who needs domain admin rights

Posted on 2016-09-26
Last Modified: 2016-10-15
We are doing a review of members of powerful AD groups, e.g. domain admins. Can you provide some examples of the types of admin/management tasks for which a user requires domain admin permissions? I.e. what tasks require the use of domain admin rights? Seeing some examples of the types of task that would require domain admin permissions would help us identify whether some on our list of members are valid or should be removed.
Question by: pma111
Assisted Solution

sXmont1j6 earned 55 total points (awarded by participants)
ID: 41815889
Domain admins have the ability to do pretty much everything on a network. More than likely, those users can be removed, especially if they are using those accounts for everyday activities.

Assisted Solution

McKnife earned 55 total points (awarded by participants)
ID: 41815892
Domain administrators administer the whole domain. They are local admins on all systems. They can administer all AD objects, GPO, certificates, passwords. Anything. So only make someone domain admin if he should have unlimited access. As simple as that.

And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)

Assisted Solution

Kimputer earned 55 total points (awarded by participants)
ID: 41815897
Usually, ONLY the highest IT member/team has domain admin rights. That's because even the CEO/CTO/COO of any big company has nothing to do with it (they may have the admin/password at all times, archived somewhere or locked in a safe, because it's their environment after all, but usually they should do NOTHING with it except in emergencies).

Assisted Solution

btan earned 135 total points (awarded by participants)
ID: 41815914
Back to the definition of domain admin before taking a snapshot. But do review the other Administrators groups too - Limiting Administrator Rights to Those Rights That Are Actually Required, e.g.:

- Avoid using the Account Operators group for strictly delegating a "data administration" task, such as account management.
- Membership in the Backup Operators group in Active Directory should be limited to those individuals who back up and restore domain controllers.
- Data administrators have no control over the configuration and delivery of the directory service itself; they control subsets of objects in the directory. Using permissions on objects that are stored in the directory, it is possible to limit the control of a given administrator account to very specific areas of the directory.
- Take additional steps to enforce strong administrative credentials, such as requiring smart cards for administrative logon, or requiring two forms of identification, with each form held by a different administrator.

Domain Admins - this group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain, and it can modify the membership of all administrative accounts in the domain.

- create/delete AD leaf objects (users, groups, workstation computers, server computers)
- modify attributes of AD leaf objects (e.g. user object details like phone, address)
- AD services (sites, subnets, SCPs, trusts, etc.)
- GP admins (including Central Store admin)
- Exchange objects (mailboxes, SMTP addresses, etc.)
- DFS admin
- member computer admin rights (e.g. administer workstations, including rejoin to domain, remote control, remote management, access logs, access volumes on workstations)
- DNS admin
- DHCP admin
- member server admin (not DCs)

Another option is to try AccessEnum and AccessChk (Sysinternals) on an actual domain admin user to see the list of rights it is given by default; that gives some sense of the default permissions, which can be further limited based on the role of the user.
- AccessEnum: to quickly view user access to a tree of directories or registry keys, helping you find security holes and lock down permissions where necessary.
- AccessChk: to know what kind of access specific users or groups have to resources, including files, directories, registry keys, global objects and Windows services.
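As an added worked example (not part of btan's post or the original thread), the PowerShell below does the membership review the question asks for: it expands nested membership of the built-in privileged groups discussed above and lists each human account together with signals that suggest it is used for everyday work, then lists accounts that SDProp has marked adminCount=1 but which no longer sit in any of those groups. It assumes the RSAT ActiveDirectory module is installed and that it runs as an account that can read the groups; the group list and the "looks like a daily-use account" heuristics (mailbox present, very recent logon) are assumptions to adjust for your own environment.

```powershell
# Added example, not from the original thread.
# Assumes: RSAT ActiveDirectory module; run in the domain being reviewed.
Import-Module ActiveDirectory

# Built-in groups worth reviewing; Enterprise/Schema Admins exist only in the forest root.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators',
                    'Print Operators', 'DnsAdmins'

$report = foreach ($g in $PrivilegedGroups) {
    $grp = Get-ADGroup -Filter { Name -eq $g } -ErrorAction SilentlyContinue
    if (-not $grp) { continue }

    try {
        # -Recursive expands nesting, so "Helpdesk -> Account Operators" chains show up.
        $members = Get-ADGroupMember -Identity $grp -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Could not expand $g : $_"
        continue
    }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties LastLogonDate, PasswordLastSet, adminCount, MemberOf, mail
        [pscustomobject]@{
            Group       = $g
            User        = $u.SamAccountName
            Enabled     = $u.Enabled
            LastLogon   = $u.LastLogonDate
            PasswordAge = if ($u.PasswordLastSet) {
                              (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
                          } else { $null }
            # Assumption: a mail-enabled admin account is probably someone's daily account.
            HasMailbox  = [bool]$u.mail
            GroupCount  = @($u.MemberOf).Count
        }
    }
}

# One row per (group, user); the same person in several groups appears several times.
$report | Sort-Object User, Group | Format-Table -AutoSize

# SDProp sets adminCount=1 on members of protected groups but never clears it.
# Accounts still flagged but no longer in any group above were removed without cleanup.
$stillFlagged = Get-ADUser -Filter { adminCount -eq 1 } -Properties adminCount |
                Where-Object { $report.User -notcontains $_.SamAccountName }
$stillFlagged | Select-Object SamAccountName, DistinguishedName
```

Accounts that appear in several groups, have a mailbox and logged on today are the ones to question first; a domain admin account used for e-mail and browsing is exactly the "everyday activities" case sXmont1j6 mentions. The second query is a cleanup list rather than a rights list: a stale adminCount=1 account keeps the protected ACL (inheritance disabled), so delegated helpdesk permissions on its OU will not apply to it until the flag and ACL are reset.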

Author Comment

ID: 41815971
And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)

Erm... no, it doesn't. I appreciate that domain admins have full unrestricted access, but I felt it useful to see what kind of administrators get that access in other companies, as surely you could argue nobody really needs domain admin access and could be granted more granular access - but I didn't know if there were specific events where someone does need domain admin, perhaps for certain types of major incidents to your AD.

Accepted Solution

sAMAccountName earned 200 total points (awarded by participants)
ID: 41816248
Just adding my $.02 to this question.

"Who needs to be in Domain Administrators?"
Short answer:
Only those one or two people who understand Active Directory and the impact their actions can have to the business

Longer answer:
Think of AD as having 2 components;
1. The underlying platform and topology (Domain Controllers, Policies, Schema, Replication configuration etc)
2. Directory Data (Logical containers and objects like OUs, Groups, Users, Computers, Printers etc.)

Domain Admins can CRUD (Create/Read/Update/Delete) everything, including configuration, policies, topology and security.  The list of people who actually need to do this will be very small.  In contrast, the list of people who need to manipulate the data inside the directory may be much larger and include Helpdesk, Deskside, different subgroups of IT, plain old users etc.  Allowing these people to complete tasks related to their role should never depend on adding them to Domain Admins.

As a domain admin, you can delegate abilities to security groups so they can effect change on the data in very specific areas of AD - for instance, you can create a security group and grant that group the ability to unlock user accounts which exist in a specific OU. You can create a security group which allows Deskside or Helpdesk personnel to add an unlimited number of workstations to the domain. You can create a group which allows an infrastructure IT team to CRUD DNS records, etc.

Using delegation to grant ONLY THOSE PERMISSIONS needed to accomplish something will go a long way in keeping your domain/forest secure

Also, don't just focus on Domain Admins. There are several built-in groups which should be used sparingly, if at all... Here is an article about security groups which lists all the default built-in groups in AD and what they are capable of.
AD Security Groups
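The OU-scoped delegation sAMAccountName describes, as an added PowerShell example that is not from the original thread: it grants a helpdesk group the ability to unlock accounts and reset passwords only for users under one OU, by writing two ACEs on that OU instead of adding the group to Domain Admins. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), that it runs as a user allowed to modify the OU's security descriptor, and uses placeholder OU and group names. The attribute and extended-right GUIDs are resolved from the schema and configuration partitions at run time rather than hard-coded.

```powershell
# Added example, not from the original thread.
# Assumes: RSAT ActiveDirectory module; caller may change the OU's ACL.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$GroupName = 'Helpdesk-AccountUnlock'         # placeholder delegation group

$rootDse  = Get-ADRootDSE
$group    = Get-ADGroup -Identity $GroupName
$groupSid = [System.Security.Principal.SecurityIdentifier] $group.SID

# Resolve GUIDs from this forest instead of trusting copied constants.
$userClassGuid = [guid] (Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -Filter { lDAPDisplayName -eq 'user' } -Properties schemaIDGUID).schemaIDGUID
$lockoutGuid   = [guid] (Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -Filter { lDAPDisplayName -eq 'lockoutTime' } -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid] (Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -Filter { displayName -eq 'Reset Password' } -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path "AD:\$TargetOU"

# ACE 1 - "Unlock account": read/write the lockoutTime attribute on user objects
# beneath the OU. This is what the ADUC delegation wizard writes for "Unlock".
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights] 'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# ACE 2 - "Reset password": a separate extended right, again limited to user
# objects under this OU. Without it the group can unlock but not reset.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show only the ACEs now held by the delegation group on this OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

Two points a practitioner should check after running this. First, the inheritance type is Descendents with the user class as the inherited-object type, so the ACEs apply to users under the OU and to nothing else; moving a user out of the OU removes the helpdesk's reach over it. Second, members of protected groups (adminCount=1) have inheritance disabled by SDProp, so even a domain admin account parked in this OU stays outside the delegation, which is the intended behaviour.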

Assisted Solution

btan earned 135 total points (awarded by participants)
ID: 41816302
Instead of going for a whitelist, i.e. knowing what domain admin is able to do, maybe start off the user in a limited, role-based grouping instead; domain admin is the group you should avoid at the default start, or minimally restrict to one party instead of a blanket to all admins. That is why RBAC will avoid the exercise you are going through now... just my few cents' worth.

Expert Comment

ID: 41844852
As per advised.
