I have a customer who has an internal domain, with no subdomains. The customer wants to heighten the security and has asked for the below scenario.
The customer wants the following:
1. Every administrator on the system must have its own administrative account, because the customer wants the main administrator account credentials to be known only by a few people, and not everybody. But still some administrative accounts need local administrator on the servers, so e.g. I will have one called administrator1 and I will add this user as a local admin to each server, or is there another way?
2. No users other than Administrator must be able to change the Administrator password, memberships and so on. As far as I know, you cannot grant a user local admin rights on a DC without making them Domain Admin as well?
3. Some administrator users still need the ability to add, remove, change users, but without the ability to change the administrator account, how to, if possible?
4. I need a system (3rd party is okay) that can log EVERY change made in AD and on each server. I have been looking at some software from Netwrix, but what do you propose?
I hope this is clear enough, otherwise I will try to be more specific :)
Thank you in advance for your time