

who needs domain admin rights

Posted on 2016-09-26
Medium Priority
Last Modified: 2016-10-15
We are doing a review of members of powerful AD groups, e.g. domain admins. Can you provide some examples of the types of admin/management tasks whereby a user requires domain admin permissions? I.e. what tasks require the use of domain admin rights. Seeing some examples of the types of task that would require domain admin permissions would help us identify whether some on our list of members are valid or should be removed.
Question by:pma111

Assisted Solution

sXmont1j6 earned 220 total points (awarded by participants)
ID: 41815889
Domain admins have the ability to do pretty much everything on a network. More than likely, those users can be removed, especially if they are using those accounts for everyday activities.
LVL 56

Assisted Solution

McKnife earned 220 total points (awarded by participants)
ID: 41815892
Domain administrators administer the whole domain. They are local admins on all systems. They can administer all AD objects, GPO, certificates, passwords. Anything. So only make someone domain admin if he should have unlimited access. As simple as that.

And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)
LVL 36

Assisted Solution

Kimputer earned 220 total points (awarded by participants)
ID: 41815897
Usually, ONLY the highest IT member/team has domain admin rights. That's because even the CEO/CTO/COO of any big company has nothing to do with it (they may have the admin password at all times, archived somewhere or locked in a safe, because it's their environment after all, but usually they should do NOTHING with it except in emergencies).

LVL 65

Assisted Solution

btan earned 540 total points (awarded by participants)
ID: 41815914
Back to the definition of domain admin before taking a snapshot. But do review the other Administrators groups too - Limiting Administrator Rights to Those Rights That Are Actually Required, e.g.:

- Avoid using the Account Operators group for strictly delegating a "data administration" task, such as account management.
- Membership in the Backup Operators group in Active Directory should be limited to those individuals who back up and restore domain controllers.
- Data administrators have no control over the configuration and delivery of the directory service itself; they control subsets of objects in the directory. Using permissions on objects that are stored in the directory, it is possible to limit the control of a given administrator account to very specific areas of the directory.
- Take additional steps to enforce strong administrative credentials, such as requiring smart cards for administrative logon, or requiring two forms of identification, with each form held by a different administrator.

This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.

- create/delete AD leaf objects (users, groups, workstation computers, server computers)
- modify attributes of AD leaf objects (e.g. user object details like phone, address)
- AD services (sites, subnets, SCPs, trusts, etc.)
- GP admins (including Central Store admin)
- Exchange objects (mailboxes, SMTP addresses, etc.)
- DFS admin
- member computer admin rights (e.g. administer workstations including rejoin to domain, remote control, remote manage, access logs, access volumes on workstations)
- DNS admin
- DHCP admin
- member server admin (not DCs)

Another is to try AccessEnum and AccessChk (Sysinternals) on an actual Domain Admin user to see the list of rights it is given by default; that gives some sense of the default permissions, which can be further limited based on the role of the user.
- to quickly view user accesses to a tree of directories or registry keys, helping you find security holes and lock down permissions where necessary.
- to know what kind of accesses specific users or groups have to resources including files, directories, registry keys, global objects and Windows services.
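The membership review the question describes, and the advice above to look beyond Domain Admins at the other built-in administrative groups, can be scripted. The following PowerShell is an added example written for this page, not code posted by any participant; it assumes the ActiveDirectory RSAT module is installed and that the 90-day staleness threshold and output file name are choices you would adjust. It enumerates each privileged group recursively (so nested groups are not missed), records when each member last logged on, and flags enabled members that appear unused, which are the first candidates to discuss with their owners.

```powershell
# Added example: inventory the members of high-privilege AD groups and flag
# accounts that look stale or disabled. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Built-in groups worth reviewing, not just Domain Admins.
$privilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Schema Admins',
    'Administrators',
    'Account Operators',
    'Backup Operators'
)

# Assumption: an enabled privileged account with no logon in 90 days is a
# candidate for removal. LastLogonDate comes from lastLogonTimestamp, which
# replicates with up to ~14 days of lag, so treat it as approximate.
$staleAfter = (Get-Date).AddDays(-90)

$report = foreach ($groupName in $privilegedGroups) {
    try {
        $group = Get-ADGroup -Identity $groupName
    } catch {
        Write-Warning "Group '$groupName' not found, skipping"
        continue
    }

    # -Recursive expands nested groups so indirect members are counted too.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                            -Properties LastLogonDate, PasswordLastSet, Enabled, Description
            [pscustomobject]@{
                Group           = $groupName
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Description     = $u.Description
                Stale           = ($u.Enabled -and
                                   (-not $u.LastLogonDate -or $u.LastLogonDate -lt $staleAfter))
            }
        }
}

# Show the review on screen and keep a CSV as the audit artefact.
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\privileged-group-review.csv -NoTypeInformation

# Quick summary: how many people hold each group, and how many look stale.
$report | Group-Object Group | ForEach-Object {
    $stale = ($_.Group | Where-Object Stale).Count
    "{0}: {1} members, {2} stale" -f $_.Name, $_.Count, $stale
}
```

Run it as an account that can read group membership (no domain admin rights are needed for the read-only part). A member that appears in several rows holds several privileged groups at once and is worth a closer look; a service account in Domain Admins is a classic finding that delegation or a dedicated group usually removes.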

Author Comment

ID: 41815971
And sorry, but such a question reads almost like "we have nuclear weapons and we are reviewing the groups of persons that have access to those - what can we do with nuclear weapons, please advise" ;-)

erm.. no it doesn't. I appreciate domain admins have full unrestricted access, but felt it useful to see what kind of administrators get that access in other companies, as surely you could argue nobody really needs domain admin access and could be granted more granular access - but I didn't know if there were specific events whereby someone does need domain admins perhaps for certain types of major incidents to your AD.

Accepted Solution

sAMAccountName earned 800 total points (awarded by participants)
ID: 41816248
Just adding my $.02 to this question.

"Who needs to be in Domain Administrators?"
Short answer:
Only those one or two people who understand Active Directory and the impact their actions can have on the business.

Longer answer:
Think of AD as having 2 components:
1. The underlying platform and topology (Domain Controllers, Policies, Schema, Replication configuration, etc.)
2. Directory Data (Logical containers and objects like OUs, Groups, Users, Computers, Printers, etc.)

Domain Admins can CRUD (Create/Read/Update/Delete) everything, including configuration, policies, topology and security. The list of people who actually need to do this will be very small. In contrast, the list of people who need to manipulate the data inside the directory may be much larger and include Helpdesk, Deskside, different subgroups of IT, plain old users, etc. Allowing these people to complete tasks related to their role should never depend on adding them to Domain Admins.

As a domain admin, you can delegate abilities to security groups so they can effect change on the data in very specific areas of AD. For instance, you can create a security group and grant that group the ability to unlock user accounts which exist in a specific OU. You can create a security group which allows Deskside or Helpdesk personnel to add an unlimited number of workstations to the domain. You can create a group which allows an infrastructure IT team to CRUD DNS records, etc.

Using delegation to grant ONLY THOSE PERMISSIONS needed to accomplish something will go a long way in keeping your domain/forest secure.

Also, don't just focus on Domain Admins. There are several built-in groups which should be used sparingly, if at all... Here is an article about security groups which lists all the default built-in groups in AD and what they are capable of.
AD Security Groups
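The first delegation in the answer above, letting a helpdesk group unlock accounts in one OU without joining Domain Admins, comes down to one object-specific ACE. The PowerShell below is an added example for this page, not the answerer's code; the OU path and group name are assumptions, while the two GUIDs are the fixed schema identifiers of the lockoutTime attribute and the user object class. Unlocking an account is a write to lockoutTime, so read/write on that single attribute, inherited only by user objects under the OU, is the whole grant. The last step reads the ACL back, which is what a reviewer checks when confirming that a delegation is as narrow as intended.

```powershell
# Added example: delegate "unlock user account" on one OU to a security group.
# Assumes the ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

$targetOu  = 'OU=Staff,DC=corp,DC=example'   # assumed OU holding the accounts
$groupName = 'Helpdesk-Unlock'                # assumed delegation group

# Well-known schema GUIDs for object-specific ACEs.
$lockoutTimeAttr = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$userClass       = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Read + write on lockoutTime only; nothing else on the user object.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Descendents + $userClass: the ACE applies to user objects below the OU,
# not to the OU itself and not to groups or computers in it.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)

$acl = Get-Acl -Path "AD:\$targetOu"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Verify: list only the ACEs granted to the delegation group on this OU.
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

The same pattern, with a different attribute or extended-right GUID and object class, covers the other delegations mentioned (password resets, joining workstations, DNS records); the Delegation of Control wizard writes equivalent ACEs, but scripting them keeps the grant reviewable and repeatable. Helpdesk staff then need `Unlock-ADAccount` or the ADUC checkbox and nothing more.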
LVL 65

Assisted Solution

btan earned 540 total points (awarded by participants)
ID: 41816302
Instead of going for a whitelist - knowing what a domain admin is able to do - maybe start off the user in a limited user and role-based grouping instead; domain admin is the group you should avoid at the default start, or minimally restrict it to one party instead of a blanket to all admins. That is why RBAC will avoid the exercise you are going through now .. just my few cents' worth..
LVL 65

Expert Comment

ID: 41844852
As per advised.
