Windows AD Accounts for Network

Posted on 2011-03-01
Medium Priority
Last Modified: 2012-05-11
I am seeking recommendations on the best way to manage AD accounts required for network services. Currently, we have the following accounts:

1. Domain admin account used for server administration
2. Backup Exec account used for backups
3. Blackberry Enterprise account used for BES
4. General network administrator account/mailbox
5. Windows NT service account so we can change passwords for domain admin and BES admin and not impact services. Not everyone on the team has this account.

I'm looking to consolidate our accounts for security and licensing costs. I want to know what the best practice is in this arena. I'm considering consolidating everything (services, backup, BES) into the network admin account. Under this plan we'll have 2 accounts, general admin and netadmin used for services and such. We don't need the entire team to know the netadmin password; but we still need our team to log in to the server (and I don't want to change service passwords every time we change the domain admin password!)

Question by:pitchford

Accepted Solution

woolnoir earned 2000 total points
ID: 35006956
Best practice (if there is such a thing) for Active Directory is to use delegation to delegate the minimum of permissions required for an admin or a service account to do the job it's intended for. The way you are suggesting it, for example, you would give every admin the schema admin ability, which is potentially very dangerous as it allows them to install software which modifies the structure of AD - an operation that is potentially non-reversible (without editing AD).

Do you have a specific reason for the consolidation, as I'm not aware of any licensing implications for user accounts in the manner that you indicate?

Expert Comment

ID: 35006967
You haven't provided info as to how big your environment is in terms of servers, domains and trees? In addition, what level of security does your environment need, any regulatory issues we need to be aware of?

Author Comment

ID: 35007013
My admins are Domain Admins, we have all of our servers presently logged in using a standard admin account (not the default administrator). My admins know the standard admin password so they can unlock the servers as needed. I don't want them logging in directly to the server because I don't want multiple unnecessary profiles on the server. I know this is a security risk, and I'll cross that bridge later.

We license our Windows CALs based on user. I'm working to consolidate our users; even though we're going to save about 5 user accounts doing it this way.

I've spent the past day doing a lot of clean up from the previous admin and found we've actually had multiple accounts serving the same function!

Assisted Solution

woolnoir earned 2000 total points
ID: 35007072
Then you should consider one account with the domain and schema admin rights, which I guess you should keep to as few people as possible. One account for general administrative tasks and one 'service' account. You could also, depending on how you want to do things, have a backup service and service users - maybe they can be the same, it depends on what rights you want to grant the service user.

At my employer we have a backup user which has file system access to EVERYTHING in our organisation together with login rights for Exchange info stores and SQL DBs. We have a service account for anything that needs service rights. And we have a domain admin generic account. This has been recently changed though due to an audit I conducted - and the rights for this delegated to a number of admin accounts.

You have a requirement which goes against 'best practice' but your need is real, so go for a compromise. What you are suggesting sounds like an ideal middle ground between how you NEED it and how it SHOULD be.
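The accepted answer and the follow-up both argue for separate, minimally delegated service and admin accounts rather than one shared Domain Admin account. The following PowerShell audit is an added example, not code from the thread or from any of its participants: it lists who is in the high-privilege groups and flags members that look like service accounts (an SPN or a non-expiring password), which is exactly the mix the answer warns against. It assumes the RSAT ActiveDirectory module and a domain-joined session with read rights; group names are the default ones.

```powershell
# Added example: audit privileged AD groups for service-style accounts.
# Assumes the RSAT ActiveDirectory module is installed and the session
# can read the domain (a Domain Admin or a delegated reader is enough).
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

function Get-PrivilegedAccountReport {
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups so indirect members are not missed
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName `
                -Properties servicePrincipalName, PasswordNeverExpires, PasswordLastSet, LastLogonDate
            $hasSpn = $u.servicePrincipalName.Count -gt 0
            # An SPN or a never-expiring password usually marks a service account
            [PSCustomObject]@{
                Group                  = $group
                SamAccountName         = $u.SamAccountName
                HasSPN                 = $hasSpn
                PasswordNeverExpires   = [bool]$u.PasswordNeverExpires
                PasswordLastSet        = $u.PasswordLastSet
                LastLogonDate          = $u.LastLogonDate
                ServiceLikeInPrivGroup = $hasSpn -or [bool]$u.PasswordNeverExpires
            }
        }
    }
}

$report = Get-PrivilegedAccountReport
$report | Format-Table -AutoSize

# Schema Admins should normally be empty outside a schema change window
$schema = @($report | Where-Object { $_.Group -eq 'Schema Admins' })
if ($schema.Count -gt 0) {
    Write-Warning "Schema Admins has $($schema.Count) member(s); remove them when not extending the schema."
}

# Candidates to move to a dedicated, delegated service account instead of Domain Admin
$report | Where-Object { $_.ServiceLikeInPrivGroup } |
    Select-Object Group, SamAccountName, HasSPN, PasswordNeverExpires, PasswordLastSet
```

Accounts that appear in the last list are the ones to recreate as non-privileged service accounts with only the rights their service needs (for example, backup operator rights for the backup software), so that rotating the admin password no longer breaks services.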
