domain admins account case

Posted on 2012-09-10
Last Modified: 2012-09-20
What kind of questions should be asked when determining whether there is a valid business case for an AD account to be added into the Domain Admins group? Or, on the flip side, what kind of valid business cases are there for putting a user in the Domain Admins group, i.e. for what purposes is it necessary? Which of your accounts/staff are domain admins and why?

Also, is there any way to see when an account became a member of the Domain Admins group? i.e. whether this was part of the account creation (I keep hearing about a “primary group”) or at a later date, elevation of privilege etc.
Question by: pma111
    LVL 39

    Accepted Solution

    This is a really difficult question as each company has its own regulations :)
    However, my answer is NEVER :]

    You can always use task delegation in the domain to allow a user to administer their own tasks.

    Domain Admin should be granted only for temporary projects like domain trust creation, raising the domain functional level or promoting a new DC/decommissioning an old DC.

    The only place to find out when a user got that membership is by visiting and reviewing the security log on each DC :]

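    To follow the accepted answer's advice of reviewing the security log on each DC, here is an added example (not posted in this thread) that pulls Domain Admins add/remove events from every DC and also lists accounts whose membership comes only via their primary group. It assumes the ActiveDirectory RSAT module, rights to read each DC's Security log, and a 90-day look-back window.

```powershell
# Added example, not from the thread. Event 4728/4729 = member added to /
# removed from a security-enabled global group (Domain Admins is global).
# Only changes still retained in each DC's Security log can be found this way.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-90)   # assumption: 90-day look-back window

function Get-DAMembershipChanges {
    param([string]$GroupName = 'Domain Admins', [datetime]$StartTime = $since)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $filter = @{ LogName = 'Security'; Id = 4728, 4729; StartTime = $StartTime }
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events were found" is normal on a quiet DC; report anything else
            if ($_.Exception.Message -notmatch 'No events') { Write-Warning "$($dc.HostName): $($_.Exception.Message)" }
            continue
        }
        foreach ($e in $events) {
            # Read EventData fields by name rather than relying on Properties[] order
            $data = @{}
            ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data.TargetUserName -ne $GroupName) { continue }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                DC        = $dc.HostName
                Action    = if ($e.Id -eq 4728) { 'Added' } else { 'Removed' }
                Member    = $data.MemberName   # DN of the account that was added/removed
                Group     = $data.TargetUserName
                ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            }
        }
    }
}

# Membership granted through primaryGroupID never appears in the group's
# member attribute or in 4728 events; RID 512 is Domain Admins.
function Get-PrimaryGroupDomainAdmins {
    Get-ADUser -Filter 'primaryGroupID -eq 512' -Properties primaryGroupID |
        Select-Object SamAccountName, DistinguishedName
}

Get-DAMembershipChanges | Sort-Object Time | Format-Table -AutoSize
Get-PrimaryGroupDomainAdmins
```

    The ChangedBy column shows which account performed the change, which is the piece of evidence to check against a change ticket when validating a business case.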
    LVL 57

    Assisted Solution

    by:Mike Kline
    Another one is if there is a service/app that claims it needs DA rights.  There are still some out there, ask the vendor why the account needs rights.

    Where I am we have way too many domain admins.  I have tried to reduce them but it is a big federal government agency, and a lot of managers that don't know technology think their people should be, and it can be very political.

    LVL 28

    Assisted Solution

    Our policy is that if a user needs to manage the domain at some level, then they are placed in the group. In our company that means all IT people (we are a small shop where all IT people can at some time manage AD) and our help desk. We have on occasion given a consultant that for a short period of time, but then we limit which servers they have access to. Even this may be overkill, but it's easier than trying to deal with it at a micro level deciding which IT person needs which access on which server.
    LVL 18

    Assisted Solution

    Agree with the above posters, it is really not required for someone to have all-time Domain Admin.
    You can delegate tasks for daily activity.
    You can give temp domain admin rights when going through a major activity like migration etc., as given by iSeik. Secondly, it depends upon the technology awareness of management and the expertise of the techs in the organisation, i.e. how confident they are that their delegation is perfect or not.
    Sometimes while working on small issues people think that it might be due to rights, as we are not domain admin, though it is not.
