who needs domain admin rights

Posted on 2016-09-26
Last Modified: 2016-10-15
We are doing a review of members of powerful AD groups, e.g domain admins. Can you provide some examples into the types of admin/management tasks whereby a user requires domain admin permissions? I.e. what tasks require the use of domain admin rights. Seeing some examples of the types of task that would require domain admin permissions, would help us identify whether some on our list of members are valid or should be removed.
Question by:pma111
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Assisted Solution

sXmont1j6 earned 55 total points (awarded by participants)
ID: 41815889
Domain admin's have the ability to do pretty much everything on a network.  More than likely, those users can be Removed, especially if they are using those accounts for everyday activities
LVL 54

Assisted Solution

McKnife earned 55 total points (awarded by participants)
ID: 41815892
Domain administrators administer the whole domain. They are local admins on all systems. They can administer all AD objects, GPO, certificates, passwords. Anything. So only make someone domain admin if he should have unlimited access. As simple as that.

And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)
LVL 35

Assisted Solution

Kimputer earned 55 total points (awarded by participants)
ID: 41815897
Usually, ONLY the highest IT member/team has domain admin rights. That's because even the CEO/CTO/COO of any big companies, has nothing to do with it (they may have the admin/password at all times, archived somewhere, or locked in a safe, because it's their environment after all, but usually they should do NOTHING with it except for in emergencies).
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

LVL 63

Assisted Solution

btan earned 135 total points (awarded by participants)
ID: 41815914
Back to the definition of domain admin before taking a snapshot. But do review the other Administrators groups too - Limiting Administrator Rights to Those Rights That Are Actually Required e.g.

- Avoid using the Account Operators group for strictly delegating a "data administration" task, such as account management
- Membership in the Backup Operators group in Active Directory should be limited to those individuals who back up and restore domain controllers.
- Data administrators have no control over the configuration and delivery of the directory service itself; they control subsets of objects in the directory. Using permissions on objects that are stored in the directory, it is possible to limit the control of a given administrator account to very specific areas of the directory
-  Take additional steps to enforce strong administrative credentials, such as requiring smart cards for administrative logon, or requiring two forms of identification, with each form held by a different administrator
This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.
 create/delete AD leaf objects (users, groups, workstation-computers, server-computers)
 modify attributes of AD leaf objects (eg user object details like phone, address)
 AD services (sites, subnets, SCPs, trusts, etc)
 GP admins (including Central Store admin)

 Exchange objects (mailboxes, smtp addresses, etc)
 DFS admin

member computer admin rights (eg administer workstations including rejoin to domain, remote control, remote-manage, access logs, access volumes on workstations)

DNS admin

DHCP admin

member server admin (not DC's)

Another is try EnumAccess and AccessChk (Sysinternal) of an actual Domain admin user to see the list of rights it is given by default and that give some sensing of the default permission which can be further limited based on the role of the user.
- to quickly view user accesses to a tree of directories or registry keys in helping you for security holes and lock down permissions where necessary.
- to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services.

Author Comment

ID: 41815971
And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)

erm.. no it doesn't. I appreciate domain admins have full unrestricted access, but felt it useful to see what kind of administrators get that access in other companies, as surely you could argue nobody really needs domain admin access and could be granted more granular access - but I didn't know if there were specific events whereby someone does need domain admins perhaps for certain types of major incidents to your AD.

Accepted Solution

sAMAccountName earned 200 total points (awarded by participants)
ID: 41816248
Just adding my $.02 to this question.

"Who needs to be in Domain Administrators?"
Short answer:
Only those one or two people who understand Active Directory and the impact their actions can have to the business

Longer answer:
Think of AD as having 2 components;
1. The underlying platform and topology (Domain Controllers, Policies, Schema, Replication configuration etc)
2. Directory Data (Logical containers and objects like OUs, Groups, Users, Computers, Printers etc.)

Domain Admins can CRUD (Create/Read/Update/Delete) everything, including configuration, policies, topology and security.  The list of people who actually need to do this will be very small.  In contrast, the list of people who need to manipulate the data inside the directory may be much larger and include Helpdesk, Deskside, different subgroups of IT, plain old users etc.  Allowing these people to complete tasks related to their role should never depend on adding them to Domain Admins.

As a domain admin, you can delegate abilities to security groups so they can exact change on the data in very specific areas of AD - For instance, you can create a security group and grant that group the ability to unlock user accounts which exist in a specific OU.  You can create a security group which allows Deskside or Helpdesk personnel to add an unlimited number of workstations to the domain.  You can create a group which allows an infrastructure IT team to CRUD DNS records etc.

Using delegation to grant ONLY THOSE PERMISSIONS needed to accomplish something will go a long way in keeping your domain/forest secure

Also, dont just focus on Domain Admins.  There are several builtin groups which should be used sparingly, if at all...  Here is an article about security groups which lists all the default builtin groups in AD and what they are capable of.
AD Security Groups
LVL 63

Assisted Solution

btan earned 135 total points (awarded by participants)
ID: 41816302
Instead of the going for whitelist - knowing what domain admin is able to do, maybe start off the user in a limited user and role based grouping instead and domain admin is the group you should avoid at the default start or minimally restrict to one party instead a blanket to all admin. That is why RBAC will avoid now the exercise you are going thru .. just my few cents worth..
LVL 63

Expert Comment

ID: 41844852
As per advised.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How ldap located a Domain controller? 22 77
Dell SonicWall Connection 18 56
bitlocker admin and monitoring 2 41
How do I protect myself from the latest Ransomware attack? 3 401
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question