Restricting Domain Admin rights on HR Server

Posted on 2006-03-24
Last Modified: 2013-12-04
Here's the scenario - we have a Windows 2003 Server on our domain on which our HR system runs, with SQL 2005 as the backend database, also on the same server.

Question from the HR people - how can we stop Domain Admins having access to the server?

We intend to put the server in a security box where only the HR department has the key and domain admins have no physical access.

Please can you give me some ideas to put this into practice and any considerations there may be.

Many thanks

Question by:rentonc
    LVL 23

    Accepted Solution

    You can simply remove Domain Admins from the Administrators group; that would do it "essentially". Of course, you'd need to make sure the HR people had rights, and that no group policy gave Domain Admins back the rights.

    However, I would STRONGLY be opposed to removing domain admins from rights to the server.

    There is good reason why domain admins have rights to servers, because they have to administer them, and things will go wrong, and when they do HR will call IT.

    If you want the server to be really "separate" then I would suggest putting it on its own HR subdomain.
    LVL 51

    Assisted Solution

    by:Keith Alabaster
    This is not a good move.

    1. The system backup that runs normally uses a service account that is part of the Domain Admins group as it needs to be able to access all areas regardless of whether it is agent-based or not. If you were to remove these rights, this will need to be addressed.
    2. Disk space, event logs, and all other such items including server management are hooked together through rights. The purpose of the domain admins is to carry out this work. If you remove the administrative access, you begin moving to a reactive position rather than having a pro-active state, i.e. you can only deal with issues when they let you know there is a problem rather than admins checking through the status as part of daily routines.
    3. If you have monitoring tools such as Openview etc, these need administrative access.

    I would suggest that a better approach would be to enable the use of the server auditing functions so a track can be kept on which files/areas have been accessed, when and by whom, rather than removing the admin rights.

    Just my view.
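The auditing approach described above, as an added example that is not from anyone in this thread: a PowerShell script that checks whether Domain Admins is still in the server's local Administrators group, enables file-system object-access auditing, puts an audit SACL on the HR data folder, and reads back the resulting Security events. It assumes a current Windows Server (auditpol.exe and event ID 4663 are Vista/2008 and later; Windows 2003 logs object access as event 560), that it runs elevated, and that the HR data path is a placeholder you adjust.

```powershell
# Added example (not from the thread): defender-side checks for an HR server.
# Assumptions: runs elevated on a current Windows Server; $HrDataPath is a
# placeholder for the real HR data folder.
param(
    [string]$HrDataPath = 'D:\HRData'   # assumption: replace with the real path
)

# 1. Report whether Domain Admins still sits in the local Administrators group.
#    The ADSI WinNT provider works on every supported Windows version.
function Get-LocalAdminMembers {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
$members = Get-LocalAdminMembers
if ($members -contains 'Domain Admins') {
    Write-Warning 'Domain Admins is still a member of local Administrators.'
} else {
    Write-Output 'Domain Admins is not in local Administrators (check Restricted Groups GPOs too).'
}

# 2. Turn on object-access auditing for the file system (success and failure).
auditpol.exe /set /subcategory:'File System' /success:enable /failure:enable

# 3. Put a SACL on the HR data folder so reads, writes, deletes and permission
#    changes by anyone are logged as event 4663 in the Security log.
#    'Everyone' is deliberate: the goal is to record what administrators do,
#    and an admin can be a member of any group.
$acl  = Get-Acl -Path $HrDataPath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $HrDataPath -AclObject $acl

# 4. Pull recent access events for that path to confirm auditing is working.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$HrDataPath*" } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Forwarding the Security log to a collector the server's administrators cannot clear is what makes the audit trail meaningful, since local log tampering is itself logged but only until the log is wiped.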
    LVL 52

    Assisted Solution

    In addition, if you were really deciding to remove the domain administrators from the local admin group, you will have to make sure that the domain admin does not know the local admin password, as well as any other local admins, if applicable.
    I think auditing would be best. Audit logs can be manipulated, but that again will be logged :)
    LVL 12

    Expert Comment

    The concern HR has is probably related to the database running on the server, but it's easier to restrict a domain admin from accessing the database, or the database files, than handling the quirks that arise from removing them from the Administrators group.

    The problem lies in the definition of a Windows domain: it's the basic boundary of administrative access.

    TheCleaner is right: if you don't trust your own administrators, then create a separate resource domain.
    LVL 51

    Expert Comment

    by:Keith Alabaster
    The problem is that this would not really help either in the long run. Whether it be Oracle, SQL, even MSDE, I would assume you have someone who acts as a database administrator and it is unlikely to be a member of the HR team. However you wish to cut it, admin access is exactly that. The auditing tools are to provide an audit of who has done what and when.

    Your call at the end of the day, but if I was the IT Manager on your site with responsibility for the IT environment and Service Levels to meet, I would be standing my ground. The alternative is to follow Rant's suggestion but gain agreement that you cannot be responsible for the performance, housekeeping and general health of that system/server/database.

    LVL 12

    Expert Comment

    If the server is in a separate domain, then the administrative access to it can be controlled by someone on the HR team.

    - The Administrator account from the forest root domain (also the Enterprise Admin) is kept confidential. You don't need the Administrator account for housekeeping and maintenance. There should be no other Enterprise Admins.
    - After setting up a special HR resource domain, there are no administrators from the other (account) domain that have access to the domain. The Administrator account from the HR domain is kept confidential as well.
    - Create an OU in the HR domain that has an account that is a domain admin for the HR domain. Delegate permissions for that OU to a member of the HR department.
    - The HR department (users that have permissions on the OU) is/are responsible for the administrative access to the domain. The HR-Admin account can be enabled when necessary.

    You won't like it (like Keith says, it's reactive administration) but it can be done.
    LVL 12

    Assisted Solution

    Briefly summarized: what do you think is more important?

    A well-maintained server that has its log-files, backup-logs and performance checked regularly?

    Or a system that is completely isolated from the administrators maintaining it?

    Other question: is the front-end application you're using as secure as an unreachable server in a security box?
    LVL 16

    Expert Comment

    HR may be happier if you enable auditing so that *if* the admins do something they shouldn't, then that will be captured in a log.
    LVL 4

    Author Comment

    Thank you all for your suggestions - they all raise valid points for/against which we will be considering. I like the idea of a resource domain but am not sure how easy it will be (the HR server is already set up and on our domain). We'll look into the suggestions above; as this is an open-ended question (no one answer is entirely suitable) I'll accept the one that we decide upon and give assisted to the other valid points.
    Points to be awarded shortly...
