active directory real defense for domain admins
Ambarishrh last edited by Ambarishrh
Good stuff. I'm typical of a small-shop IT manager in that I'm a Domain Admin but am totally unqualified to have such powers, and I tend to avoid doing anything for fear of breaking something.
I have one question. He recommends setting Domain Admin logon restrictions to Domain Controllers only. So the DA is unable to logon to any other servers or workstations. This makes sense, I guess. However, if not Domain Admin, what kind of other domain account has local admin rights across the domain? For example, if I want to do something on a local workstation that requires admin rights, I currently logon as a DA. If I'm prevented from doing that, what should I logon as?
Ambarishrh last edited by
@Carnival-Boy Having a Domain Administrator account for the regular support tasks is not generally recommended. What I suggest is to create a normal account for these tasks; you can then create a GPO targeted to all computer objects (excluding your servers) in your AD and add this account to Restricted Groups, and then this account will have admin access to all machines.
For more details about the Restricted Group: http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html
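The GPO described in the post, written out as a PowerShell script. This is an added example, not code from the original post or from the linked article, and it makes a few assumptions: the domain has an `OU=Workstations` container that holds no servers, the technician group is named `Workstation-Admins`, and the RSAT `ActiveDirectory` and `GroupPolicy` modules are installed on the machine running it. Because there is no cmdlet for Restricted Groups, the script writes the same `GptTmpl.inf` security template that the GPMC editor would produce. It also goes one step beyond the post and carries the "Domain Admins only log on to DCs" restriction from the question, as a deny-logon user right in the same workstation GPO.

```powershell
# Added example (not from the original post). Assumptions: an OU named "Workstations" that contains no
# servers, a technician group named "Workstation-Admins", and RSAT modules available on this host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain       = Get-ADDomain
$wsOU         = "OU=Workstations,$($domain.DistinguishedName)"   # assumed OU; link here only, never at the domain root or DC OU
$helpdeskName = "Workstation-Admins"                            # assumed name of the day-to-day technician group
$gpoName      = "Workstation Local Admins and DA Logon Deny"

# 1. A dedicated domain group (deliberately not Domain Admins) that will be added to local Administrators.
$helpdesk = Get-ADGroup -Filter "Name -eq '$helpdeskName'" -ErrorAction SilentlyContinue
if (-not $helpdesk) {
    $helpdesk = New-ADGroup -Name $helpdeskName -GroupScope Global -GroupCategory Security `
        -Description "Local admin on workstations via Restricted Groups" -PassThru
}
$domainAdmins = Get-ADGroup -Identity "$($domain.DomainSID.Value)-512"   # Domain Admins always has RID 512

# 2. Create the GPO and link it to the workstation OU only, so servers and DCs are excluded by scope.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$alreadyLinked = (Get-GPInheritance -Target $wsOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) { New-GPLink -Name $gpoName -Target $wsOU -LinkEnabled Yes | Out-Null }

# 3. Restricted Groups has no cmdlet; write the security template the Security CSE reads from SYSVOL.
#    "<SID>__Memberof = *S-1-5-32-544" ADDS the group to BUILTIN\Administrators and leaves existing
#    members alone. The other form, "*S-1-5-32-544__Members = ...", REPLACES the whole membership and
#    is the usual way people lock themselves out, so it is intentionally not used here.
$sysvolPolicy = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"
$secEditDir   = Join-Path $sysvolPolicy "Machine\Microsoft\Windows NT\SecEdit"
New-Item -ItemType Directory -Path $secEditDir -Force | Out-Null

$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*$($helpdesk.SID.Value)__Memberof = *S-1-5-32-544
[Privilege Rights]
SeDenyInteractiveLogonRight = *$($domainAdmins.SID.Value)
SeDenyRemoteInteractiveLogonRight = *$($domainAdmins.SID.Value)
"@
Set-Content -Path (Join-Path $secEditDir "GptTmpl.inf") -Value $inf -Encoding Unicode

# 4. Register the Security client-side extension on the GPO object and bump the machine half of the
#    version number (upper 16 bits), otherwise clients see "no change" and never apply the template.
$cse = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D1-A79F-00C04FC2DCD2}]"
Set-ADObject -Identity $gpo.Path -Replace @{ gPCMachineExtensionNames = $cse }

$gptIni     = Join-Path $sysvolPolicy "gpt.ini"
$oldVersion = [int]((Get-Content $gptIni | Where-Object { $_ -match '^Version=' }).Split('=')[1])
$newVersion = $oldVersion + 65536
(Get-Content $gptIni) -replace '^Version=.*', "Version=$newVersion" | Set-Content $gptIni -Encoding ASCII
Set-ADObject -Identity $gpo.Path -Replace @{ versionNumber = $newVersion }

Write-Host "GPO '$gpoName' linked to $wsOU; $helpdeskName will be added to local Administrators on next refresh."
```

A few practical notes. Run `gpupdate /force` on a test workstation first and confirm with `Get-LocalGroupMember Administrators` that the technician group appeared and nothing else vanished. The deny-logon rights only make sense if you already have a non-DA account in the technician group, because after the GPO applies, a Domain Admin can no longer log on to those workstations interactively or over RDP; if the OU ever receives a DC or the GPO is linked higher up, remove the `[Privilege Rights]` section before linking. If workstations and servers are mixed in one OU, scope the GPO with a WMI filter such as `SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1` (ProductType 1 is a client OS) instead of relying on OU placement alone.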
Thanks. I will do that.
scottalanmiller last edited by
NTG has a "technician" group for local admin access to workstations.
Two-minute job and I'm all sorted.