How many domain admins do you need?

I was working on a book chapter this afternoon and something I was reading made me stop and think for a moment. How many people are members of your Domain Admins group – or, even worse, the Enterprise Admins or Schema Admins groups?

Many of the organisations whose AD I have reviewed have 15, 20, 50 or even 70 people in the Domain Admins group – and that is for a single domain!
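Before arguing about the number, measure it. The following is an added example (not code from the original post) that counts the effective membership of the privileged groups, expanding nested groups so that a "Domain Admins" group with three direct members that are themselves groups does not hide thirty people. It assumes the RSAT ActiveDirectory module on a domain-joined machine with read access to the directory; the groups are looked up by well-known SID so renamed or localised groups are still found.

```powershell
# Added example, not from the original post: count who effectively holds
# tier-0 rights in this domain and the forest root, resolving nested groups.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain   # Enterprise/Schema Admins live here
$thisDomain = Get-ADDomain

# Well-known RIDs (512, 518, 519) and the BUILTIN\Administrators SID.
$targets = @(
    @{ Name = 'Domain Admins';     Domain = $thisDomain; Sid = "$($thisDomain.DomainSID)-512" }
    @{ Name = 'Enterprise Admins'; Domain = $rootDomain; Sid = "$($rootDomain.DomainSID)-519" }
    @{ Name = 'Schema Admins';     Domain = $rootDomain; Sid = "$($rootDomain.DomainSID)-518" }
    @{ Name = 'Administrators';    Domain = $thisDomain; Sid = 'S-1-5-32-544' }
)

$report = foreach ($t in $targets) {
    $server = $t.Domain.DNSRoot
    $group  = Get-ADGroup -Identity $t.Sid -Server $server

    # Direct members (may include groups) versus the fully expanded leaf objects.
    $direct    = @(Get-ADGroupMember -Identity $group -Server $server)
    $effective = @(Get-ADGroupMember -Identity $group -Server $server -Recursive)

    $users = @($effective | Where-Object objectClass -eq 'user')
    # Disabled accounts still count: they can be re-enabled, and their rights are intact.
    $enabled = @($users | ForEach-Object { Get-ADUser -Identity $_ -Server $server } |
                Where-Object Enabled)

    [pscustomobject]@{
        Group          = $t.Name
        Domain         = $server
        DirectMembers  = $direct.Count
        NestedGroups   = @($direct | Where-Object objectClass -eq 'group').Count
        EffectiveUsers = $users.Count
        EnabledUsers   = $enabled.Count
        Computers      = @($effective | Where-Object objectClass -eq 'computer').Count
        UserList       = ($users.SamAccountName | Sort-Object) -join ', '
    }
}

$report | Format-Table Group, Domain, DirectMembers, NestedGroups, EffectiveUsers, EnabledUsers, Computers -AutoSize
$report | Select-Object Group, UserList | Format-List
```

Two caveats: `Get-ADGroupMember -Recursive` stops with an error when it meets a foreign security principal from a trusted forest, so if you have trusts you will need to walk the `member` attribute yourself; and this counts group membership only, not accounts that hold equivalent rights through ACLs on the domain head, AdminSDHolder or the domain controllers OU, which are a separate review.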

Is this necessary?

Most often the answer is no, no and no again.

Way back in NT times you had to be a domain admin to do practically any administration. Things are different now.

You can be much more granular in assigning permissions (remember the principle of least privilege): there is a whole raft of built-in groups for administering individual facets of your environment, and you can delegate rights on specific OUs without handing out membership of a privileged group.

You can use tools like JEA (Just Enough Administration) and PowerShell to delegate specific tasks rather than lumping everyone into Domain Admins.
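As an added example of that delegation (not code from the original post), here is a JEA endpoint that lets a help-desk group unlock accounts and reset passwords without anyone on the help desk being a domain admin. The names are placeholders: it assumes a group `CONTOSO\HelpDesk`, a group managed service account `CONTOSO\jea-helpdesk$` that has already been granted the "Reset password" and "Write lockoutTime" permissions on the target user OU, and a jump host where the endpoint is registered.

```powershell
# Added example, not from the original post: delegate unlock/reset to a
# help-desk group via JEA. Placeholder names: CONTOSO\HelpDesk (callers),
# CONTOSO\jea-helpdesk$ (gMSA that actually holds the delegated AD rights).
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaHelpDesk'
New-Item -ItemType Directory -Path (Join-Path $modulePath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'JeaHelpDesk.psd1')

# Role capability: only these cmdlets, and only these parameters, are visible.
# Anything not listed (Add-ADGroupMember, Set-ADUser, ...) simply does not exist in the session.
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\HelpDesk.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        @{ Name = 'Get-ADUser';            Parameters = @{ Name = 'Identity' }, @{ Name = 'Properties' } },
        @{ Name = 'Unlock-ADAccount';      Parameters = @{ Name = 'Identity' } },
        @{ Name = 'Set-ADAccountPassword'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Reset' }, @{ Name = 'NewPassword' } }
    ) `
    -VisibleFunctions 'Read-Host' `
    -VisibleExternalCommands @()

# Session configuration: no language mode, runs as the gMSA rather than the
# caller, and every session is transcribed.
$pssc = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CONTOSO\jea-helpdesk$' `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'HelpDesk' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration file: $pssc" }
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $pssc -Force

# A help-desk user then works through the constrained endpoint, for example:
#   Enter-PSSession -ComputerName jumphost -ConfigurationName HelpDesk
#   Unlock-ADAccount -Identity jbloggs
```

The point of the `-GroupManagedServiceAccount` choice is that the rights live on the service account's ACEs in the directory, scoped to the OU you delegated, rather than on the people: if the gMSA has no rights over the Admins OU, a help-desk user cannot reset a domain admin's password no matter what they type, and the transcript directory records who asked for what.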

In this day and age there is no excuse for having a Domain Admins group with huge numbers of members unless you subscribe to the "that's how we've always done it" school of thought. If you do, expect problems sooner rather than later.

This entry was posted in Security. Bookmark the permalink.
