New to Windows Active Directory and Group Security Management



  • Hello everyone,

    I am looking to get some info about windows networking, users, and how things play together. I have done some googling and was told about this forum so thought I would post here.

    We have a windows 2019 server domain controller that our client computers use for user credentials. When I set up a new client computer, I create a local administrator account. I then join the computer with the domain and log in with a domain user administrator account.

    If I need to make changes to the computer (say to change the UAC, change certain options, etc), I cannot use the domain administrator account and need to switch to the local user administrator account.

    Is this how it is supposed to work? If not, where should I look to change settings so that the domain administrator account can make changes on the client computer?

    Thanks so much.

    -S



  • @srdennis said in New to windows networking with questions.:

    If I need to make changes to the computer (say to change the UAC, change certain options, etc), I cannot use the domain administrator account and need to switch to the local user administrator account.

    That's not normal. Normally the domain admin account has local admin rights on the computer. Are you sure it is a standard domain admin user that you are using?

    If it doesn't do it itself, you can always add the domain admin account in question to the local administrators group on a workstation and that will do the trick.



  • Weird - no, that shouldn't be necessary. Typically by default, Domain admins are added to the local admin group on the PC.

    So I'd start there and make sure that the domain admin group is part of the local administrators group on the PC.
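An added example, not code posted by anyone in the thread: a PowerShell check for the fix the two replies above describe, run in an elevated session on the workstation. It lists who holds local admin rights, matches the Domain Admins group by its well-known RID (512) rather than by display name, restores the default membership if it is missing, and shows what groups the logged-on user's token actually carries. `CONTOSO` is a placeholder domain name.

```powershell
# Added example (not from the thread): audit local Administrators on a domain-joined
# workstation and add Domain Admins back if it is missing.
# Needs the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

$domain   = 'CONTOSO'                       # assumption: placeholder NetBIOS domain name
$expected = "$domain\Domain Admins"

# Every member of the local Administrators group, with where it comes from (Local / ActiveDirectory)
$members = Get-LocalGroupMember -Group 'Administrators'
$members | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

# Domain Admins always has RID 512 in its domain, so match on the SID: a renamed group still matches
$domainAdmins = $members | Where-Object { $_.SID.Value -like 'S-1-5-21-*-512' }

if ($domainAdmins) {
    Write-Host "OK: $($domainAdmins.Name) is a member of local Administrators on $env:COMPUTERNAME."
} else {
    Write-Warning "Domain Admins is NOT in local Administrators on $env:COMPUTERNAME; restoring the default."
    # This needs local admin rights itself, so run it from the local administrator
    # account the original poster already created.
    Add-LocalGroupMember -Group 'Administrators' -Member $expected
}

# Group membership is stamped into the logon token, so a group added after logon only takes effect
# at the next logon. This shows whether the current session actually carries admin rights.
whoami /groups | Select-String -Pattern 'Domain Admins|S-1-5-32-544'
```

If the group is present but `whoami /groups` does not list it, log off and back on before changing anything else; if it is absent on a freshly joined machine, something (usually a Restricted Groups policy) is rewriting the local group, which is where the later replies in this thread point.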



  • @srdennis I edited the title to reflect the question topic about users and permissions rather than about networking.



  • Using a local Administrator account is better than using a Domain Account on all workstations. You can add a GPO that will push a Local Administrator account to all machines using Restricted Groups. It's advised not to keep using the domain account for privilege escalation for installing applications etc.



  • @StuartJordan said in New to Windows Active Directory and Group Security Management:

    Using a local Administrator account is better than using a Domain Account on all workstations. You can add a GPO that will push a Local Administrator account to all machines using Restricted Groups. It's advised not to keep using the domain account for privilege escalation for installing applications etc.

    It is? Since when? And the reasoning?

    Now granted, if you have a larger org, it's not uncommon to have a domain level account that would have workstation admin rights, but I don't see the harm in using a Domain Admin account for installing apps, unless that account somehow gets attached to the app - that could be bad.



  • @Dashrender Imagine using this Domain Admin account on workstations constantly. Imagine a 0 day RAT tool or Key Logger is on one of these machines. At least if it's just a local admin account they cannot do as much damage.



  • @StuartJordan said in New to Windows Active Directory and Group Security Management:

    @Dashrender Imagine using this Domain Admin account on workstations constantly. Imagine a 0 day RAT tool or Key Logger is on one of these machines. At least if it's just a local admin account they cannot do as much damage.

    Imagine a competent sysadmin that keeps that shit off the network.

    In practice, you'll never see a team using a local admin account, especially if it's pushed through GPO. BTW, that's a huge security flaw unless you're using MS LAPS. Your helpdesk team is more likely to use a superuser account, either shared or individually assigned, to handle elevated requests or work on 'what needs to be done.' The local administrator account should be disabled. See https://social.technet.microsoft.com/wiki/contents/articles/13217.best-practices-and-tricks-to-protect-local-admin-passwords-at-a-large-scale.aspx

    @srdennis said in New to Windows Active Directory and Group Security Management:

    We have a windows 2019 server domain controller that our client computers use for user credentials. When I set up a new client computer, I create a local administrator account. I then join the computer with the domain and log in with a domain user administrator account.

    Good so far. This verifies that your new box is domain joined. Don't forget to go to ADUC and move the system to a valid container.

    If I need to make changes to the computer (say to change the UAC, change certain options, etc), I cannot use the domain administrator account and need to switch to the local user administrator account.

    Is this how it is supposed to work? If not, where should I look to change settings so that the domain administrator account can make changes on the client computer?

    This sounds wonky. You should be fine to login to the system and make alterations if your AD is default settings. I would probably look at your group policy and see if any items were altered (FTLOG don't only alter the default domain policy, and then, only adjust the password settings if needed).
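An added example, not from the thread or from Microsoft's documentation: one script that checks the three points this reply makes on a single workstation: whether the built-in local Administrator is disabled, whether its password is under LAPS management and when it expires, and which Group Policy Objects were changed recently and which ones actually apply to this machine. It assumes Windows LAPS (the `LAPS` PowerShell module that ships with current Windows 11 / Server 2022 builds) and the RSAT `GroupPolicy` module; `WS-001` is a placeholder computer name. The account running it must hold the delegated LAPS read permission for the password section to return anything.

```powershell
# Added example (not from the thread): workstation hygiene check for the advice above.
# Assumes the Windows LAPS ('LAPS') and RSAT 'GroupPolicy' modules are installed.

$computer = 'WS-001'   # assumption: placeholder workstation name

# --- 1. Built-in Administrator: the local account whose SID ends in -500, whatever it is renamed to
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Enabled) {
    Write-Warning "Built-in admin '$($builtin.Name)' is ENABLED on $env:COMPUTERNAME."
} else {
    Write-Host "Built-in admin '$($builtin.Name)' is disabled (as recommended)."
}

# --- 2. LAPS: read the password metadata from AD without exposing the secret.
#        Without -AsPlainText the Password property stays a SecureString.
$laps = Get-LapsADPassword -Identity $computer
if (-not $laps) {
    Write-Warning "$computer has no LAPS-managed password in AD; a shared/static local admin password is likely."
} else {
    [pscustomobject]@{
        Computer   = $laps.ComputerName
        Account    = $laps.Account
        LastSet    = $laps.PasswordUpdateTime
        Expires    = $laps.ExpirationTimestamp
    } | Format-List

    if ($laps.ExpirationTimestamp -lt (Get-Date)) {
        Write-Warning "LAPS password for $computer is past its expiry; it should rotate at next policy processing."
    }
}
# After a helpdesk technician has used the LAPS password, force an early rotation
# so the value they saw stops being valid:
#   Set-LapsADPasswordExpirationTime -Identity $computer

# --- 3. Group Policy: which GPOs changed in the last 30 days, and what actually applies here
Get-GPO -All |
    Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-30) } |
    Select-Object DisplayName, ModificationTime, GpoStatus |
    Sort-Object ModificationTime -Descending |
    Format-Table -AutoSize

# Resultant Set of Policy for this machine, as an HTML report you can search for
# "Restricted Groups" or "User Account Control" settings that override the defaults
$report = Join-Path $env:TEMP 'rsop.html'
Get-GPResultantSetOfPolicy -ReportType Html -Path $report
Write-Host "RSoP report written to $report"
```

The RSoP report is the quickest way to find a policy that rewrites the local Administrators group or UAC settings; look at the "Computer Configuration" section rather than the Default Domain Policy alone, since the reply above is right that the defaults should not be edited in place.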



  • @Grey said in New to Windows Active Directory and Group Security Management:

    Imagine a competent sysadmin that keeps that shit off the network.

    Well you know that not everyone is a competent sysadmin though and things can happen. If you can reduce risk then why the hell not.

    Local account would be using MS LAPS to set a secure password and turn on password expiry. My main point though was not using any Domain Admin account for escalation.



  • @StuartJordan said in New to Windows Active Directory and Group Security Management:

    @Grey said in New to Windows Active Directory and Group Security Management:

    Imagine a competent sysadmin that keeps that shit off the network.

    Well you know that not everyone is a competent sysadmin though and things can happen. If you can reduce risk then why the hell not.

    Local account would be using MS LAPS to set a secure password and turn on password expiry. My main point though was not using any Domain Admin account for escalation.

    I'm glad there is no local admin or local administrators here on user devices. None of that stuff to worry about!



  • Make an AD group called workstation_admins and add that group to local administrators account on each desktop. This group does not need any AD rights and nobody's account should be in there except for IT admin accounts. Even those IT admin accounts should not be used on local desktops to login on a regular basis. Only when elevation is actually needed, and even then you should use run as.



  • @IRJ said in New to Windows Active Directory and Group Security Management:

    Make an AD group called workstation_admins and add that group to local administrators account on each desktop. This group does not need any AD rights and nobody's account should be in there except for IT admin accounts. Even those IT admin accounts should not be used on local desktops to login on a regular basis. Only when elevation is actually needed, and even then you should use run as.

    Here's a good example.
    http://www.yster.org/role-based-access-control/

    Create the Permission groups

    Assign the relevant permissions/rights to the Permission groups
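An added example, not from IRJ, the RBAC article, or anyone in the thread: the group layout the two posts above describe, built with the RSAT `ActiveDirectory` module. A role group (who: the helpdesk team) is nested into a permission group (what: local admin on workstations, IRJ's `workstation_admins`), and only the permission group is placed into local Administrators on the PCs. The script also checks that the permission group has not been nested into any privileged AD group, which is the "no AD rights" condition IRJ states. OU path, group names, computer OU and the `jdoe-adm` account are placeholders; the per-workstation step needs WinRM or can be replaced by a Restricted Groups / Group Policy Preferences policy.

```powershell
# Added example (not from the thread): role group -> permission group -> local Administrators.
# Follows the AGDLP convention: accounts in Global role groups, role groups in Domain Local
# permission groups, permission groups on the resource. Run as an account allowed to create
# groups in $groupOU. All names and paths are placeholders.

Import-Module ActiveDirectory

$domain    = 'CONTOSO'                                  # assumption: placeholder NetBIOS name
$groupOU   = 'OU=Groups,DC=contoso,DC=com'              # assumption: placeholder OU
$wsOU      = 'OU=Workstations,DC=contoso,DC=com'        # assumption: placeholder OU
$roleGroup = 'IT-Helpdesk'                              # who
$permGroup = 'Workstation_Admins'                       # what (IRJ's group)

# Create the groups if they do not exist yet
if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'" -SearchBase $groupOU)) {
    New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path $groupOU `
        -Description 'Role group: helpdesk staff (privileged accounts only)'
}
if (-not (Get-ADGroup -Filter "Name -eq '$permGroup'" -SearchBase $groupOU)) {
    New-ADGroup -Name $permGroup -GroupScope DomainLocal -GroupCategory Security -Path $groupOU `
        -Description 'Permission group: local Administrators on workstations; no AD rights'
}

# Nest the role into the permission, and put the admin's SEPARATE privileged account into the role.
# The everyday user account stays out of both, as the last reply in the thread describes.
Add-ADGroupMember -Identity $permGroup -Members $roleGroup
Add-ADGroupMember -Identity $roleGroup -Members 'jdoe-adm'     # placeholder admin account

# Guard: the permission group must not be nested into any privileged AD group
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators', 'Schema Admins'
$memberOf = (Get-ADGroup -Identity $permGroup -Properties MemberOf).MemberOf |
            ForEach-Object { (Get-ADGroup -Identity $_).Name }
$bad = $memberOf | Where-Object { $privileged -contains $_ }
if ($bad) {
    Write-Warning "$permGroup is nested in privileged group(s): $($bad -join ', '). Remove it before use."
} else {
    Write-Host "$permGroup holds no AD-level privileges."
}

# Push the permission group into local Administrators on each workstation in the OU.
# (Equivalent policy-based approach: Restricted Groups or GPP Local Users and Groups.)
Get-ADComputer -Filter * -SearchBase $wsOU | ForEach-Object {
    Invoke-Command -ComputerName $_.Name -ArgumentList "$domain\$permGroup" -ScriptBlock {
        param($member)
        if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group 'Administrators' -Member $member
        }
    }
}

# Day-to-day work stays in the non-admin account; elevate per task with "run as" instead of
# logging on interactively with the admin account:
#   runas /user:CONTOSO\jdoe-adm "mmc.exe compmgmt.msc"
```

Because the group is Domain Local, it can be granted rights on any machine in the domain but is invisible to other domains, which matches its single purpose; if the group is ever added to Domain Admins by mistake, the guard block reports it before the workstation loop runs.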



  • @IRJ said in New to Windows Active Directory and Group Security Management:

    Make an AD group called workstation_admins and add that group to local administrators account on each desktop. This group does not need any AD rights and nobody's account should be in there except for IT admin accounts. Even those IT admin accounts should not be used on local desktops to login on a regular basis. Only when elevation is actually needed, and even then you should use run as.

    I do this - Those who need it have a workstation admin account and a local non admin normal account.