?
Solved

who needs domain admin rights

Posted on 2016-09-26
8
Medium Priority
?
100 Views
Last Modified: 2016-10-15
We are doing a review of members of powerful AD groups, e.g domain admins. Can you provide some examples into the types of admin/management tasks whereby a user requires domain admin permissions? I.e. what tasks require the use of domain admin rights. Seeing some examples of the types of task that would require domain admin permissions, would help us identify whether some on our list of members are valid or should be removed.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 

Assisted Solution

by:sXmont1j6
sXmont1j6 earned 220 total points (awarded by participants)
ID: 41815889
Domain admin's have the ability to do pretty much everything on a network.  More than likely, those users can be Removed, especially if they are using those accounts for everyday activities
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 220 total points (awarded by participants)
ID: 41815892
Domain administrators administer the whole domain. They are local admins on all systems. They can administer all AD objects, GPO, certificates, passwords. Anything. So only make someone domain admin if he should have unlimited access. As simple as that.

And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)
0
 
LVL 36

Assisted Solution

by:Kimputer
Kimputer earned 220 total points (awarded by participants)
ID: 41815897
Usually, ONLY the highest IT member/team has domain admin rights. That's because even the CEO/CTO/COO of any big companies, has nothing to do with it (they may have the admin/password at all times, archived somewhere, or locked in a safe, because it's their environment after all, but usually they should do NOTHING with it except for in emergencies).
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 64

Assisted Solution

by:btan
btan earned 540 total points (awarded by participants)
ID: 41815914
Back to the definition of domain admin before taking a snapshot. But do review the other Administrators groups too - Limiting Administrator Rights to Those Rights That Are Actually Required e.g.

- Avoid using the Account Operators group for strictly delegating a "data administration" task, such as account management
- Membership in the Backup Operators group in Active Directory should be limited to those individuals who back up and restore domain controllers.
- Data administrators have no control over the configuration and delivery of the directory service itself; they control subsets of objects in the directory. Using permissions on objects that are stored in the directory, it is possible to limit the control of a given administrator account to very specific areas of the directory
-  Take additional steps to enforce strong administrative credentials, such as requiring smart cards for administrative logon, or requiring two forms of identification, with each form held by a different administrator
This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.
https://technet.microsoft.com/en-us/library/cc700835.aspx
AD-permissions:
 create/delete AD leaf objects (users, groups, workstation-computers, server-computers)
 modify attributes of AD leaf objects (eg user object details like phone, address)
 AD services (sites, subnets, SCPs, trusts, etc)
 GP admins (including Central Store admin)

Not-AD-permissions:
 Exchange objects (mailboxes, smtp addresses, etc)
 DFS admin

member computer admin rights (eg administer workstations including rejoin to domain, remote control, remote-manage, access logs, access volumes on workstations)

DNS admin

DHCP admin

member server admin (not DC's)
 https://social.technet.microsoft.com/Forums/en-US/2cf50f71-c4c0-49b6-b052-f22b64b0ce73/list-of-all-rights-and-privileges-assigned-to-domain-admins?forum=winserverDS

Another is try EnumAccess and AccessChk (Sysinternal) of an actual Domain admin user to see the list of rights it is given by default and that give some sensing of the default permission which can be further limited based on the role of the user.
- to quickly view user accesses to a tree of directories or registry keys in helping you for security holes and lock down permissions where necessary.
- to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services.
0
 
LVL 3

Author Comment

by:pma111
ID: 41815971
And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)

erm.. no it doesn't. I appreciate domain admins have full unrestricted access, but felt it useful to see what kind of administrators get that access in other companies, as surely you could argue nobody really needs domain admin access and could be granted more granular access - but I didn't know if there were specific events whereby someone does need domain admins perhaps for certain types of major incidents to your AD.
0
 
LVL 6

Accepted Solution

by:
sAMAccountName earned 800 total points (awarded by participants)
ID: 41816248
Just adding my $.02 to this question.

"Who needs to be in Domain Administrators?"
Short answer:
Only those one or two people who understand Active Directory and the impact their actions can have to the business

Longer answer:
Think of AD as having 2 components;
1. The underlying platform and topology (Domain Controllers, Policies, Schema, Replication configuration etc)
2. Directory Data (Logical containers and objects like OUs, Groups, Users, Computers, Printers etc.)

Domain Admins can CRUD (Create/Read/Update/Delete) everything, including configuration, policies, topology and security.  The list of people who actually need to do this will be very small.  In contrast, the list of people who need to manipulate the data inside the directory may be much larger and include Helpdesk, Deskside, different subgroups of IT, plain old users etc.  Allowing these people to complete tasks related to their role should never depend on adding them to Domain Admins.

As a domain admin, you can delegate abilities to security groups so they can exact change on the data in very specific areas of AD - For instance, you can create a security group and grant that group the ability to unlock user accounts which exist in a specific OU.  You can create a security group which allows Deskside or Helpdesk personnel to add an unlimited number of workstations to the domain.  You can create a group which allows an infrastructure IT team to CRUD DNS records etc.

Using delegation to grant ONLY THOSE PERMISSIONS needed to accomplish something will go a long way in keeping your domain/forest secure

Also, dont just focus on Domain Admins.  There are several builtin groups which should be used sparingly, if at all...  Here is an article about security groups which lists all the default builtin groups in AD and what they are capable of.
AD Security Groups
1
 
LVL 64

Assisted Solution

by:btan
btan earned 540 total points (awarded by participants)
ID: 41816302
Instead of the going for whitelist - knowing what domain admin is able to do, maybe start off the user in a limited user and role based grouping instead and domain admin is the group you should avoid at the default start or minimally restrict to one party instead a blanket to all admin. That is why RBAC will avoid now the exercise you are going thru .. just my few cents worth..
0
 
LVL 64

Expert Comment

by:btan
ID: 41844852
As per advised.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Check out the latest tech news, community articles, and expert highlights in August's newsletter.
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question