I am looking to limit the use of our domain admin default administrator account. I understand that the best practice is to create individual accounts and delegate the necessary authorization to these accounts. This will provide the most accountability if something goes wrong, and it provides a better audit trail.
I currently have my own personal admin account, and I have it delegated so that it makes me a local admin on all machines in the domain - however there are still times that I don't have authorization to do things that my domain administrator account can.
My own admin account is a member of a group called AD Admin, which is a member of the Domain Admins group. Shouldn't this make my user a domain admin?
Have you dealt with this? If so, how did you handle it?
Thanks,
sb