Solved

Domain Admin AD access

Posted on 2016-10-25
2
23 Views
Last Modified: 2016-10-25
Hi Guys,

We need to lock down AD from a few domain admins as they need very high access but keep changing things they shouldn't.

Would the best option be to not allow write access on AD for the domain admins group and then add everyone that should have that power to the enterprise admins group?

Thanks.
0
Comment
Question by:Midwestern Regional
2 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 41859735
Wrong direction. Take away domain admin access from those who shouldn't have it. *By definition*, domain admins should be able to write to the domain.

Create a new group or groups for those you are about to take domain admin access from, and grant only the minimum necessary permissions' to that group to do what they need. You can still grant pretty high access. Delegated access has been in AD from the start, for example.
0
 

Author Comment

by:Midwestern Regional
ID: 41859747
Yeah i just discussed that. Probably easier make a power user group sort of thing.

Cheers
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Remove Installed Application 1 45
AD Activation of KMS Key 6 64
Password change 3 25
Migrating from SBS2011 5 10
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now