Windows AD Accounts for Network

Posted on 2011-03-01
Medium Priority
Last Modified: 2012-05-11
I am seeking recommendations on the best way to manage AD accounts required for network services. Currently, we have the following accounts:

1. Domain admin account used for server administration
2. Backup Exec account used for backups
3. Blackberry Enterprise account used for BES
4. General network administrator account/mailbox
5. Windows NT service account so we can change passwords for domain admin and BES admin and not impact services. Not everyone on the team has this account.

I'm looking to consolidate our accounts for security and licensing costs. I want to know what the best practice is in this arena. I'm considering consolidating everything (services, backup, BES) into the network admin account. Under this plan we'll have 2 accounts, general admin and netadmin used for services and such. We don't need the entire team to know the netadmin password, but we still need our team to log in to the server (and I don't want to change service passwords every time we change the domain admin password!)

Question by: pitchford
LVL 20

Accepted Solution

woolnoir earned 2000 total points
ID: 35006956
Best practice (if there is such a thing) for Active Directory is to use delegation to delegate the minimum of permissions required for an admin or a service account to do the job it's intended for. The way you are suggesting it, for example, you would give every admin the schema admin ability, which is potentially very dangerous as it allows them to install software which modifies the structure of AD - an operation that is potentially non-reversible (without editing AD).

Do you have a specific reason for the consolidation, as I'm not aware of any licensing implications for user accounts in the manner that you indicate?
LVL 20

Expert Comment

ID: 35006967
You haven't provided info as to how big your environment is in terms of servers, domains and trees? In addition, what level of security does your environment need, any regulatory issues we need to be aware of?

Author Comment

ID: 35007013
My admins are Domain Admins, we have all of our servers presently logged in using a standard admin account (not the default administrator). My admins know the standard admin password so they can unlock the servers as needed. I don't want them logging in directly to the server because I don't want multiple unnecessary profiles on the server. I know this is a security risk, and I'll cross that bridge later.

We license our Windows CALs based on user. I'm working to consolidate our users; even though we're going to save about 5 user accounts doing it this way.

I've spent the past day doing a lot of clean up from the previous admin and found we've actually had multiple accounts serving the same function!
LVL 20

Assisted Solution

woolnoir earned 2000 total points
ID: 35007072
Then you should consider one account with the domain and schema admin rights, which I guess you should keep to as few people as possible. One account for general administrative tasks and one 'service' account. You could also, depending on how you want to do things, have a backup service and service users - maybe they can be the same, it depends on what rights you want to grant the service user.

At my employer we have a backup user which has file system access to EVERYTHING in our organisation together with login rights for Exchange info stores and SQL DBs. We have a service account for anything that needs service rights. And we have a domain admin generic account. This has been recently changed though due to an audit I conducted - and the rights for this delegated to a number of admin accounts.

You have a requirement which goes against 'best practice' but your need is real, so go for a compromise. What you are suggesting sounds like an ideal middle ground between how you NEED it and how it SHOULD be.
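Tying the two answers above together, as an added example that is not from the thread: a PowerShell sketch of one dedicated account per service (so rotating the admin password never touches Backup Exec or BES), rights granted through purpose-specific groups rather than Domain Admins, and an audit that flags service accounts that have crept into Domain Admins. The OU path, the domain, and the 'BES Admins' group are assumptions; the ActiveDirectory module is required.

```powershell
# Added example, not the thread's own code. Assumes the ActiveDirectory module,
# a hypothetical OU "OU=Service Accounts,DC=corp,DC=example" and a hypothetical
# delegated group "BES Admins" that carries the BES rights.
Import-Module ActiveDirectory

$svcOu = 'OU=Service Accounts,DC=corp,DC=example'   # assumed OU

# One non-interactive account per service, each with its own password that is
# independent of any admin's credentials.
$services = @(
    @{ Name = 'svc_backup'; Desc = 'Backup Exec service account'; Group = 'Backup Operators' },
    @{ Name = 'svc_bes';    Desc = 'BlackBerry Enterprise Server'; Group = 'BES Admins' }  # assumed group
)

foreach ($s in $services) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($s.Name)'")) {
        $pw = Read-Host -AsSecureString "Initial password for $($s.Name)"
        New-ADUser -Name $s.Name -SamAccountName $s.Name -Path $svcOu `
            -Description $s.Desc -AccountPassword $pw -Enabled $true `
            -CannotChangePassword $true -PasswordNeverExpires $false
    }
    # Rights come from a purpose-specific group, never from Domain Admins.
    Add-ADGroupMember -Identity $s.Group -Members $s.Name
}

# Audit: a Domain Admins member that carries an SPN or an svc_ prefix is a
# service account that was consolidated the wrong way.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties ServicePrincipalName, PasswordLastSet

$privileged | Where-Object {
    $_.SamAccountName -like 'svc_*' -or $_.ServicePrincipalName.Count -gt 0
} | ForEach-Object {
    Write-Warning ("{0} is in Domain Admins but looks like a service account; move its rights to a delegated group" -f $_.SamAccountName)
}

# Service account passwords still need rotating; list any older than a year.
Get-ADUser -SearchBase $svcOu -Filter * -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-365) } |
    Select-Object SamAccountName, PasswordLastSet
```

Built-in Backup Operators is used here as the least-privilege choice for a backup agent, but it can still read and restore any file, so treat that group membership with the same care as the account's password.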
