Solved

Best Method to Restrict Admins and Audit Active Directory

Posted on 2013-12-10
5
357 Views
Last Modified: 2014-01-06
Hello Experts!

I currently run a single domain environment across multiple sites. I'm looking to hire some new technicians, but don't want to give them the "keys to the kingdom."

What is the best method to restrict admin accounts? Do I have to go through and create security groups, etc.?

Also, what are your recommendations on auditing changes made across the domain?


Thank you for your time!
J
0
Comment
Question by:jmichaelpalermo4
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39708921
Best method is to first talk to them and your team and see what tasks they will need to perform?   Then you start your delegation plan from there.

Yes you can create groups and delegate permissions.   You an also use some of the builtin groups (account operators for example).

Do you have any third party auditing tools or using native tools?

Thanks

Mike
0
 
LVL 9

Accepted Solution

by:
VirastaR earned 250 total points
ID: 39708958
Hi,

You can simply achieve it my using "Delegation Control" wizard using ADUC and you get more granular you want and user can do just what you define nothing less or more, this applies even to auditing the AD.

Using GUI Tools:

Active Directory rights delegation – overview
&
Using the Delegation of Control Wizard to Assign Permissions in Server 2008

Using Powershell:

Checking Permission/Delegation of an OU/Domain-Quest PowerShell

Hope that helps :)
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 39709062
As mentioned above Delegation of Control is a huge part to lock down what your helpdesk/systems admins can do.

I would recommend creating new Security Groups giving them a meaningful name for Each Job function i.e.
AD_Password_Admin (this account can reset and unlock users accounts in AD) AD_User_Admin (this group can modify user attributes and create new Users) AD_Computer_Admin (this group can modify computer attributes/objects) etc...

From there you will have a clear indication of what the users specific account has access to do just by looking at the Membership Tab.

For Auditing ADAudit Plus is the software i recommend for auditing changes being done in your AD environment. Not free but not expensive. They have a fully featured free trail.

AD Audit Plus - http://www.manageengine.com/products/active-directory-audit/

Will.
0
 
LVL 3

Expert Comment

by:Detlef001
ID: 39711468
Hey, wouldn't log on to a user's workstation with Domain Admin credentials of any kind. You should use Group Policy restricted groups to gin up another administrative group for workstation use. Using a member of Domain Admins local to a workstation could hand the keys to your entire network to everyone in the world.

As for what you're asking for, limited control of cmd.exe, I can't off the top of my head think of a way to do that.

If you're already making your users local admins, what problem are you trying to solve or avoid?

Moreover you can go for an third party application also. Please click on the given link for the same.

Thanks.
0
 
LVL 3

Author Closing Comment

by:jmichaelpalermo4
ID: 39759884
Thank you!
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know what services you can and cannot, should and should not combine on your server.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now