Solved

Domain Admin AD access

Posted on 2016-10-25
2
30 Views
Last Modified: 2016-10-25
Hi Guys,

We need to lock down AD from a few domain admins as they need very high access but keep changing things they shouldn't.

Would the best option be to not allow write access on AD for the domain admins group and then add everyone that should have that power to the enterprise admins group?

Thanks.
0
Comment
Question by:Midwestern Regional
2 Comments
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 41859735
Wrong direction. Take away domain admin access from those who shouldn't have it. *By definition*, domain admins should be able to write to the domain.

Create a new group or groups for those you are about to take domain admin access from, and grant only the minimum necessary permissions' to that group to do what they need. You can still grant pretty high access. Delegated access has been in AD from the start, for example.
0
 

Author Comment

by:Midwestern Regional
ID: 41859747
Yeah i just discussed that. Probably easier make a power user group sort of thing.

Cheers
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question