
>
>
| 
XML Sitemap