Best practices would dictate that domain admins should not be logged into as such for daily tasks.
Ideally the user would have two accounts: their "daily" account and their domain admin account.
How can one assure (through a technical control) that Bob doesn't use the same password for his domain admin account that he does for his daily account?
For this to work, I would assume there would need to be the ability to tie ownership of the 2 accounts to a specific entity and enforce password uniqueness between those two accounts and those two accounts only.
Otherwise, people could determine that someone else is using the same password as them if uniqueness was forced across all accounts.
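The pair-scoped check described above, as an added example that is not part of the original post: at password-change time the candidate is hashed with the linked account's salt and compared against that one account only. The `Directory` class, the `link` ownership mapping and the account names are hypothetical, and PBKDF2 stands in for whatever hash the real directory uses.

```python
import hashlib
import hmac
import os


class Directory:
    """Constructed in-memory credential store (hypothetical, for illustration)."""

    def __init__(self):
        self.creds = {}   # account name -> (salt, derived key)
        self.linked = {}  # account name -> the other account owned by the same person

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def link(self, a, b):
        # Assumption: an administrator records that both accounts belong to one person.
        self.linked[a] = b
        self.linked[b] = a

    def set_password(self, account, new_password):
        """Accept the change unless it matches the linked account's password."""
        peer = self.linked.get(account)
        if peer in self.creds:
            salt, stored = self.creds[peer]
            # Re-hash the candidate with the peer's salt; no plaintext is ever stored.
            if hmac.compare_digest(self._derive(new_password, salt), stored):
                return False
        salt = os.urandom(16)
        self.creds[account] = (salt, self._derive(new_password, salt))
        return True


def demo():
    d = Directory()
    d.link("bob", "bob-da")  # constructed sample accounts
    return [
        d.set_password("bob", "Correct-Horse-1"),      # accepted
        d.set_password("bob-da", "Correct-Horse-1"),   # rejected: equals linked account
        d.set_password("bob-da", "Battery-Staple-2"),  # accepted
        d.set_password("alice", "Correct-Horse-1"),    # accepted: unlinked, nothing revealed
        d.set_password("bob", "Battery-Staple-2"),     # rejected: check runs in both directions
    ]


if __name__ == "__main__":
    print(demo())
```

The comparison is an exact match only, so a password that differs from the linked account's by a single character is accepted.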