Windows AD Accounts for Network

Posted on 2011-03-01
Last Modified: 2012-05-11
I am seeking recommendations on the best way to manage AD accounts required for network services. Currently, we have the following accounts:

1. Domain admin account used for server administration
2. Backup Exec account used for backups
3. Blackberry Enterprise account used for BES
4. General network administrator account/mailbox
5. Windows NT service account so we can change passwords for domain admin and BES admin and not impact services. Not everyone on the team has this account.

I'm looking to consolidate our accounts for security and licensing costs. I want to know what the best practice is in this arena. I'm considering consolidating everything (services, backup, BES) into the network admin account. Under this plan we'll have 2 accounts: general admin, and netadmin used for services and such. We don't need the entire team to know the netadmin password, but we still need our team to log in to the server (and I don't want to change service passwords every time we change the domain admin password!)

Thanks!
Question by: pitchford


Accepted Solution

by: woolnoir
ID: 35006956
Best practice (if there is such a thing) for Active Directory is to use delegation to delegate the minimum of permissions required for an admin or a service account to do the job it is intended for. The way you are suggesting it, for example, you would give every admin the Schema Admin ability, which is potentially very dangerous as it allows them to install software which modifies the structure of AD, an operation that is potentially non-reversible (without editing AD).

Do you have a specific reason for the consolidation? I'm not aware of any licensing implications for user accounts in the manner that you indicate.

Expert Comment

by: woolnoir
ID: 35006967
You haven't provided info as to how big your environment is in terms of servers, domains and trees. In addition, what level of security does your environment need? Any regulatory issues we need to be aware of?

Author Comment

by: pitchford
ID: 35007013
My admins are Domain Admins, we have all of our servers presently logged in using a standard admin account (not the default administrator). My admins know the standard admin password so they can unlock the servers as needed. I don't want them logging in directly to the server because I don't want multiple unnecessary profiles on the server. I know this is a security risk, and I'll cross that bridge later.

We license our Windows CALs based on user. I'm working to consolidate our users; even though we're going to save about 5 user accounts doing it this way.

I've spent the past day doing a lot of clean-up from the previous admin and found we've actually had multiple accounts serving the same function!

Assisted Solution

by: woolnoir
ID: 35007072
Then you should consider one account with the domain and schema admin rights, which I guess you should keep to as few people as possible. One account for general administrative tasks and one 'service' account. You could also, depending on how you want to do things, have a backup service user and a service user. Maybe they can be the same; it depends on what rights you want to grant the service user.

At my employer we have a backup user which has file system access to EVERYTHING in our organisation, together with login rights for Exchange info stores and SQL DBs. We have a service account for anything that needs service rights. And we have a generic domain admin account. This has recently been changed though, due to an audit I conducted, and the rights for this delegated to a number of admin accounts.

You have a requirement which goes against 'best practice', but your need is real, so go for a compromise. What you are suggesting sounds like an ideal middle ground between how you NEED it and how it SHOULD be.
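Before splitting accounts the way the accepted and assisted solutions above describe (one tightly held Domain/Schema Admin identity, one general admin account, separate service and backup identities), you need to know where each existing account is actually used, otherwise a password change will break whatever service nobody remembered. The script below is an added example, not code from the thread or from any of the participants. It inventories the logon account of every Windows service and scheduled task on a list of servers and flags any of those accounts that are (recursively) members of Domain Admins or Schema Admins, which is exactly the combination woolnoir warns against. It assumes a domain-joined workstation with the RSAT ActiveDirectory module, WMI/RPC reachable on each server and a caller allowed to query them; the server names are placeholders.

```powershell
# Added example: where are our AD accounts used as service/task identities,
# and which of those carry domain-wide admin rights?
# Assumptions: RSAT ActiveDirectory module present, remote WMI and schtasks
# allowed, and placeholder server names below replaced with real ones.

Import-Module ActiveDirectory

$servers = @('SRV-FILE01', 'SRV-EXCH01', 'SRV-BES01')   # assumed server names

# Built-in identities that are not AD accounts and can be ignored
$svcBuiltin  = '^(LocalSystem|NT AUTHORITY\\.*|NT SERVICE\\.*|\.\\.*)$'
$taskBuiltin = '^(N/A|SYSTEM|INTERACTIVE|Users|Everyone|Authenticated Users|LOCAL SERVICE|NETWORK SERVICE|NT AUTHORITY\\.*|Run As User)$'

$findings = foreach ($s in $servers) {
    # 1. Windows services and the account each one logs on with
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $s -ErrorAction Stop |
            Where-Object { $_.StartName -and $_.StartName -notmatch $svcBuiltin } |
            ForEach-Object {
                New-Object PSObject -Property @{ Server = $s; Type = 'Service'; Name = $_.Name; Account = $_.StartName }
            }
    } catch {
        Write-Warning "Could not query services on $s : $_"
    }

    # 2. Scheduled tasks and their 'Run As User' (schtasks /V repeats the CSV
    #    header per task folder, so header rows are filtered out by name)
    schtasks.exe /Query /S $s /V /FO CSV 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -and $_.'Run As User' -notmatch $taskBuiltin } |
        ForEach-Object {
            New-Object PSObject -Property @{ Server = $s; Type = 'Task'; Name = $_.TaskName; Account = $_.'Run As User' }
        }
}

# Normalise DOMAIN\user and user@domain forms to a bare sAMAccountName
function Get-SamName([string]$account) {
    if ($account -match '^[^\\]+\\(.+)$') { return $Matches[1] }
    if ($account -match '^([^@]+)@')     { return $Matches[1] }
    return $account
}

# Recursive membership of the two groups that grant domain-wide control
$privileged = @{}
foreach ($g in 'Domain Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privileged[$_.SamAccountName.ToLower()] = $g }
}

$report = $findings | ForEach-Object {
    $sam = (Get-SamName $_.Account).ToLower()
    Add-Member -InputObject $_ -MemberType NoteProperty -Name PrivilegedVia -Value $privileged[$sam] -PassThru
}

# One row per (account, server, item). Any service or task whose account has
# PrivilegedVia set is the first candidate to move to its own least-privilege
# identity, so that rotating the admin password no longer touches services.
$report | Sort-Object Account, Server, Type |
    Format-Table Account, PrivilegedVia, Server, Type, Name -AutoSize
```

Run it once before the consolidation to get the list of dependencies per account, and again afterwards: the goal is that no row for a service or task shows a PrivilegedVia value, and that the interactive admin account used by the team never appears in the Account column at all.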