  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 428

Stop domain admins from changing group memberships?

In my domain, any employee who is a member of the Domain Admins group can go into their Outlook, which is connected to Exchange, and change the memberships of e-mail distribution groups.  One of my users was e-mailing the "sales" distribution group, and then wanted to add more people to send to, and did it wrong.  He accidentally added members to the sales group, and then somebody got an e-mail they shouldn't have and stole somebody else's commission.  How do I prevent this from happening without removing people from the Domain Admins group?
Asked by: judas2158
2 Solutions
 
Joseph Daly Commented:
To me it sounds like maybe these people shouldn't be members of the domain admins group? Maybe take away their access and add them to a lesser group.
 
RobinHuman Commented:
I would suggest either downgrading their permissions to a lower security group (this is the preferred option, as you should not allow free access as domain admins) or setting stricter Exchange admin permissions.
 
gupnit Commented:
Hi,
This is a classic case for Role Delegation and Segregation.
Why on earth are Domain Admins also Exchange Admins for your Organization? Remove their permissions, but make sure you do not screw up your Exchange server permissions while doing that. Some links to guide you:
Let me know
Thanks
Nitin
 
judas2158 (Author) Commented:
The reason so far is because they need to have administrative access on their machines.  They are engineers and are constantly installing and uninstalling things.  I have a building full of engineers.  I did remove the Domain Admin memberships from the Administrators group, but if I take them out of Domain Admins, they really can't work.  Is there a better way?  I never made anyone an Exchange Admin, I only joined the Exchange server to the domain, yet the users have this ability.
 
Malli Boppe Commented:
Just use group policy to make a local administrator on all the machines where they need to install applications. Move all the machines which need to be administered by these engineers to an OU and create a group policy as below.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html 
 
gupnit Commented:
Hi,
You do not need to give Domain Admins the Exchange Admin membership at all.
Also, you can delegate normal permissions and, using GPO - Security Options - User Permissions - Restricted Groups, make some other group a part of the Local Admin group, not the Domain Admin group, if you want.
Add those admins to the new group, make them local admin, and control access to the Domain Admin group.
Cheers
Nitin
 
judas2158 (Author) Commented:
This took me in the right direction, but I had to do more research to figure out how to make the restricted groups work correctly.
0
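As an added example (not part of the thread), the script below audits the `[Group Membership]` section that a Restricted Groups policy writes to the GPO's `GptTmpl.inf`, reporting whether local Administrators is overwritten or only added to, and whether the policy relies on Domain Admins. The SIDs in the samples are constructed, the function names are hypothetical, and only SID-form entries (not group names) are handled.

```python
import configparser

LOCAL_ADMINS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed samples; the domain SID 1111-2222-3333 and RID 1105 are made up.
# "Members of this group" setting: the local Administrators list is overwritten.
SAMPLE_REPLACE = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
"""
# "This group is a member of" setting: RID 1105 is added, nothing is removed.
SAMPLE_ADDITIVE = """\
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
"""


def audit_restricted_groups(inf_text):
    """Return (mode, sids): how the policy sets local Administrators, and who gets in."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(inf_text)
    mode, sids = None, set()
    if not cp.has_section("Group Membership"):
        return mode, []
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.lstrip("*").partition("__")
        listed = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        if kind.lower() == "members" and group == LOCAL_ADMINS:
            mode = "replace"  # enforced list, even when it is empty
            sids.update(listed)
        elif kind.lower() == "memberof" and LOCAL_ADMINS in listed:
            mode = mode or "additive"
            sids.add(group)
    return mode, sorted(sids)


def grants_domain_admins(sids):
    """True if the policy relies on Domain Admins (domain RID 512) for local admin."""
    return any(s.startswith("S-1-5-21-") and s.endswith("-512") for s in sids)


if __name__ == "__main__":
    for name, text in (("replace", SAMPLE_REPLACE), ("additive", SAMPLE_ADDITIVE)):
        mode, sids = audit_restricted_groups(text)
        print(name, mode, sids, "uses Domain Admins:", grants_domain_admins(sids))
```

On a real GPO the file is usually UTF-16, so read it with `open(path, encoding="utf-16").read()` before passing the text in.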
