
domain admins account case

What kind of questions should be asked when determining whether there is a valid business case for an AD account to be added to the Domain Admins group? Or, on the flip side, what kind of valid business cases are there for putting a user in the Domain Admins group, i.e. for what purposes is it necessary? Which of your accounts/staff are domain admins, and why?

Also, is there any way to see when an account became a member of the Domain Admins group? I.e. whether this was part of the account creation (I keep hearing about a "primary group") or at a later date, elevation of privilege, etc.
4 Solutions
Krzysztof Pytko, Active Directory Engineer, commented:
This is a really difficult question as each company has its own regulations :)
However, my answer is NEVER :]

You can always use task delegation in the domain to allow a user to administer their own tasks.

Domain Admin should be granted only for temporary projects like domain trust creation, raising the domain functional level, or promoting a new DC/decommissioning an old DC.

The only place to find out when a user got that membership is visiting and reviewing the Security log on each DC :]
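One way to act on the advice above, as an added example that is not code from any poster in this thread: the script lists the current Domain Admins membership (including accounts whose primary group is Domain Admins, which the questioner asked about and which do not appear in the group's member attribute), reads the replication metadata of the group's member attribute, and then pulls event 4728 (member added to a security-enabled global group) from the Security log of every DC. It goes beyond the post in one respect: the replication metadata step records when each member value was last changed even after the Security log has rolled over. It assumes the RSAT ActiveDirectory module, a domain-joined host, and rights to read the DCs' Security logs; the output column names are my own.

```powershell
# Added example: audit when accounts became members of Domain Admins.
# Assumes the ActiveDirectory module (RSAT) and read access to DC Security logs.
Import-Module ActiveDirectory

$group = Get-ADGroup -Identity 'Domain Admins' -Properties member
$dcs   = (Get-ADDomainController -Filter *).HostName

# 1. Current membership. Recursive expansion resolves nested groups to leaf objects;
#    keep only user objects so Get-ADUser does not choke on computer accounts.
$direct = Get-ADGroupMember -Identity $group -Recursive |
          Where-Object objectClass -eq 'user' |
          Get-ADUser -Properties whenCreated, primaryGroupID |
          Select-Object SamAccountName, whenCreated, primaryGroupID

# Accounts whose *primary group* is Domain Admins (RID 512) are members without
# appearing in the member attribute, so they must be queried separately.
$primary = Get-ADUser -Filter 'primaryGroupID -eq 512' -Properties whenCreated, primaryGroupID |
           Select-Object SamAccountName, whenCreated, primaryGroupID

Write-Host "== Direct/nested members =="; $direct  | Format-Table -AutoSize
Write-Host "== Primary-group (RID 512) members =="; $primary | Format-Table -AutoSize

# 2. Replication metadata of the member attribute: one row per linked value with the
#    time it was last originated. Version > 1 means the value was removed and re-added.
$meta = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $dcs[0] -ShowAllLinkedValues |
        Where-Object AttributeName -eq 'member' |
        Select-Object @{n='Member';e={$_.AttributeValue}},
                      @{n='LastAdded';e={$_.LastOriginatingChangeTime}},
                      @{n='ChangedOn';e={$_.LastOriginatingChangeDirectoryServerIdentity}},
                      Version
Write-Host "== member attribute metadata =="; $meta | Format-Table -AutoSize

# 3. Security log on every DC: 4728 = member added to a security-enabled global group.
#    The event is only on the DC that processed the change, so each DC is queried.
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4728 } -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data.TargetUserName -eq 'Domain Admins') {
                [pscustomobject]@{
                    DC     = $dc
                    Time   = $_.TimeCreated
                    Member = $data.MemberName        # DN of the account that was added
                    AddedBy = $data.SubjectUserName  # who performed the change
                }
            }
        }
    } catch {
        # Get-WinEvent throws when no matching events exist or the log is unreadable.
        Write-Warning "No 4728 events readable on ${dc}: $($_.Exception.Message)"
    }
}
Write-Host "== 4728 additions to Domain Admins =="; $events | Sort-Object Time | Format-Table -AutoSize
```

Run it as an account that can read the Security log on each DC; if a member shows up in step 2 with no matching 4728 event in step 3, the log on the originating DC has most likely rolled over, which is itself a finding worth noting when reviewing how long the DCs retain Security events.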

Mike Kline commented:
Another one is if there is a service/app that claims it needs DA rights. There are still some out there; ask the vendor why the account needs those rights.

Where I am we have way too many domain admins.  I have tried to reduce them but it is a big federal government agency and a lot of managers that don't know technology think their people should be DAs....it can be very political.


Our policy is that if a user needs to manage the domain at some level, then they are placed in the group. In our company that means all IT people (we are a small shop where all IT people can at some time manage AD) and our help desk. We have on occasion given a consultant that for a short period of time, but then we limit which servers they have access to. Even this may be overkill, but it's easier than trying to deal with it at a micro level deciding which IT person needs which access on which server.
Sarang Tinguria, Sr Engineer, commented:
Agree with the above posters; it is really not required for someone to have all-time Domain Admin.
You can delegate tasks for daily activity.
You can give temp Domain Admin rights when going through a major activity like a migration, etc., as given by iSeik. Secondly, it depends upon the technology awareness of management and the expertise of the techs in the organisation: how confident they are that their delegation is perfect or not.
Sometimes while working on small issues people think that it might be due to rights, as we are not domain admins, though it is not.
