
Restricting Domain Admin rights on HR Server

rentonc asked
Medium Priority
Last Modified: 2013-12-04
Here's the scenario: we have a Windows 2003 Server on our domain on which is our HR system, with SQL 2005 as the backend database, also on the same server.

Question from the HR people: how can we stop Domain Admins having access to the server?

We intend to put the server in a security box where only the HR department has the key and domain admins have no physical access.  

Please can you give me some ideas to put this into practice, and any considerations there may be?

Many thanks


You can simply remove Domain Admins from the Administrators group; that would do it "essentially". Of course you'd need to make sure the HR people had rights, and that no group policy gave domain admins back the rights.

However, I would STRONGLY be opposed to removing domain admins from rights to the server.

There is good reason why domain admins have rights to servers, because they have to administer them, and things will go wrong, and when they do HR will call IT.

If you want the server to be really "separate" then I would suggest putting it on its own HR subdomain.
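As an added example (not code from the thread or from the poster), the following PowerShell script carries out the steps in the answer above on the HR server itself: it lists who is in the local Administrators group, puts an HR-controlled group in before taking Domain Admins out, optionally resets the built-in local Administrator password, and re-checks after a Group Policy refresh so a Restricted Groups setting that silently re-adds Domain Admins is caught. The domain name CORP and the group HR-Server-Admins are assumptions. It uses the ADSI WinNT provider rather than the newer LocalAccounts module so it runs on Windows Server 2003 with PowerShell 1.0/2.0.

```powershell
# Added example, not from the thread. Run locally on the HR server as an
# account that is still a local administrator. Assumed names: the domain
# CORP and the HR-owned group CORP\HR-Server-Admins.
param(
    [string]$Domain                = 'CORP',
    [string]$HrAdminGroup          = 'HR-Server-Admins',
    [string]$NewLocalAdminPassword,              # optional: reset built-in Administrator
    [switch]$ReportOnly                          # list and check, change nothing
)

$server = $env:COMPUTERNAME
$admins = [ADSI]"WinNT://$server/Administrators,group"

# Return the members of the local Administrators group as DOMAIN\Name.
function Get-LocalAdminMembers {
    $admins.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://CORP/Domain Admins -> CORP\Domain Admins
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$before = @(Get-LocalAdminMembers)
Write-Host "Local Administrators on $server before:"
$before | ForEach-Object { Write-Host "  $_" }

if (-not $ReportOnly) {
    # 1. Put HR's group in FIRST, otherwise nobody can administer the box.
    if ($before -notcontains "$Domain\$HrAdminGroup") {
        $admins.Add("WinNT://$Domain/$HrAdminGroup,group")
        Write-Host "Added $Domain\$HrAdminGroup"
    }
    # 2. Then take Domain Admins out.
    if ($before -contains "$Domain\Domain Admins") {
        $admins.Remove("WinNT://$Domain/Domain Admins,group")
        Write-Host "Removed $Domain\Domain Admins"
    }
    # 3. Removing the group is pointless if the domain admins still know the
    #    built-in local Administrator password, so reset it to one HR holds.
    if ($NewLocalAdminPassword) {
        $local = [ADSI]"WinNT://$server/Administrator,user"
        $local.SetPassword($NewLocalAdminPassword)
        Write-Host "Reset the built-in local Administrator password"
    }
}

# 4. Verify after a Group Policy refresh. A Restricted Groups setting in any
#    applied GPO silently puts Domain Admins back; find it with gpresult /v.
gpupdate /force | Out-Null
$after = @(Get-LocalAdminMembers)
if ($after -contains "$Domain\Domain Admins") {
    Write-Warning "Domain Admins is (still) a local Administrator on $server - check Restricted Groups in the applied GPOs."
} else {
    Write-Host "OK: Domain Admins is not a local Administrator on $server."
}
```

Run it once with -ReportOnly to see the current membership, then for real; step 4 is the part that matters, because a Restricted Groups policy undoes steps 1 and 2 at the next refresh without any error on the server.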

Keith Alabaster, Enterprise Architect
Top Expert 2008
This is not a good move.

1. The system backup that runs normally uses a service account that is part of the Domain Admins group as it needs to be able to access all areas regardless of whether it is agent-based or not. If you were to remove these rights, this will need to be addressed.
2. Disk space, event logs, and all other such items including server management are hooked together through rights. The purpose of the domain admins is to carry out this work. If you remove the administrative access, you begin moving to a reactive position rather than having a pro-active state, i.e. you can only deal with issues when they let you know there is a problem, rather than admins checking through the status as part of daily routines.
3. If you have monitoring tools such as Openview etc, these need administrative access.

I would suggest that a better approach would be to enable the use of the server auditing functions so a track can be kept on which files/areas have been accessed, when and by whom, rather than removing the admin rights.

Just my view.
Distinguished Expert 2019
In addition, if you were really deciding to remove the domain administrators from the local admin group, you will have to make sure that the domain admins do not know the local admin password, nor the passwords of any other local admins, if applicable.
I think auditing would be best. Audit logs can be manipulated, but that again will be logged :)

The concern HR has is probably related to the database running on the server, but it's easier to restrict a domain admin from accessing the database, or the database files, than to handle the quirks that arise from removing them from the Administrators group.

The problem lies in the definition of a Windows domain: it's the basic boundary of administrative access.

TheCleaner is right: if you don't trust your own administrators, then create a separate resource domain.
Keith Alabaster, Enterprise Architect
Top Expert 2008

The problem is that this would not really help either in the long run. Whether it be Oracle, SQL, even MSDE, I would assume you have someone who acts as a database administrator, and it is unlikely to be a member of the HR team. However you wish to cut it, admin access is exactly that. The auditing tools are there to provide an audit of who has done what and when.

Your call at the end of the day, but if I were the IT Manager on your site with responsibility for the IT environment and Service Levels to meet, I would be standing my ground. The alternative is to follow Rant's suggestion but gain agreement that you cannot be responsible for the performance, housekeeping and general health of that system/server/database.

If the server is in a separate domain, then the administrative access to it can be controlled by someone on the HR team.

- The Administrator account from the forest root domain (also the Enterprise Admin) is kept confidential. You don't need the Administrator account for housekeeping and maintenance. There should be no other Enterprise Admins.
- After setting up a special HR resource domain, there are no administrators from the other (account) domain that have access to the domain. The Administrator account from the HR domain is kept confidential as well.
- Create an OU in the HR domain that has an account that is a domain admin for the HR domain. Delegate permissions for that OU to a member of the HR department.
- The HR department (users that have permissions on the OU) is/are responsible for the administrative access to the domain. The HR-Admin account can be enabled when necessary.

You won't like it (like Keith says, it's reactive administration) but it can be done.
Briefly summarized: what do you think is more important?

A well-maintained server that has its log-files, backup-logs and performance checked regularly?

Or a system that is completely isolated from the administrators maintaining it?

Other question: is the front-end application you're using as secure as an unreachable server in a security box?

HR may be happier if you enable auditing so that *if* the admins do something they shouldn't, then that will be captured in a log.
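Both Keith's suggestion earlier in the thread and the post above come down to the same thing: keep the admins' rights but make their access to the HR data visible. As an added example (not code from the thread or from any poster), the PowerShell below puts audit entries (SACLs) on the HR data folder and the SQL data directory, scoped to the administrative principals rather than Everyone, and then pulls the resulting object-access events from the Security log. The paths D:\HRData and D:\MSSQL\Data and the domain CORP are assumptions, and it assumes the "Audit object access" policy (Success and Failure) has already been enabled through local or domain security policy; a SACL on its own logs nothing.

```powershell
# Added example, not from the thread. Assumptions: the HR data folder
# D:\HRData, the SQL data directory D:\MSSQL\Data, the domain CORP, and that
# "Audit object access" (Success and Failure) is already turned on in local or
# domain security policy. Run as an account holding the "Manage auditing and
# security log" right, which is needed to read and write SACLs.
param(
    [string[]]$Paths = @('D:\HRData', 'D:\MSSQL\Data'),
    [string]$Domain  = 'CORP'
)

# Audit the administrators specifically rather than Everyone: the SQL Server
# service account reads the database files constantly and would flood the log,
# and HR's concern is the admins, not the application.
$principals = @("$Domain\Domain Admins", 'BUILTIN\Administrators')

# Rights that answer "who read, changed, deleted or re-permissioned HR data".
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

foreach ($p in $Paths) {
    $acl = Get-Acl -Path $p -Audit
    foreach ($who in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($who, $rights, $inherit, $prop, $flags)
        $acl.AddAuditRule($rule)
    }
    Set-Acl -Path $p -AclObject $acl
    Write-Host "Audit entries set on $p for: $($principals -join ', ')"
}

# Show what is now audited on each path.
foreach ($p in $Paths) {
    Write-Host "SACL on ${p}:"
    (Get-Acl -Path $p -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
}

# Pull the matching Security events. Windows Server 2003 writes object access
# as event 560 (object opened) / 567 (access attempt); 2008 and later use 4663.
# An admin who changes the audit policy or strips the SACL is logged too
# (612/4719 policy change, 4907 SACL change), which is how tampering shows up.
$pattern = ($Paths | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-EventLog -LogName Security -Newest 2000 |
    Where-Object { @(560, 567, 4663) -contains $_.EventID -and $_.Message -match $pattern } |
    Select-Object TimeGenerated, EventID, UserName, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Object-access auditing is noisy, so size the Security log (and forward it off the box if you can) before turning it on; the SACL scoped to the admin groups keeps the volume manageable while still recording exactly what HR wants to know, and the admins themselves cannot quietly remove it without leaving a policy-change event behind.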


Thank you all for your suggestions; they all raise valid points for/against which we will be considering. I like the idea of a resource domain but am not sure how easy it will be (the HR server is already set up and on our domain). We'll look into the suggestions above; as this is an open-ended question (no one answer is entirely suitable) I'll accept the one that we decide upon and give assisted to the other valid points.
Points to be awarded shortly.