Windows AD Accounts for Network

I am seeking recommendations on the best way to manage AD accounts required for network services. Currently, we have the following accounts:

1. Domain admin account used for server administration
2. Backup Exec account used for backups
3. Blackberry Enterprise account used for BES
4. General network administrator account/mailbox
5. Windows NT service account so we can change passwords for domain admin and BES admin and not impact services. Not everyone on the team has this account.

I'm looking to consolidate our accounts for security and licensing costs. I want to know what the best practice is in this arena. I'm considering consolidating everything (services, backup, BES) into the network admin account. Under this plan we'll have 2 accounts: general admin and netadmin used for services and such. We don't need the entire team to know the netadmin password, but we still need our team to log in to the server (and I don't want to change service passwords every time we change the domain admin password!)

woolnoir commented:
Best practise (if there is such a thing) for Active Directory is to use delegation to delegate the minimum of permissions required for an admin or a service account to do the job it's intended for. The way you are suggesting it, for example, you would give every admin the schema admin ability, which is potentially very dangerous as it allows them to install software which modifies the structure of AD - an operation that is potentially non-reversible (without editing AD).

Do you have a specific reason for the consolidation? I'm not aware of any licensing implications for user accounts in the manner that you indicate.
You haven't provided info as to how big your environment is in terms of servers, domains and trees. In addition, what level of security does your environment need? Any regulatory issues we need to be aware of?
pitchford (author) commented:
My admins are Domain Admins, we have all of our servers presently logged in using a standard admin account (not the default administrator). My admins know the standard admin password so they can unlock the servers as needed. I don't want them logging in directly to the server because I don't want multiple unnecessary profiles on the server. I know this is a security risk, and I'll cross that bridge later.

We license our Windows CALs based on user. I'm working to consolidate our users; even though we're going to save about 5 user accounts doing it this way.

I've spent the past day doing a lot of clean up from the previous admin and found we've actually had multiple accounts serving the same function!
woolnoir commented:
Then you should consider one account with the domain and schema admin rights, which I guess you should keep to a minimum of people. One account for general administrative tasks and one 'service' account. You could also, depending on how you want to do things, have a backup service user and a service user - maybe they can be the same; it depends on what rights you want to grant the service user.

At my employer we have a backup user which has file system access to EVERYTHING in our organisation together with login rights for Exchange information stores and SQL DBs. We have a service account for anything that needs service rights. And we have a domain admin generic account. This has been recently changed though due to an audit I conducted - and the rights for this delegated to a number of admin accounts.

You have a requirement which goes against 'best practise', but your need is real, so go for a compromise. What you are suggesting sounds like an ideal middle ground between how you NEED it and how it SHOULD be.
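The delegation model woolnoir describes in both replies (audit who really holds Domain/Schema Admin, then give each service its own least-privilege account instead of a shared netadmin) can be scripted. The following is an added example, not code from the thread's participants. It assumes the RSAT ActiveDirectory module, and the OU path, account names and group names are hypothetical placeholders. The last step uses a group Managed Service Account, which also addresses the asker's complaint about rotating service passwords: AD rotates the password itself, so changing the domain admin password never touches the service.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module; names below (OU, svc-backup, svc-bes, BES-Servers) are hypothetical.
Import-Module ActiveDirectory

# 1. Audit: who actually holds the rights the thread warns about? -Recursive
#    expands nested groups, which is where stale admin membership usually hides.
$privilegedGroups = 'Domain Admins', 'Schema Admins', 'Enterprise Admins'
$report = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
$report | Format-Table -AutoSize

# 2. One dedicated account per service rather than a shared netadmin account.
#    Backup Operators grants backup/restore privilege without Domain Admin.
$serviceOu = 'OU=Service Accounts,DC=corp,DC=example'        # hypothetical OU
$initialPw = Read-Host -AsSecureString 'Initial password for svc-backup'
New-ADUser -Name 'svc-backup' -SamAccountName 'svc-backup' -Path $serviceOu `
    -AccountPassword $initialPw -Enabled $true `
    -Description 'Backup Exec service account - least privilege, not Domain Admin'
Add-ADGroupMember -Identity 'Backup Operators' -Members 'svc-backup'

# 3. Where the service supports it, a group Managed Service Account (gMSA,
#    Windows Server 2012+ domain with a KDS root key) removes the rotation
#    problem: AD changes the password on a schedule and only the hosts in the
#    named group can retrieve it. BES-Servers is a hypothetical computer group.
New-ADServiceAccount -Name 'svc-bes' -DNSHostName 'svc-bes.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'BES-Servers'
# On each member host, install and verify before pointing the service at it:
#   Install-ADServiceAccount -Identity 'svc-bes'
#   Test-ADServiceAccount -Identity 'svc-bes'   # should return True
```

Step 1 is worth running before any consolidation, since it shows whether the "standard admin" account everyone shares is already a Domain Admin. Step 2 is the compromise the thread settles on, but with one account per service so that a compromised backup credential does not also carry the BES or domain admin rights.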