Solved

Domain Admin AD access

Posted on 2016-10-25
Last Modified: 2016-10-25
Hi Guys,

We need to lock down AD from a few domain admins as they need very high access but keep changing things they shouldn't.

Would the best option be to not allow write access on AD for the domain admins group and then add everyone that should have that power to the enterprise admins group?

Thanks.
2 Comments

Accepted Solution

by: Cliff Galiher
ID: 41859735
Wrong direction. Take away domain admin access from those who shouldn't have it. *By definition*, domain admins should be able to write to the domain.

Create a new group or groups for those you are about to take domain admin access from, and grant only the minimum necessary permissions to that group to do what they need. You can still grant pretty high access. Delegated access has been in AD from the start, for example.
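
The approach in the accepted answer, sketched as an added example that is not part of the original thread or the answerer's own code: record who is in Domain Admins, create a delegated group, grant it specific rights on one OU, then move the accounts across. The OU paths, group name, account names and the choice of delegated rights (password reset and unlock) are assumptions for illustration.

```powershell
# Added example. Every name below is hypothetical; adjust to your own domain.
Import-Module ActiveDirectory

$targetOu  = 'OU=Staff,DC=example,DC=com'         # OU the delegated group will manage
$groupOu   = 'OU=Admin Groups,DC=example,DC=com'  # where the new group object lives
$groupName = 'Staff-Account-Delegates'
$toDemote  = 'jsmith', 'mjones'                   # accounts leaving Domain Admins

# 1. Record current Domain Admins membership (nested groups included) for the change record.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object name, SamAccountName, objectClass |
    Export-Csv -Path .\domain-admins-before.csv -NoTypeInformation

# 2. Create the delegated group.
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupCategory Security -GroupScope Global -Path $groupOu `
    -Description 'Delegated: reset password / unlock users in Staff OU'

# 3. Grant only the rights this group needs, on user objects under the target OU.
#    /I:S applies the entry to child objects; CA = control access right,
#    RPWP = read/write a single property.
$trustee = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $groupName
dsacls $targetOu /I:S /G "${trustee}:CA;Reset Password;user"
dsacls $targetOu /I:S /G "${trustee}:RPWP;pwdLastSet;user"   # force change at next logon
dsacls $targetOu /I:S /G "${trustee}:RPWP;lockoutTime;user"  # unlock account

# 4. Move the accounts: add to the delegated group, then remove from Domain Admins.
Add-ADGroupMember    -Identity $groupName      -Members $toDemote
Remove-ADGroupMember -Identity 'Domain Admins' -Members $toDemote -Confirm:$false

# 5. Verify: remaining Domain Admins, and the entries now present on the OU.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName
dsacls $targetOu | Select-String -SimpleMatch $groupName
```

Accounts removed from Domain Admins keep `adminCount=1` and disabled ACL inheritance on their own user objects until that is reset, so review those accounts separately.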

Author Comment

by:Mid-Western Regional Council
ID: 41859747
Yeah, I just discussed that. Probably easier to make a power user group sort of thing.

Cheers
Question has a verified solution.
