Restricting Privileges to Administrators

ISS_Expert asked
Medium Priority
726 Views
Last Modified: 2013-11-05
Hi All,

Currently we have over 25 domain administrators in our network.  Some of them (e.g.  Service desk) have been granted this privilege for the purpose of resetting passwords, unlocking users etc.  The Network Manager claims that their access cannot be restricted and that they are planning to implement a web based solution that would provide an interface with limited menu items.  I would like to confirm with the experts here that it is not possible to create various roles for different users.

Thanks
ISS

Commented:
You pretty much have the door wide open if you are a Domain Admin.  No doubt about that.  And you do need to be a domain admin in order to reset passwords and unlock users, so I don't see a way around this.
Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011
Commented:

I'm afraid both you and the previous poster have been misinformed. There is no reason why you should have users in the Help Desk as Domain Admins. That pretty much annihilates any type of security you try to implement on your network, since those users with Domain Admin privileges can log in and access pretty much anything they wanted to.

Active Directory is specifically designed so that you can elevate a certain user or group of users' privileges to give them the ability to make changes to certain users, such as resetting passwords, unlocking user accounts and so on. You can use the Delegation of Control wizard for this. On the OU(s) which the Help Desk users would need to have access to, you right-click the OU and choose 'Delegation of Control'. You can then step through the wizard and assign the appropriate permissions.

By delegating control, they can still use the usual AD Users and Computers tool to manage the users, but they don't need Domain Admin rights. They can be standard users. Plus, they don't have access to the whole domain - only the OUs you permit them to control.

-Matt

CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018
Commented:
Of course you can delegate tasks in AD, especially common ones like resetting a password or unlocking an account. You can delegate permissions for every single attribute in AD, from root/site/ou down to the last object. You can even delegate permissions so that the Helpdesk can reset passwords of regular users, but only unlock an administrator account.
Helpdesk certainly doesn't need and shouldn't have domain admin permissions.
Some random links for starters:

Default security concerns in Active Directory delegation
http://support.microsoft.com/kb/235531

How to Delegate Mailbox Access in Active Directory
http://support.microsoft.com/kb/262399

Minimum permissions are needed for a delegated administrator to force password change at next logon procedure
http://support.microsoft.com/kb/296999

How To Delegate the Unlock Account Right
http://support.microsoft.com/kb/294952
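The delegation both answers describe (reset password, unlock account, force password change at next logon, scoped to one OU) done in PowerShell instead of the Delegation of Control wizard. This is an added example, not code from the thread; the OU distinguished name and the HelpDesk group name are assumptions.

```powershell
# Added example, not from the thread: delegate password reset, account unlock and
# "user must change password at next logon" on one OU to a Help Desk group, so its
# members never need Domain Admins. The OU DN and group name below are assumptions.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=example,DC=com'   # assumed OU the Help Desk may manage
$groupName = 'HelpDesk'                       # assumed delegated group

$sid = (Get-ADGroup -Identity $groupName).SID

# Well-known schema GUIDs; they are the same in every AD forest
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class "user"
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right "Reset Password"
$lockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute lockoutTime (unlock)
$pwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute pwdLastSet (change at next logon)

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$onUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function New-UserAce([System.DirectoryServices.ActiveDirectoryRights]$rights, [Guid]$target) {
    # One ACE that applies only to descendant user objects of the OU, never to the OU itself
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, $allow, $target, $onUsers, $userClass)
}

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule((New-UserAce 'ExtendedRight'               $resetPassword))
$acl.AddAccessRule((New-UserAce 'ReadProperty, WriteProperty' $lockoutTime))
$acl.AddAccessRule((New-UserAce 'ReadProperty, WriteProperty' $pwdLastSet))
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check what was granted: only these three ACEs, scoped to user objects under the OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Run it once from an account that already has Write DACL on the OU; afterwards the Help Desk members can be removed from Domain Admins and still use AD Users and Computers for these three tasks inside that OU only.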
CERTIFIED EXPERT
Commented:
Domain admins basically hold all the keys to the kingdom. This is not a good thing to have and this is the reason why microsoft came up with the delegation of control wizard. This lets you give only the permissions necessary to certain groups. Take a read here

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

What I would do is use DSrevoke to remove unnecessary access that users have and then redelegate control to them properly.

DSrevoke: http://www.microsoft.com/downloads/details.aspx?familyid=77744807-c403-4bda-b0e4-c2093b8d6383&displaylang=en

I did this on my domain and it worked out great, just make sure you have a backout plan which in your case would be adding users back into the domain admins group.

The syntax I used for dsrevoke was this:

dsrevoke /report /domain:domain domain\username or group

It will return the report of all the access that user or group has been granted.


ACE #1
Object: DC=domain,DC=com
Security Principal: domain\user
 
Permissions: 
  READ PROPERTY
  WRITE PROPERTY
ACE Type: ALLOW
 
ACE does not apply to this object
ACE inherited by all child objects of class Group
 
 
ACE #2
Object: DC=Domain,DC=com
Security Principal: domain\user
 
Permissions: 
  CREATE CHILD
  DELETE CHILD
ACE Type: ALLOW
 
ACE inherited by all child objects

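A PowerShell stand-in for the dsrevoke /report step above, producing the same kind of per-ACE listing (object, rights, ACE type, object-type and inherited-object-type GUIDs) for one principal across the domain's containers and OUs. This is an added example, not code from the thread or from dsrevoke; the principal name is an assumption.

```powershell
# Added example, not from the thread: a PowerShell stand-in for "dsrevoke /report"
# that lists every explicit ACE a principal holds on the domain root, OUs and containers,
# so you can review what a former Domain Admin keeps before redelegating properly.
# The principal name is an assumption.
Import-Module ActiveDirectory

$principal = 'EXAMPLE\HelpDesk'   # assumed: NetBIOS-qualified user or group to report on
$domainDn  = (Get-ADDomain).DistinguishedName

# Objects that typically carry delegated permissions: the domain root, OUs and containers
$scopes = Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'

$report = foreach ($obj in $scopes) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    # IsInherited = $false keeps only ACEs set on this object, which is what you would revoke or keep
    $explicit = $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $principal
    }
    foreach ($ace in $explicit) {
        [pscustomobject]@{
            Object              = $obj.DistinguishedName
            Type                = $ace.AccessControlType     # Allow / Deny
            Rights              = $ace.ActiveDirectoryRights
            ObjectType          = $ace.ObjectType            # attribute or right GUID; all zeros = everything
            InheritedObjectType = $ace.InheritedObjectType   # class GUID the ACE is limited to; all zeros = any
            Inheritance         = $ace.InheritanceType
        }
    }
}

$report | Format-List
"Explicit ACEs found for ${principal}: $(@($report).Count)"
```

Keep the output as the backout record: each entry is exactly the ACE you would have to re-add if the redelegation turns out to be too narrow.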

Author

Commented:
Thank you all.  Appreciate it.