Solved

Creating a Domain Admin like group, WITHOUT Actual Domain admin rights?

Posted on 2010-11-18
4
341 Views
Last Modified: 2012-05-10
Hello,

 I'm in the process of securing our domain, and I've discovered a few "issues" :

1) A bunch of users have Domain Admin accounts that SHOULD NOT.
2) Several accounts that are used for code compilation are set as domain admins.

 So, I don't want to cause problems for people, but I don't see a need for these people to have full domain admin rights.

 Does anybody have information on how to setup a "quasi" domain admin group... ie :

 They can RDP to any server (excluding the DC's(2), and possibly the exchange server, but have basically full read/write permissions to most locations in the network ?

 I've looked a the existing groups in the domain, and from what I understand, there isn't really any difference between administrators group and the domain administrators group (both have full access to domain management).

 The other reason for this, is because by default all domain admin accounts have full access to all mailbox's on our exchange server, and that's a major security risk.

 Any suggestions / ideas are greatly apreciated...

0
Comment
Question by:privasoft
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 125 total points
ID: 34163905
>>They can RDP to any server (excluding the DC's(2), and possibly the exchange server, but have basically full read/write permissions to most locations in the network


In a roundabout way - first put tham in the backup operators group - that lets them have file read/write access
then create a new security group (code admins or something) then grand THAT group logon access on the RDP connectors of the servers they require access to,
1. Using an admin account open a remote admin session to the server in question.
2. Click Start >Programs >Administrative Tools >Terminal Services Configuration
3. Click Connections
4. In the right hand pane RIGHT CLICK the RDP-TCP connector and select properties
5. On the permissions tab click "ADD"
6. Add your code monkeys group in here and select the appropriate level of access.
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 125 total points
ID: 34163918
For the servers you can setup restrices group through GPO. You may not want to give them local admin rights, maybe just remote desk users, that would be something you need to decide. For everything else it will be hard to answer. It will all depend on the application you are using and how your permissions are setup. If you exclusivly assign perms to "Domain Admins" then removing them from the group will remove their accees. If you are using other groups to assing perms then they should not loose the access.

http://www.frickelsoft.net/blog/?p=13
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35171033
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question