Administrators on domain with different rights

Medium Priority
Last Modified: 2017-07-31
I have a customer who has an internal domain, with no sub domains. The customer wants to heighten the security and have asked for the below scenario.

The customer wants the following:
1. Every administrator on the system must have their own administrative account, because the customer wants the main Administrator account credentials to be known only by a few people, not everybody. But some administrative accounts still need local administrator rights on the servers, so e.g. I will have one called administrator1 and I will add this user as a local admin to each server, or is there another way?

2. No users other than Administrator must be able to change the Administrator password, memberships and so on. As far as I know, you cannot grant a user local admin rights on a DC without making them a Domain Admin as well?

3. Some administrator users still need the ability to add, remove and change users, but without the ability to change the Administrator account. How can this be done, if possible?

4. I need a system (3rd party is okay) that can log EVERY change made in AD and on each server. I have been looking at some software from Netwrix, but what do you propose?

I hope this is clear enough, otherwise I will try to be more specific :)

Thank you in advance for your time
Kash, 2nd Line Engineer

1. If you have an ADMIN, they will be able to do everything on every server unless you delegate which server.

2. That is the case anyway. Admins can make changes, not users. Only admins should be the people logging on to servers. Disable the "log on locally" right for all users but admins.

3. If they are all admins with full rights then there is no stopping them from making changes to others. You should follow the principle of LEAST PRIVILEGE and give staff only enough permission to perform their jobs.

4. Can you not enable auditing on the server objects / AD objects?


Hello Kash

Thank you for your reply.

The problem is that the other administrators still need to be able to restart services, install programs, and some even need the right to install a role and configure it...

As far as I know, if I grant a user local admin on a non-DC, they will have all rights on that server, which is fine. But if I do the same on a DC, then when they log in they will have domain admin rights. Of course one solution could be that we just don't allow them to log in to the DC servers, and only trusted employees can do this. I don't know if I am totally wrong about this, but as far as I know, what the customer is asking is not possible...

But could I grant a user e.g. Server Operator, and then they will be able to do some things, like restart services and so on? If yes, how do I manage to get the Server Operator group as primary, as Domain Users is primary and more restrictive than Server Operator, so (in my belief) Server Operator will be overruled by the Domain Users group?
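On the primary-group question above: a user's rights are the union of every group they belong to, so a restrictive primary group such as Domain Users never overrules what Server Operators or Administrators grants. As an added example, not code from this thread, the PowerShell below reports a user's effective membership (primary group plus nested memberOf) and flags the groups that carry administrative rights on domain controllers; it assumes the RSAT ActiveDirectory module, domain read access, and reuses the thread's administrator1 account name.

```powershell
# Added example, not from the thread: list a user's effective AD group membership
# (primary group plus nested memberOf) and flag groups that grant admin rights on
# domain controllers. Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

function Get-PrivilegedGroupExposure {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user   = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $domain = Get-ADDomain

    # Groups whose members get administrative rights on DCs, keyed by well-known SID.
    # Server/Account/Backup Operators are DC-local built-ins, not Domain Admins, but
    # still confer interactive logon and service control on every DC.
    $privileged = @{
        'S-1-5-32-544'             = 'Administrators (built-in, domain-wide on DCs)'
        'S-1-5-32-548'             = 'Account Operators'
        'S-1-5-32-549'             = 'Server Operators'
        'S-1-5-32-551'             = 'Backup Operators'
        "$($domain.DomainSID)-512" = 'Domain Admins'
        "$($domain.DomainSID)-519" = 'Enterprise Admins'
    }

    # The primary group (usually Domain Users) is not listed in memberOf; resolve it
    # from primaryGroupID (a RID) under the domain SID.
    $primary = Get-ADGroup -Identity "$($domain.DomainSID)-$($user.primaryGroupID)"

    # Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN, so nested groups count too.
    $nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

    # Rights are the union of all groups: a restrictive primary group such as Domain
    # Users never overrides what Server Operators or Administrators grants.
    $all = @($primary) + @($nested) | Sort-Object -Property { $_.SID.Value } -Unique
    foreach ($g in $all) {
        [pscustomobject]@{
            User          = $user.SamAccountName
            Group         = $g.Name
            IsPrimary     = ($g.SID -eq $primary.SID)
            GrantsDCAdmin = $privileged.ContainsKey($g.SID.Value)
        }
    }
}

# 'administrator1' is the example account name used in the question above.
Get-PrivilegedGroupExposure -SamAccountName 'administrator1' |
    Sort-Object GrantsDCAdmin -Descending | Format-Table -AutoSize
```

Any row with GrantsDCAdmin set to True is a group that gives that account rights on every DC regardless of which group is primary, which is the check to run before handing out Server Operators as a "lighter" alternative to Domain Admins.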

