Hey guys,
I know this sounds crazy, but thought I would see if anyone has any ideas. We have around 20 Domain Admin accounts and we would like to reduce that to probably 3. Several are service accounts and our primary concern is not what permission issues they will have on other servers/computers, etc. We will handle that separately. Our primary concern is making sure that the Domain Admin accounts still have permissions to do what they need to do, within Active Directory, after we demote them. I really never have to audit AD, but I was thinking of auditing ADDS and if I see user objects created (5137) by CONTOSO\bsmith, etc. then I know that bsmith needs permissions to create user accounts, etc. We do have service accounts that do things like that and it is a long story. I thought some kind of discovery process like this might help, but what do you guys think? Any tips to help me complete this task would be appreciated.
http://technet.microsoft.com/en-us/library/cc731607(v=WS.10).aspx
Dan
Dan Heim
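
The discovery process described in the question, as an added example that is not part of the original post: it tallies Directory Service Changes events (5137 and its sibling IDs) per account, operation, object class and attribute, so each account's observed activity can be turned into a delegation list. The function name `Get-AdChangeSummary`, the account `svc-hr` and the trimmed event XML are constructed for illustration.

```powershell
# Added example, not from the original post. Get-AdChangeSummary is a hypothetical name.
function Get-AdChangeSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)

    # Event IDs of the "Audit Directory Service Changes" subcategory.
    $ops = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move'; 5141 = 'Delete' }

    $rows = foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).DocumentElement
        $id  = [int]$evt['System']['EventID'].InnerText
        if (-not $ops.ContainsKey($id)) { continue }   # ignore unrelated events

        # Flatten the <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in $evt['EventData'].GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Operation   = $ops[$id]
            ObjectClass = $data['ObjectClass']
            Attribute   = $data['AttributeLDAPDisplayName']   # only set on 5136
        }
    }

    # One row per distinct (account, operation, class, attribute) with a hit count.
    $rows | Group-Object Account, Operation, ObjectClass, Attribute | ForEach-Object {
        $r = $_.Group[0]
        [pscustomobject]@{
            Account = $r.Account; Operation = $r.Operation; ObjectClass = $r.ObjectClass
            Attribute = $r.Attribute; Count = $_.Count
        }
    } | Sort-Object Account, Operation
}

# Constructed sample events, trimmed to the fields the function reads.
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
       '<System><EventID>{0}</EventID></System><EventData>' +
       '<Data Name="SubjectDomainName">CONTOSO</Data><Data Name="SubjectUserName">{1}</Data>' +
       '<Data Name="ObjectClass">{2}</Data><Data Name="AttributeLDAPDisplayName">{3}</Data>' +
       '</EventData></Event>'
$sample = @(
    ($tpl -f 5137, 'bsmith', 'user', ''),
    ($tpl -f 5137, 'bsmith', 'user', ''),
    ($tpl -f 5136, 'svc-hr', 'user', 'telephoneNumber'),
    ($tpl -f 5141, 'svc-hr', 'computer', '')
)
Get-AdChangeSummary -EventXml $sample | Format-Table -AutoSize

# Against a domain controller's Security log, feed it live events instead:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136,5137,5138,5139,5141} |
#        ForEach-Object { $_.ToXml() }
```

These events are only written for objects whose SACL audits the operation, so an account that shows nothing in the summary may simply be acting on unaudited objects. Collect from every writable domain controller, since each one logs only the changes it processed itself.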