Domain Admin Permissions

Posted on 2009-02-16
Last Modified: 2012-05-06
I am trying to find something on best practice for domain admin permissions. We have a lot of domain admins and they have more permissions than they need sometimes. I believe they should have just enough to do what they need to do, but I am looking for a best practice guide.
Question by: TylerTreat

Expert Comment (LVL 58):

    The best practice is to give users as few permissions as they need. There is no need to give them more permissions than is required, because this causes a security risk.

    Also as a best practice, your Domain Admin users should use a standard user account for logging in to the network and for day-to-day use. They should then have a second account which has the Domain Admin privileges assigned. They would only log in with this account when they need to use the Domain Admin privileges - or, even better, they can simply use the 'Run As' feature of any application to start it with the domain admin rights.

    No user apart from a select few should have access to the domain 'Administrator' account. If users have access to this, they can make changes which would go unaudited and untraceable, which could cause an issue. However, if users are forced to use their privileges on their own dedicated Domain Admin account, and with the correct auditing, a malicious change can easily be traced.


Author Comment:

    Are there any whitepapers from Microsoft or anybody on this?

Expert Comment (LVL 57) by: Mike Kline

    Matt is right on, you should try and limit domain admins... although that can be more political than anything else.
    I have been at places where we tried to limit DAs and people thought we were trying to get rid of them or reduce staff, but really we were just trying to make things secure.
    Here are a couple of good links. The first is a recent blog from top AD MVP Joe Richards:
    Off the cuff comments for a new Domain Admin
    This second link backs up Matt's suggestion for two accounts.
Accepted Solution (LVL 30):

    Best Practices for AD Delegation:

    Membership in Domain Admins should be kept to a minimum; define what actions your administrators need to perform, and delegate the rights to perform only those actions.
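An added example (not part of the thread, and not code from any of the posters) that puts the advice above into practice: it enumerates the effective members of Domain Admins, including nested groups, and flags accounts that look like everyday accounts rather than dedicated admin accounts. It assumes the RSAT ActiveDirectory module is installed and that dedicated admin accounts follow an assumed "-adm" naming convention; adjust the suffix to your own standard.

```powershell
# Added example: audit Domain Admins membership against the two-account advice.
# Assumes the ActiveDirectory module and an assumed "-adm" suffix convention.
Import-Module ActiveDirectory

$PrivilegedSuffix = '-adm'   # assumed naming convention for dedicated admin accounts

# -Recursive expands nested groups so indirect members are caught too
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, EmailAddress, Enabled

$report = foreach ($u in $members) {
    $findings = @()
    if ($u.SamAccountName -notlike "*$PrivilegedSuffix") {
        # Likely a daily-use account that was simply added to the group
        $findings += 'name does not follow dedicated-admin convention'
    }
    if ($u.EmailAddress) {
        # A mailbox on a DA account is a sign it is used for day-to-day work
        $findings += 'has a mailbox'
    }
    if (-not $u.Enabled) {
        # Disabled accounts should be removed, not left in the group
        $findings += 'disabled but still a member'
    }
    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
        $findings += 'password older than a year'
    }
    [pscustomobject]@{
        Account   = $u.SamAccountName
        Enabled   = $u.Enabled
        LastLogon = $u.LastLogonDate
        Findings  = ($findings -join '; ')
    }
}

"Domain Admins effective user members: $($members.Count)"
$report | Sort-Object Account | Format-Table -AutoSize
```

Review the output with the account owners and move the "findings" accounts to a delegated role or a separate admin account rather than leaving them in Domain Admins.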
Expert Comment (LVL 58):

    Would like to have seen points split here.
