• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1199
  • Last Modified:

Domain Admin Permissions

I am trying to find something on best practice for domain admin permissions. We have a lot of domain admin's and they have more permissions then they need sometimes. I believe they should have just enough to do what they need to do but I am looking for a best practice guide.
1 Solution

The best practice is to give users as little permissions as they need. There is no need to give them more permissions than is required, because this causes a security risk.

Also as a best practice, your Domain Admin users should use a standard user account for logging in to the network and for day-to-day use. They should then have a second account which has the Domain Admin privileges assigned. They would only log in with this account when they need to use the Domain Admin privileges - or, even better, they can simply use the 'Run As' feature of any application to start it with the domain admin rights.

No user apart from a select few should have access to the domain 'Administrator' account. If users have access to this, they can make changes which would go unaudited and untraceable, which could cause an issue. However if users are forced to use their privileges on their own dedicated Domain Admin account, and with the correct auditing, a malicious change can easily be traced.

TylerTreatAuthor Commented:
Is there any whitepages from Microsoft or anybody on this?
Mike KlineCommented:
Matt is right on, you should try and limit domain admins....although that can be more political than anything else.
I have been at places where we tried to limit DA's and people thought we were trying to get rid of them or reduce staff but really we were just trying to make things secure.
Here are a couple of good links.  The first is a recent blog from top AD MVP Joe Richards
Off the cuff comments for a new Domain Admin
This second link backs up Matt's suggestion for two accounts
Best Practices for AD Delegation: http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3

Membership in Domain Admins should be kept to a minimum; define what actions your administrators need to perform, and delegate the rights to perform only those actions.
Would like to have seen points split here.

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now