jmichaelpalermo4
asked on
Best Method to Restrict Admins and Audit Active Directory
Hello Experts!
I currently run a single domain environment across multiple sites. I'm looking to hire some new technicians, but don't want to give them the "keys to the kingdom."
What is the best method to restrict admin accounts? Do I have to go through and create security groups, etc.?
Also, what are your recommendations on auditing changes made across the domain?
Thank you for your time!
J
I currently run a single domain environment across multiple sites. I'm looking to hire some new technicians, but don't want to give them the "keys to the kingdom."
What is the best method to restrict admin accounts? Do I have to go through and create security groups, etc.?
Also, what are your recommendations on auditing changes made across the domain?
Thank you for your time!
J
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hey, wouldn't log on to a user's workstation with Domain Admin credentials of any kind. You should use Group Policy restricted groups to gin up another administrative group for workstation use. Using a member of Domain Admins local to a workstation could hand the keys to your entire network to everyone in the world.
As for what you're asking for, limited control of cmd.exe, I can't off the top of my head think of a way to do that.
If you're already making your users local admins, what problem are you trying to solve or avoid?
Moreover you can go for an third party application also. Please click on the given link for the same.
Thanks.
As for what you're asking for, limited control of cmd.exe, I can't off the top of my head think of a way to do that.
If you're already making your users local admins, what problem are you trying to solve or avoid?
Moreover you can go for an third party application also. Please click on the given link for the same.
Thanks.
ASKER
Thank you!
Yes you can create groups and delegate permissions. You an also use some of the builtin groups (account operators for example).
Do you have any third party auditing tools or using native tools?
Thanks
Mike