Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Domain Admin AD access

Posted on 2016-10-25
2
Medium Priority
?
39 Views
Last Modified: 2016-10-25
Hi Guys,

We need to lock down AD from a few domain admins as they need very high access but keep changing things they shouldn't.

Would the best option be to not allow write access on AD for the domain admins group and then add everyone that should have that power to the enterprise admins group?

Thanks.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 41859735
Wrong direction. Take away domain admin access from those who shouldn't have it. *By definition*, domain admins should be able to write to the domain.

Create a new group or groups for those you are about to take domain admin access from, and grant only the minimum necessary permissions' to that group to do what they need. You can still grant pretty high access. Delegated access has been in AD from the start, for example.
0
 

Author Comment

by:Mid-Western Regional Council
ID: 41859747
Yeah i just discussed that. Probably easier make a power user group sort of thing.

Cheers
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question