Restrict Domain Administrator to workstations only

Experts, I need to figure out a way to give our computer technician full access to our workstations. Some programs require a domain admins credentials to override the permissions to allow the installation of new programs.
Problem is...
By giving him a domain admin, he now can remote into any of our servers. How can I block his server access, but still allow him to have admin access over the workstations?
dheinmillerAsked:
 
McKnifeCommented:
1 setup a domain account "support1" with a secure password
2 create a GPO and use the restricted group as shown in the picture
[Screenshot: restricted groups GPO setting]
Apply that GPO to all client machines in question but NOT the servers.
0
 
McKnifeCommented:
Sorry, there's no program that requires domain admin credentials - that's simply impossible. If you administer the domain, use a domain admin. If you administer local programs, don't use a domain admin.
You should set up a support user and have that one added to the local admins group using the restricted groups feature inside GPOs. Then apply that GPO to workstations only.
0
 
dheinmillerAuthor Commented:
McKnife, Thanks for the clarification, can you provide more details on exactly how to implement your recommendation?
Thank you!
0

 
dheinmillerAuthor Commented:
McKnife - You're the Best!!!!
I set it up, and it works exactly how we want.
I appreciate you taking the time to create the diagrams.
Thank you,
dheinmiller
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
I'll suggest a different approach.

1. Create a "Workstation Admins" user group in AD. Add that group to the local Administrators group of all workstations (should be possible with Group Policy). Then you can add your technicians to that group, which will give them all the rights they need to install just about anything on the workstations but prevents them from logging in to the servers.
2. Same as 1, except create separate workstation admin accounts for each technician to maintain accountability and prevent potential issues if a technician ever does something stupid and gets themselves infected with a worm.  (To be clear, you still create a Workstations Admin group and assign it to the local workstations, but then, instead of using the technician's existing account (example, "John"), you create an account called "John-WA" which the technician must use for administration of the workstations - that John-WA account is the one that gets placed in the Workstation Admins group and is used by the technician).
0
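The AD side of Lee W's option 2 above, as an added PowerShell example that is not code from the thread: it assumes the RSAT ActiveDirectory module and a domain admin session on a management host, and the group name, the "-WA" account names, the technician list and the OU path are placeholders. The Restricted Groups GPO itself is still built in the Group Policy editor as described; the script only creates the AD objects and then audits that the group landed in local Administrators on workstations and nowhere else.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module and a
# domain admin session. Group/account names and the OU path are placeholders.
Import-Module ActiveDirectory

$groupName = 'Workstation Admins'
$ouPath    = 'OU=Admin Accounts,DC=example,DC=local'   # placeholder OU

# 1. Create the group once (Global security group). This group, NOT Domain Admins,
#    is what the Restricted Groups GPO pushes into local Administrators on workstations.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath `
        -Description 'Members become local Administrators on workstations via Restricted Groups GPO'
}

# 2. One separate "-WA" account per technician (constructed sample list), so the
#    everyday account keeps no admin rights and actions stay attributable.
$technicians = @('John', 'Jane')
foreach ($tech in $technicians) {
    $sam = "$tech-WA"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        $pw = Read-Host -AsSecureString "Initial password for $sam"
        New-ADUser -Name $sam -SamAccountName $sam -Path $ouPath -AccountPassword $pw `
            -Enabled $true -ChangePasswordAtLogon $true
    }
    Add-ADGroupMember -Identity $groupName -Members $sam
}

# 3. Audit: the group must be in local Administrators on workstations only.
#    Get-LocalGroupMember needs Windows 10 / Server 2016 (PowerShell 5.1) on the target.
function Test-WorkstationAdminScope {
    param([string[]]$Workstations, [string[]]$Servers)
    $member = "$((Get-ADDomain).NetBIOSName)\$groupName"
    $check  = { param($m) (Get-LocalGroupMember -Group 'Administrators').Name -contains $m }
    foreach ($ws in $Workstations) {
        $ok = Invoke-Command -ComputerName $ws -ScriptBlock $check -ArgumentList $member
        if (-not $ok) { Write-Warning "$ws : $member missing from local Administrators (GPO not applied?)" }
    }
    foreach ($srv in $Servers) {
        $bad = Invoke-Command -ComputerName $srv -ScriptBlock $check -ArgumentList $member
        if ($bad) { Write-Warning "$srv : $member is in local Administrators (GPO scoped too wide)" }
    }
}

# Example run against constructed host names after the GPO has refreshed:
# Test-WorkstationAdminScope -Workstations 'WS01','WS02' -Servers 'SRV01'
```

Run the audit after gpupdate on a sample of each type; a warning on any server means the GPO is linked or filtered too broadly and the technician has gained exactly the server access the question wants to prevent.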
 
McKnifeCommented:
To expand even further:

We use an altogether different concept for security reasons.
I might publish an article soon as a step-by-step.

The main idea is to use single admins, one per supported workstation, so that if one of those accounts gets compromised (using mimikatz or the like), the attacker would only gain admin access to one workstation and not all. Apart from that, the account is only activated for the time of the support incident, so it will be very hard to exploit that.
All is managed by a script and not complicated at all.

As soon as I have completed my article, I will link it here.
0
 
dheinmillerAuthor Commented:
Thanks Guys!
I look forward to seeing the article...
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
McKnife's environment may well need that level of security. If you do, fine. Keep in mind that security is a balance - you cannot limit productivity too much - and consider what happens when the machine in question is off the domain for any reason or can't communicate with the machine that runs the script to activate the account. My solutions don't fully address that issue either, but USUALLY, where you have a small number of technicians, they will have cached accounts, making that aspect less important.
0
 
dheinmillerAuthor Commented:
Lee,  I will keep that in mind.
Thanks for the info!
0
 
dheinmillerAuthor Commented:
Thanks McKnife!
Very Interesting and useful article!
0