active directory real defense for domain admins
-
-
Good stuff. I'm typical of a small shop IT manager in that I'm a Domain Admin but am totally unqualified to have such powers and tend to avoid doing anything for fear of breaking something.
I have one question. He recommends setting Domain Admin logon restrictions to Domain Controllers only, so the DA is unable to log on to any other servers or workstations. This makes sense, I guess. However, if not Domain Admin, what kind of other domain account has local admin rights across the domain? For example, if I want to do something on a local workstation that requires admin rights, I currently log on as a DA. If I'm prevented from doing that, what should I log on as?
-
@Carnival-Boy Having a Domain Administrator account for the regular support tasks is not generally recommended. What I suggest is to create a normal account for these tasks. You can then create a GPO targeted to all Computer Objects (excluding your servers) in your AD and add this account to the Restricted Group; then this account will have admin access to all machines.
For more details about the Restricted Group: http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html
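A way to check that the two controls discussed above actually hold on your workstations (the technician group is in local Administrators, no individual user accounts have been added by hand, and Domain Admins are not logging on interactively), added here as an example and not code from the thread or the linked article. It assumes the RSAT ActiveDirectory module, PowerShell Remoting to the workstations, and a hypothetical technician group named "WS-Technicians".

```powershell
# Added audit example (not from the thread). Assumes RSAT ActiveDirectory module,
# PS Remoting enabled on workstations, and a hypothetical group "WS-Technicians"
# that the Restricted Groups GPO adds to local Administrators.
Import-Module ActiveDirectory

$TechGroup    = 'WS-Technicians'                     # assumed group name; adjust to yours
$Domain       = (Get-ADDomain).NetBIOSName
$DomainAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName

# Workstations only: exclude anything whose OS name says "Server"
$Workstations = Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"' `
                -Properties OperatingSystem | Select-Object -ExpandProperty Name

$Report = Invoke-Command -ComputerName $Workstations -ErrorAction SilentlyContinue -ScriptBlock {
    # 1. Current local Administrators membership
    $Admins = Get-LocalGroupMember -Group 'Administrators'
    $DirectUsers = $Admins |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -ne "$env:COMPUTERNAME\Administrator" } |
        Select-Object -ExpandProperty Name

    # 2. Interactive (type 2) and RDP (type 10) logons by Domain Admin accounts, last 7 days
    $Since = (Get-Date).AddDays(-7)
    $DaLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                -ErrorAction SilentlyContinue |
        Where-Object {
            $x    = [xml]$_.ToXml()
            $type = ($x.Event.EventData.Data | Where-Object Name -eq 'LogonType').'#text'
            $user = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
            ($type -in '2', '10') -and ($using:DomainAdmins -contains $user)
        } | Measure-Object | Select-Object -ExpandProperty Count

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        TechGroupPresent = $Admins.Name -contains "$using:Domain\$using:TechGroup"
        DirectUsers      = ($DirectUsers -join ',')   # hand-added user accounts are a finding
        DaLogons7d       = $DaLogons                  # any DA interactive logon on a workstation is a finding
    }
}

# Show only machines where one of the three controls is not holding
$Report | Where-Object { -not $_.TechGroupPresent -or $_.DirectUsers -or $_.DaLogons7d -gt 0 } |
    Format-Table Computer, TechGroupPresent, DirectUsers, DaLogons7d -AutoSize
```

Run it from a management host as an account that is a local administrator on the workstations but not a Domain Admin, so the audit itself does not create the DA logons it is looking for.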
-
Thanks. I will do that.
-
NTG has a "technician" group for local admin access to workstations.
-
I just followed this:
http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
Two-minute job and I'm all sorted.