When I walked in the door there were on a multimaster NT4 domain setup and
they had something like 75 domain admins across the world and about 6
generic Domain Admin IDs that were known to an unknown number of people
but guessed to be greater than 200 people. They had a terrific issue with
change control and things were just broken that no one could figure out
why they were broken.
Within 3 months I had removed all but one generic ID though the password
of that account was changed[1] so no one knew it but me. The 75 domain
admins were dropped to 12 and 15 others were changed to ServOps. As I got
to learn more about what they all did, the servops were dropped completely
and the domain admins got dropped to 5 which was the size of the official
domain admin team at the time. That took about a year to accomplish but
mostly because I wasn't familiar with the environment and what things
people were supposed to be doing and the fact that it was NT4 which can't
be delegated like AD can. You can guess I wasn't very popular and had
people known where I sat, what I looked like, and what vehicle I drove I
may not be here to type this. However, I was very devious and sneaky and
no one really knew who I was. Eventually people started noticing that the
environment had gotten considerably more and more stable as it got locked
down to the point where it simply just ran and had very very few issues.
At this point, people who said they couldn't do their jobs still could and
things were just changing in the environment causing other things to
break.
When we moved to 2K we started with 5 DAs, no serv ops. There was limited
AD delegation to thousands of local site admins for creation/deletion of
workstation accounts (not server accounts) and the ability to update
membership and description on groups. All user admin was proxied through a
provisioning system so the local site admins did not have native rights in
the directory for users.
I took a 6 month summer sabbatical from being the tech lead for the
company (I was fired by the consulting firm I was working for) and the
Fortune 5 company brought me back in through another company and had me
insource the support of the Active Directory and be the technical lead
again. At that point, the DA list had grown to about 10 or so again. I
took over the directory and we went to 3 Engineer DA's and one manager
with DA rights. That occurred overnight when we took it over.
It isn't necessarily easy but you have to make the decision to do it and
stick to it. I haven't heard many if any good reasons for people to have
domain admin rights. In fact my team didn't normally run with domain
admins rights. They did most troubleshooting with normal user ids and only
used domain admin when they knew they were going to go in and change
something or if there was something that absolutely couldn't be viewed as
a non-DA which was very few items. So few I can't even remember them.
A lot of it though comes down to actually understanding how security and
Windows works so you can push back when someone says they need some level
of access rights. There was more than one occasion where I wrote some
software to prove to a vendor they didn't know what they were talking
about.
Make sure every person who says they need that access explains exactly why
they need it. What does the program do that requires that access and how
come it isn't done in a better way? The biggest pain in the butt issues
were around monitoring, software delivery, and AV. In the end, I said if
our team didn't run those components for the domain controllers, they
wouldn't be run on the domain controllers and they weren't. AV isn't
needed if the people with write access to the DCs are intelligent about
how they use their IDs. Software delivery and monitoring can be handled in
different ways, you don't need agents on the domain controllers running in
DA or localsystem. If you do, anyone controlling those tools are also
domain admins so you might as well give them that access up front and be
honest about it.
As you run into issues. Feel free to post them here and get ideas or
possible join the activedir.org list and post them there.
joe
[1] It was changed every time I had to give it out which was for new DC
installs because there was a very interesting DC install process that was
followed. The DCs came from Dell as DCs that were built from a copy of the
domain we had in production.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Don't get me wrong, I'd like to get there. But how long did it take you?
I guess it would help to start off that way.
I think I need a guide specifically targeting all of the resistance that
I'm about to hit. I can't seem to find the right one.
