TylerTreat

asked on

Domain Admin Permissions

I am trying to find something on best practice for domain admin permissions. We have a lot of domain admins and they have more permissions than they need sometimes. I believe they should have just enough to do what they need to do, but I am looking for a best practice guide.
tigermatt


The best practice is to give users as few permissions as they need. There is no need to give them more permissions than are required, because this causes a security risk.

Also as a best practice, your Domain Admin users should use a standard user account for logging in to the network and for day-to-day use. They should then have a second account which has the Domain Admin privileges assigned. They would only log in with this account when they need to use the Domain Admin privileges - or, even better, they can simply use the 'Run As' feature of any application to start it with the domain admin rights.

No user apart from a select few should have access to the domain 'Administrator' account. If users have access to this, they can make changes which would go unaudited and untraceable, which could cause an issue. However, if users are forced to use their privileges on their own dedicated Domain Admin account, and with the correct auditing, a malicious change can easily be traced.

-Matt

ASKER

Are there any whitepapers from Microsoft or anybody on this?
Matt is right on; you should try to limit domain admins, although that can be more political than anything else.
I have been at places where we tried to limit DA's and people thought we were trying to get rid of them or reduce staff but really we were just trying to make things secure.
Here are a couple of good links. The first is a recent blog from top AD MVP Joe Richards:
http://blog.joeware.net/2009/02/13/1609/
Off the cuff comments for a new Domain Admin
This second link backs up Matt's suggestion for two accounts:
http://technet.microsoft.com/en-us/library/cc780702.aspx
Thanks
MMIke
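One way to check your own environment against the advice in Matt's and MMIke's posts (few Domain Admins, dedicated admin accounts rather than day-to-day ones, the built-in Administrator kept out of routine use, and auditing of the group), as an added example that is not part of this thread or of the linked articles. It assumes the ActiveDirectory RSAT module is installed and, as a further assumption, that dedicated admin accounts follow a "-adm" naming convention.

```powershell
# Added example (not from the thread): review Domain Admins membership against the advice
# above. Assumes the ActiveDirectory RSAT module, rights to read AD, and (an assumption)
# a naming convention where dedicated admin accounts end in "-adm".
Import-Module ActiveDirectory

$domain          = Get-ADDomain
$builtinAdminSid = "$($domain.DomainSID)-500"   # RID 500 is always the built-in Administrator
$staleAfterDays  = 90

$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet, EmailAddress

Write-Host "Domain Admins has $(@($members).Count) user members"

$report = foreach ($u in $members) {
    $findings = New-Object System.Collections.Generic.List[string]
    if ($u.SID.Value -eq $builtinAdminSid) {
        $findings.Add('built-in Administrator; shared use cannot be traced to a person')
    }
    if ($u.SamAccountName -notmatch '-adm$') {
        $findings.Add('name does not mark it as a dedicated admin account')
    }
    if ($u.EmailAddress) {
        $findings.Add('has a mailbox, so it is probably also a day-to-day account')
    }
    if ($u.Enabled -and $u.LastLogonDate -and
        $u.LastLogonDate -lt (Get-Date).AddDays(-$staleAfterDays)) {
        $findings.Add("no logon in $staleAfterDays days; candidate for removal")
    }
    [pscustomobject]@{
        Account   = $u.SamAccountName
        Enabled   = $u.Enabled
        LastLogon = $u.LastLogonDate
        Findings  = ($findings -join '; ')
    }
}
$report | Sort-Object Account | Format-Table -AutoSize

# Auditing the group itself: Security event 4728 on a domain controller records each member
# added to a security-enabled global group (Domain Admins is one). Needs "Audit Security
# Group Management" enabled and the script run on, or remoted to, a DC.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728 } -ErrorAction Stop |
        Where-Object { $_.Message -match 'Group Name:\s+Domain Admins' } |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not read Security log for 4728 events: $_"
}
```

Run it with an account that can read the directory; the first table lists each Domain Admin with the points from the thread that apply to it, and the second shows who was added to the group and when, which is the audit trail Matt's post relies on.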
ASKER CERTIFIED SOLUTION
LauraEHunterMVP

Would like to have seen points split here.