Grant domain admin-like credentials

alexsupertramp
Hi Experts. Can I get advice on giving a user domain admin-like creds without making them a domain admin? They should have local admin privileges on all servers and be able to add/remove/change users.

Two domains, one w2k8 and one w2k12 r2

Thanks in advance

Dave

John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can make a local admin on a server, but such a user can change to a Domain Admin.

You are between a rock and a hard place. They are either Administrators or not.

Author

Commented:
I'm not sure you are accurate on that one, John. I believe there is a way to get a user admin rights on an OU via Delegate Control or Group Policy. That's the type of information I'm looking for.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
An Admin can change anything. And what you want done needs admin credentials.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
One practical (but very detailed) solution for this is BeyondTrust

https://www.beyondtrust.com/

This is an extension of Group Policies and allows you to define specific tasks that a "user" could do. So you would have to approach from the point of view of detailing the tasks (as opposed to granting overall permission and hoping for the best).
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013
Commented:
Really depends on what you want them to do.

If you want them to have admin rights on all workstations and servers EXCEPT domain controllers, I would recommend creating a couple of groups, "Workstation Admins" and "Server Admins". Place the Workstation Admins group in the local Admins group on all workstations. Place the Server Admins group in all the local Admins groups on the servers EXCEPT the domain controllers (which don't have local Admins groups).

Users who you want to be server admins, add to the Server Admins group. Users who you want to be workstation admins with admin rights on the workstations, you put in the Workstation Admins group.

If you want users to have rights to create/modify users in Active Directory, you can delegate access for an OU or OUs to a particular group. If you want more customized access rights, create special domain groups ("Domain Controller Managers", for example) and customize the user rights assignment for that group. Then put the users in the group. It's potentially time consuming to set up, but all very possible...
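The two-group layout above, as an added example that is not part of Lee W's answer: it creates the "Server Admins" and "Workstation Admins" groups, then puts "Server Admins" into the local Administrators group on every member server while skipping domain controllers (which have no local SAM). The OU path and domain name are assumptions. The Restricted Groups GPO the author later used is the durable way to enforce this membership; this script is for the initial population and for checking that the GPO did what you expect. It uses `net localgroup` rather than `Add-LocalGroupMember` because the latter does not exist on 2008 / 2012 R2.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) and
# WinRM on the servers. Group and OU names are assumptions.
Import-Module ActiveDirectory

$groupOu = 'OU=Admin Groups,DC=corp,DC=example'   # assumed OU for role groups
$groups  = @{
    'Server Admins'      = 'Members of local Administrators on member servers (never DCs)'
    'Workstation Admins' = 'Members of local Administrators on workstations'
}

foreach ($name in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path $groupOu -Description $groups[$name]
    }
}

# Member servers only. Domain controllers carry PrimaryGroupID 516 ("Domain Controllers")
# and must be excluded: adding a group to "Administrators" on a DC means Builtin\Administrators
# of the whole domain, which is the Domain Admin-equivalent the question wants to avoid.
$servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*' -and PrimaryGroupID -ne 516" `
                          -Properties OperatingSystem, PrimaryGroupID

$member = "$((Get-ADDomain).NetBIOSName)\Server Admins"

Invoke-Command -ComputerName $servers.Name -ErrorAction Continue -ArgumentList $member -ScriptBlock {
    param($Member)
    # Check before adding so re-runs are harmless; net localgroup errors on duplicates.
    $current = net localgroup Administrators
    if ($current -match [regex]::Escape($Member)) {
        "$env:COMPUTERNAME: $Member already present"
    } else {
        net localgroup Administrators $Member /add | Out-Null
        "$env:COMPUTERNAME: added $Member"
    }
}
```

In the Restricted Groups policy, prefer the "This group is a member of: Administrators" form (the group's "Member Of" list) over listing the members of Administrators directly: the former adds "Server Admins" and leaves whatever else is in the local group alone, while the latter replaces the local group's membership on every refresh.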
You can make a local admin on a server but the such user can change to a Domain Admin.

Making someone a local admin on your member computers (client or server) does not give the ability to elevate to a domain admin. You are confusing a standalone or member server's local SAM with AD. Domain\Administrators (scope = domain) is not equivalent to Server\Administrators (scope = host).

I'm not sure you are accurate on that one, John. I believe there is a way to get a user admin rights on an OU via Delegate Control or Group Policy. That's the type of information I'm looking for.

Correct, delegation is achieved via group policy. There is a detailed article here on the Microsoft wiki. As far as delegating out rights for user, group, computer, and other object management within AD, you can do this via either the delegation wizard (see this article here), or by modifying the advanced security of the OU and applying that permission to objects of a certain type (Computer, User, etc.), or via scripting (PowerShell, batch, etc.). If you're just starting out with delegating out rights, use the delegation wizard via Active Directory Users and Computers. I always recommend testing changes in a pre-production environment before making changes to your production AD environment. The good news is, no matter what you do, a domain admin can always undo it ... it just might be painful.
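The scripted form of the OU delegation discussed in the two answers above (Lee W's "delegate access for an OU to a group" and the wizard / advanced-security / PowerShell options just listed), as an added example that is not part of either answer. The Delegation of Control wizard writes access control entries onto the OU; this does the same with explicit ACEs, so you can see and audit exactly what "Create, delete and manage user accounts" plus "Reset user passwords" amounts to. The OU, group and domain names are assumptions; the two schema GUIDs are fixed across every forest.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (it provides the AD: drive).
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=corp,DC=example'                       # assumed target OU
$group = Get-ADGroup -Identity 'User Managers'                # assumed delegation group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known schema GUIDs (identical in every AD forest)
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    # 1. Create and delete user objects in this OU and any sub-OU ("add/remove users")
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $userClass, $inh::All),

    # 2. Read and write every attribute of existing user objects ("change users").
    #    Deliberately not GenericAll: that would also hand over WriteDacl/WriteOwner on the users.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $inh::Descendents, $userClass),

    # 3. Reset Password extended right on user objects (not Change Password, which needs the old one)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights::ExtendedRight, $allow, $resetPassword, $inh::Descendents, $userClass)
)

$acl = Get-Acl -Path "AD:\$ou"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: list what the group can now do on this OU
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.Name)" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Two caveats worth checking before you call this done. First, these ACEs do not let the delegate manage group membership; if "change users" includes moving people between groups, you need a separate WriteProperty ACE for the member attribute on group objects. Second, WriteProperty on all user attributes includes attributes an attacker can abuse (for example servicePrincipalName and the userAccountControl flags), so keep the delegated OU free of admin accounts and do not apply this at the domain root.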
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
Totally disagree with the first few comments by JH, and you do not need to buy a 3rd party tool.

Follow my process to create global admins ("...local admin privileges on all servers...")
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html

Finer delegation can be done like this and extended with Delegwiz.inf ("...add/remove/change users...")
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html

As for local admins, you can set passwords via
https://www.experts-exchange.com/articles/31583/Active-Directory-Securely-Set-Local-Account-Passwords.html
https://www.experts-exchange.com/articles/30617/How-to-manage-local-account-passwords-from-Active-Directory-without-LAPS.html
or LAPS

After that, consider having tiers. DAs should not log in to servers interactively because password hashes can be harvested.
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html

Additional motivation not to give people Domain Admins: in essence, all users that currently have DA are able to get password hashes for all users. I would do an audit and get people with weak passwords to change their passwords.
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html
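The tier rule in the answer above ("DAs should not log in to servers interactively"), as an added example that is not part of Shaun's answer or his articles: it builds a security template that denies Domain Admins local and RDP logon in the same [Privilege Rights] syntax Group Policy stores in GptTmpl.inf, and applies it to one member server with secedit so the effect can be tested before the setting is put into the server-tier GPO. The domain name is an assumption.

```powershell
# Added example, not from the thread. Run on a member server as a local administrator;
# the ActiveDirectory module is only used to resolve the Domain Admins SID.
Import-Module ActiveDirectory

# Refuse to run on a domain controller: denying DA logon there locks the DAs out of the DCs.
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole   # 4 = backup DC, 5 = primary DC
if ($role -ge 4) { throw 'Refusing to apply a Domain Admins logon deny on a domain controller' }

# Domain Admins is always S-1-5-21-<domain>-512; resolve it rather than hard-coding the domain part.
$daSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value

# Same format as SYSVOL\...\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf. SIDs are prefixed with '*'.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *{0}
SeDenyRemoteInteractiveLogonRight = *{0}
'@ -f $daSid

$inf = Join-Path $env:TEMP 'deny-da-logon.inf'
$template | Set-Content -Path $inf -Encoding Unicode

# Apply only the user-rights area; other areas of local security policy are untouched.
secedit /configure /db "$env:TEMP\deny-da-logon.sdb" /cfg $inf /areas USER_RIGHTS /quiet

# Verify by exporting the effective user rights and showing the two deny entries.
$export = Join-Path $env:TEMP 'user-rights-after.inf'
secedit /export /cfg $export /areas USER_RIGHTS /quiet
Select-String -Path $export -Pattern 'SeDeny(Remote)?InteractiveLogonRight'
```

Deny rights win over allow rights, so a Domain Admin who is also in "Server Admins" will still be refused at the console and over RDP, which is the point: they administer servers with a separate tier-1 account. Keep a documented break-glass path (a tier-1 admin account, or the local administrator password from LAPS) before rolling the deny into a GPO, and link that GPO to the server OUs only, never to Domain Controllers.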

Author

Commented:
Thanks for your solutions. I used the delegation wizard in conjunction with the Restricted Groups GPO and it seems to be working well for our new staff. I also appreciate the additional granular info from Shaun. I will review this as well.

Author

Commented:
Hi everyone. I have come across a problem where the person with delegated privileges cannot move a workstation from the "Computers" container, which is the default container machines land in when added to the domain, to a different OU. As in my screenshot, I need all workstations moved into the "ldi-pcs" folder so that group policies can take effect. The "Computers" container is not available in GPO Manager to link a GPO to. Any idea on how to resolve this?

I have also manually given him full control through the "security" tab for "computers" in ADUC.
aduc_computers.png
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
All PCs need to be in ldi-pcs? Why not just use redircmp and set it to the default?
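The redircmp suggestion above, as an added example that is not part of Shaun's comment: it repoints the default computer container at the workstation OU, confirms the change on the domain's wellKnownObjects attribute, and moves the machines that already landed in CN=Computers. The OU name "ldi-pcs" is from the thread; its position directly under the domain root, and the domain name, are assumptions. The move step also explains the author's symptom: a move is a delete from the source plus a create in the target, so delegating rights on the destination OU alone is never enough.

```powershell
# Added example, not from the thread. redircmp needs Domain Admins (it writes to the domain
# head) and a domain functional level of Windows Server 2003 or higher; run it once as DA.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$targetOu = "OU=ldi-pcs,$($domain.DistinguishedName)"   # assumption: ldi-pcs sits at the domain root

if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$targetOu'")) {
    throw "Target OU $targetOu does not exist"
}

# 1. New computer accounts (joins that do not specify an OU) now land in ldi-pcs instead of CN=Computers.
redircmp $targetOu

# 2. Confirm: the well-known "Computers container" entry (GUID AA312825768811D1ADED00C04FD8D5CD)
#    in wellKnownObjects on the domain head should now reference the OU.
$wko = (Get-ADObject -Identity $domain.DistinguishedName -Properties wellKnownObjects).wellKnownObjects
$wko | Where-Object { $_ -like 'B:32:AA312825768811D1ADED00C04FD8D5CD:*' }

# 3. Move the machines already sitting in CN=Computers. This needs Delete (or Delete Child)
#    on the source container and Create Child on the target: delegating the target alone fails.
$stale = Get-ADComputer -SearchBase $domain.ComputersContainer -SearchScope OneLevel -Filter *
foreach ($c in $stale) {
    # Remove -WhatIf after reviewing the list that this prints.
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $targetOu -WhatIf
}
```

Group Policy cannot be linked to CN=Computers because it is a container, not an organizational unit, which is why redirecting the default location is cleaner than handing the delegate Full Control over the container: that grant is broader than the task and survives long after the original problem is forgotten.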

Author

Commented:
That's good advice, Shaun. I did end up resolving it for now by giving him full control over the "Computers" OU.
