Creating a Domain Admin like group, WITHOUT Actual Domain admin rights?
Posted on 2010-11-18
I'm in the process of securing our domain, and I've discovered a few "issues":
1) A bunch of users have Domain Admin accounts that SHOULD NOT.
2) Several accounts that are used for code compilation are set as domain admins.
So, I don't want to cause problems for people, but I don't see a need for these people to have full domain admin rights.
Does anybody have information on how to set up a "quasi" domain admin group, i.e.:
They can RDP to any server (excluding the DCs (2), and possibly the Exchange server), but have basically full read/write permissions to most locations in the network?
I've looked at the existing groups in the domain, and from what I understand, there isn't really any difference between the administrators group and the domain administrators group (both have full access to domain management).
The other reason for this is that by default all domain admin accounts have full access to all mailboxes on our Exchange server, and that's a major security risk.
Any suggestions / ideas are greatly appreciated...