Windows AD Accounts for Network

Posted on 2011-03-01
Last Modified: 2012-05-11
I am seeking recommendations on the best way to manage AD accounts required for network services. Currently, we have the following accounts:

1. Domain admin account used for server administration
2. Backup Exec account used for backups
3. Blackberry Enterprise account used for BES
4. General network administrator account/mailbox
5. Windows NT service account so we can change passwords for domain admin and BES admin and not impact services. Not everyone on the team has this account.

I'm looking to consolidate our accounts for security and licensing costs. I want to know what the best practice is in this arena. I'm considering consolidating everything (services, backup, BES) into the network admin account. Under this plan we'll have 2 accounts: general admin, and netadmin used for services and such. We don't need the entire team to know the netadmin password, but we still need our team to log in to the server (and I don't want to change service passwords every time we change the domain admin password!)

Question by:pitchford

Accepted Solution

woolnoir earned 500 total points
Best practice (if there is such a thing) for Active Directory is to use delegation to delegate the minimum of permissions required for an admin or a service account to do the job it's intended for. The way you are suggesting it, for example, you would give every admin the schema admin ability, which is potentially very dangerous as it allows them to install software which modifies the structure of AD - an operation that is potentially non-reversible (without editing AD).

Do you have a specific reason for the consolidation? I'm not aware of any licensing implications for user accounts in the manner that you indicate.
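One way to do the delegation woolnoir describes, as an added example that is not part of the original thread: grant a group one extended right on one OU, scoped to one object class, and then read the ACE back to verify it. The domain name, OU paths and group names below are assumptions; the GUIDs are the standard AD GUIDs for the "Reset Password" extended right and for the user and computer schema classes.

```powershell
# Added example, not from the original thread: delegate only the rights a team
# needs on one OU, so named admin accounts (not a shared Domain Admin account)
# can do day-to-day work. Assumed names: domain corp.example, OUs
# "OU=ServiceAccounts,DC=corp,DC=example" and "OU=Servers,DC=corp,DC=example",
# groups "ServiceAccountManagers" and "ServerAdmins". Run once as an account
# that can modify permissions on those OUs (initially a Domain Admin).
Import-Module ActiveDirectory

# Well-known AD GUIDs referenced by object-specific ACEs.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class: user
$ComputerClass      = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schema class: computer

function Grant-OuRight {
    # Adds one Allow ACE on $OuDn for $GroupName, inherited by descendant
    # objects of class $InheritedClass only.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,      # extended right or attribute; Empty = all
        [guid]$InheritedClass = [guid]::Empty   # object class the ACE applies to; Empty = all
    )
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                $Rights,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $ObjectType,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
                $InheritedClass)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-OuDelegation {
    # Reads back the ACEs granted to $GroupName on $OuDn, to verify the result.
    param([string]$OuDn, [string]$GroupName)
    $account = (Get-ADGroup -Identity $GroupName).SID.Translate([System.Security.Principal.NTAccount]).Value
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}

$svcOu = 'OU=ServiceAccounts,DC=corp,DC=example'
$srvOu = 'OU=Servers,DC=corp,DC=example'

# People who rotate service-account passwords get exactly that right, on user
# objects in the service-account OU only: not Domain Admins, not the whole domain.
Grant-OuRight -OuDn $svcOu -GroupName 'ServiceAccountManagers' `
    -Rights ExtendedRight -ObjectType $ResetPasswordRight -InheritedClass $UserClass

# Server admins can reset computer-account passwords (rejoin a broken server)
# for computers in the Servers OU, and nothing else.
Grant-OuRight -OuDn $srvOu -GroupName 'ServerAdmins' `
    -Rights ExtendedRight -ObjectType $ResetPasswordRight -InheritedClass $ComputerClass

Get-OuDelegation -OuDn $svcOu -GroupName 'ServiceAccountManagers' | Format-Table -AutoSize
Get-OuDelegation -OuDn $srvOu -GroupName 'ServerAdmins'            | Format-Table -AutoSize
```

The admins then log on with their own named accounts, which are members of the group; no shared password is needed and the granted rights can be reviewed per OU with Get-OuDelegation. Membership of Domain Admins and Schema Admins stays with the one or two people who actually need it.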

Expert Comment

You haven't provided info as to how big your environment is in terms of servers, domains and trees. In addition, what level of security does your environment need? Any regulatory issues we need to be aware of?

Author Comment

My admins are Domain Admins; we have all of our servers presently logged in using a standard admin account (not the default administrator). My admins know the standard admin password so they can unlock the servers as needed. I don't want them logging in directly to the server because I don't want multiple unnecessary profiles on the server. I know this is a security risk, and I'll cross that bridge later.

We license our Windows CALs based on user. I'm working to consolidate our users; even though we're going to save about 5 user accounts doing it this way.

I've spent the past day doing a lot of clean-up from the previous admin and found we've actually had multiple accounts serving the same function!

Assisted Solution

woolnoir earned 500 total points
Then you should consider one account with the domain and schema admin rights, which I guess you should keep to as few people as possible. One account for general administrative tasks and one 'service' account. You could also, depending on how you want to do things, have a backup service user and service users - maybe they can be the same; it depends on what rights you want to grant the service user.

At my employer we have a backup user which has file system access to EVERYTHING in our organisation, together with login rights for Exchange info stores and SQL DBs. We have a service account for anything that needs service rights. And we have a domain admin generic account. This has been recently changed though, due to an audit I conducted - and the rights for this delegated to a number of admin accounts.

You have a requirement which goes against 'best practice', but your need is real, so go for a compromise. What you are suggesting sounds like an ideal middle ground between how you NEED it and how it SHOULD be.
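Before settling on the account layout woolnoir suggests, it helps to know which services actually run under each existing account (so a password change does not silently stop one), and which members of the privileged groups are really service accounts. The following is an added example, not from the original thread; the server names, the domain corp.example with NetBIOS name CORP, and the list of privileged groups are assumptions.

```powershell
# Added example, not from the original thread: before consolidating accounts,
# inventory where each account is actually used, and which members of the
# privileged groups look like service accounts. Assumed: domain corp.example
# (NetBIOS CORP), the member-server names in $Servers, and that the account
# running this can query services remotely (WMI over DCOM, admin on the targets).
Import-Module ActiveDirectory

$Servers = @('fs01', 'mail01', 'bes01', 'backup01')   # assumed server names

function Get-ServiceAccountUsage {
    # Lists every Windows service on $ComputerName that runs as a named account
    # (not LocalSystem / LocalService / NetworkService / virtual "NT Service"
    # accounts), grouped by account so duplicates and overlap stand out.
    param([string[]]$ComputerName)
    $rows = foreach ($c in $ComputerName) {
        try {
            Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop |
                Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $c; Service = $_.Name; Account = $_.StartName; State = $_.State }
                }
        } catch {
            Write-Warning "Could not query services on ${c}: $($_.Exception.Message)"
        }
    }
    $rows | Group-Object -Property Account | Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Account';  e = { $_.Name } },
                      @{ n = 'Services'; e = { $_.Count } },
                      @{ n = 'UsedOn';   e = { ($_.Group | ForEach-Object { "$($_.Computer)\$($_.Service)" }) -join ', ' } }
}

function Get-PrivilegedMembers {
    # Expands the privileged groups (nested membership included) and flags
    # accounts that look like service accounts: password never expires, or an
    # SPN registered. Enterprise Admins and Schema Admins exist only in the
    # forest root domain; run this from there.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties PasswordNeverExpires, LastLogonDate, ServicePrincipalName |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled,
                          PasswordNeverExpires, LastLogonDate,
                          @{ n = 'HasSPN'; e = { $_.ServicePrincipalName.Count -gt 0 } }
    }
}

$usage = Get-ServiceAccountUsage -ComputerName $Servers
$priv  = Get-PrivilegedMembers
$usage | Format-Table -AutoSize
$priv  | Format-Table -AutoSize

# Accounts that both run services and sit in a privileged group: rotating their
# password means touching every listed service, and every host where a service
# logs on with them stores that privileged credential (LSA secrets).
# StartName is matched in DOMAIN\name form; UPN-style entries will not match.
$privNames = $priv | ForEach-Object { "CORP\$($_.SamAccountName)" }
$usage | Where-Object { $privNames -contains $_.Account } | Format-Table -AutoSize
```

The last table is the one to read first: an account that runs services and is also a Domain Admin is the case to split out into a dedicated, unprivileged service account, because its password rotation breaks services and its credential sits on every server where those services run. The first table also shows directly where several accounts serve the same function, which is what the clean-up above turned up.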
