
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 161

Who needs domain admin rights?

We are doing a review of members of powerful AD groups, e.g. Domain Admins. Can you provide some examples of the types of admin/management tasks for which a user requires domain admin permissions? I.e. what tasks require the use of domain admin rights? Seeing some examples of the types of task that would require domain admin permissions would help us identify whether some on our list of members are valid or should be removed.
6 Solutions
Domain admins have the ability to do pretty much everything on a network. More than likely, those users can be removed, especially if they are using those accounts for everyday activities.

Domain administrators administer the whole domain. They are local admins on all systems. They can administer all AD objects, GPOs, certificates, passwords. Anything. So only make someone domain admin if he should have unlimited access. As simple as that.

And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)
Usually, ONLY the highest IT member/team has domain admin rights. That's because even the CEO/CTO/COO of any big company has nothing to do with it (they may have the admin password at all times, archived somewhere or locked in a safe, because it's their environment after all, but usually they should do NOTHING with it except in emergencies).

btan (Exec Consultant) commented:
Back to the definition of domain admin before taking a snapshot. But do review the other administrator groups too - limiting administrator rights to those rights that are actually required, e.g.:

- Avoid using the Account Operators group for strictly delegating a "data administration" task, such as account management.
- Membership in the Backup Operators group in Active Directory should be limited to those individuals who back up and restore domain controllers.
- Data administrators have no control over the configuration and delivery of the directory service itself; they control subsets of objects in the directory. Using permissions on objects that are stored in the directory, it is possible to limit the control of a given administrator account to very specific areas of the directory.
- Take additional steps to enforce strong administrative credentials, such as requiring smart cards for administrative logon, or requiring two forms of identification, with each form held by a different administrator.

Domain Admins: this group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain, and it can modify the membership of all administrative accounts in the domain.

Roles that can be delegated instead of granting domain admin:

- Create/delete AD leaf objects (users, groups, workstation computers, server computers)
- Modify attributes of AD leaf objects (e.g. user object details like phone, address)
- AD services (sites, subnets, SCPs, trusts, etc.)
- GP admins (including Central Store admin)
- Exchange objects (mailboxes, SMTP addresses, etc.)
- DFS admin
- Member computer admin rights (e.g. administer workstations, including rejoin to domain, remote control, remote management, access logs, access volumes on workstations)
- DNS admin
- DHCP admin
- Member server admin (not DCs)

Another option is to try AccessEnum and AccessChk (Sysinternals) on an actual domain admin user to see the list of rights it is given by default; that gives some sense of the default permissions, which can be further limited based on the role of the user.
- AccessEnum: to quickly view user accesses to a tree of directories or registry keys, helping you find security holes and lock down permissions where necessary.
- AccessChk: to know what kind of accesses specific users or groups have to resources including files, directories, registry keys, global objects and Windows services.
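The review the question asks for, as an added PowerShell example that is not part of any answer in this thread: it enumerates the privileged groups named above (Domain Admins plus the built-in administrator groups btan mentions), expands nested membership, and pulls the attributes a reviewer needs to decide whether each membership is still justified. The 30-day logon window and the output file name are assumptions.

```powershell
# Added example, not code from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups called out in the discussion; Enterprise/Schema Admins only exist in the
# forest root domain, so missing groups are skipped rather than treated as errors.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

$logonWindowDays = 30   # assumed threshold for "this account is in everyday use"
$cutoff = (Get-Date).AddDays(-$logonWindowDays)

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect memberships show up too
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') { continue }
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties LastLogonDate, PasswordLastSet, Enabled, AdminCount
        [pscustomobject]@{
            Group             = $group
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            LastLogonDate     = $u.LastLogonDate
            PasswordLastSet   = $u.PasswordLastSet
            AdminCount        = $u.AdminCount
            # Heuristic from the first answer: a privileged account that logs on
            # regularly is probably also used for everyday work and is a removal
            # candidate (or should be split into a separate admin account).
            LogonInWindow     = ($null -ne $u.LastLogonDate -and $u.LastLogonDate -gt $cutoff)
            # Disabled accounts have no business staying in a privileged group
            DisabledButMember = (-not $u.Enabled)
        }
    }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\privileged-group-review.csv -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only refreshed when it is more than about 14 days stale, so it is good enough to spot accounts in regular use but not for exact last-logon times; query lastLogon on each domain controller if you need precision. Membership in the built-in Administrators group is domain-local, so run the script against each domain you review.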
pma111 (Author) commented:
And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)

erm.. no it doesn't. I appreciate domain admins have full unrestricted access, but felt it useful to see what kind of administrators get that access in other companies, as surely you could argue nobody really needs domain admin access and could be granted more granular access - but I didn't know if there were specific events whereby someone does need domain admins perhaps for certain types of major incidents to your AD.
sAMAccountName (Sr. Systems Engineer) commented:
Just adding my $.02 to this question.

"Who needs to be in Domain Administrators?"
Short answer:
Only those one or two people who understand Active Directory and the impact their actions can have on the business.

Longer answer:
Think of AD as having 2 components:
1. The underlying platform and topology (Domain Controllers, Policies, Schema, Replication configuration, etc.)
2. Directory Data (Logical containers and objects like OUs, Groups, Users, Computers, Printers, etc.)

Domain Admins can CRUD (Create/Read/Update/Delete) everything, including configuration, policies, topology and security. The list of people who actually need to do this will be very small. In contrast, the list of people who need to manipulate the data inside the directory may be much larger and include Helpdesk, Deskside, different subgroups of IT, plain old users, etc. Allowing these people to complete tasks related to their role should never depend on adding them to Domain Admins.

As a domain admin, you can delegate abilities to security groups so they can effect change on the data in very specific areas of AD. For instance, you can create a security group and grant that group the ability to unlock user accounts which exist in a specific OU. You can create a security group which allows Deskside or Helpdesk personnel to add an unlimited number of workstations to the domain. You can create a group which allows an infrastructure IT team to CRUD DNS records, etc.

Using delegation to grant ONLY THOSE PERMISSIONS needed to accomplish something will go a long way in keeping your domain/forest secure.

Also, don't just focus on Domain Admins. There are several built-in groups which should be used sparingly, if at all... Here is an article about security groups which lists all the default built-in groups in AD and what they are capable of.
AD Security Groups
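The "unlock accounts in a specific OU" delegation described in the answer above, as an added PowerShell example that is not part of the answer or of any vendor documentation. Unlocking an account is a write to the lockoutTime attribute, so the delegate group only needs Read/Write on that one attribute, inherited by user objects under the OU. The OU distinguished name and the group name are assumptions; the attribute and class GUIDs are looked up from the schema rather than hard-coded.

```powershell
# Added example, not code from the thread. Requires the RSAT ActiveDirectory module,
# which also provides the AD:\ PSDrive used for Get-Acl/Set-Acl on directory objects.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'   # assumed target OU
$groupName = 'Helpdesk-Unlock'              # assumed delegate group (must already exist)

# Resolve the schemaIDGUIDs for the lockoutTime attribute and the user class from
# the schema partition, so the ACE is correct regardless of forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$userClassGuid   = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Allow ReadProperty + WriteProperty on lockoutTime only, applied to descendant
# user objects only (not to the OU itself, and not to other object classes).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs on the OU that reference the delegate group. The
# expected result is a single Allow ACE whose ObjectType is the lockoutTime GUID.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-List IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Run it as an account that holds Modify Permissions on the OU (a domain admin, or whoever owns the OU). The same pattern covers the other delegations the answer mentions: swap the attribute GUID for the property you want to expose, or use ActiveDirectoryRights CreateChild/DeleteChild with the computer class GUID to let a team join workstations to the domain without ever touching Domain Admins. Record the change in your review file, since delegated ACEs are exactly the kind of thing the next audit will need to re-justify.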
btan (Exec Consultant) commented:
Instead of going for a whitelist - knowing what a domain admin is able to do - maybe start the user off in a limited, role-based grouping instead. Domain admin is the group you should avoid at the default start, or minimally restrict to one party instead of a blanket to all admins. That is why RBAC will avoid the exercise you are going through now... just my few cents' worth.
btan (Exec Consultant) commented:
As per advised.
