Re: Automating Local Computer Admin Rights
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 23 Mar 2006 02:11:28 -0500
10 DAs would be about right if you had maybe 500,000+ employees and about 1000 DCs. I ran a 250k user environment with 3 Domain Admins and no "fake" domain admins by giving that many rights.
I would actually not try to skirt the intent of the audit because they may come back and bust you again. I have been through the external banking audits and the auditors aren't all stupid. You almost certainly don't need that many people with that many rights in the directory. Usually that is done only when people don't really know how to manage AD properly.
As for your last question, you want to look at Group Policies.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
xJayboyx wrote:
I work for a bank that currently has six banks under the holding company. So there are approximately 10 or so “Administrators” for our WAN. Now we have had examiners chewing us out for having too many users in the “Domain Admins” group. So we have gone ahead and created a different group that basically has the same amount of rights as the Domain Admins, but this way we don’t have the “Domain Admins” group full of users.
Now my question is: Is there a way in a policy of some sort that I can make this new group that was created a local admin for each PC without me having to touch every single computer?
- Thanks for any input.
Jason