I was working on a book chapter this afternoon and something I was reading made me stop and think for a moment. How many people are members of your domain admins group – or even worse the enterprise admins or schema admins groups.
Many of the organisations where I’ve reviewed their AD have 15, 20, 50 or even 70 people in the domain admins group – this is for a single domain!
Is this necessary?
Most often the answer is no, no and no again.
Way back in NT times you had to be a domain admin to do practically any administration. Now things are different.
You can be much more granular in assigning permissions -remember the principal of least privilege – there a a whole raft of groups for administering facets of your environment.
You can use tools like JEA and PowerShell to delegate permissions rather than lumping everyone in domain admins
In this day and age there is no excuse for having a domain admins group with huge numbers of members unless you prescribe to the “that’s how we’ve always done it” school of thought. If you do then expect problems sooner rather than later