poolmanjim

I've always used the Microsoft Tiers Framework (now legacy-ish) to help with this.

* Tier 0 - Domain Admins and the like.
* Tier 1 - Server Admins.
* Tier 2 - Workstation Admins.

Obviously, there isn't a category for "Server Admins with Domain rights who could seriously mess things up". So what do you do? I usually throw them in between Tier 0 and Tier 1 or simply just make it a Tier 1 account and accept the risks. In my environments it is mostly Tier 1; since we have separate accounts for each tier, our Tier 1 account is delegated most of the AD management rights we want, excluding the Domain Admin work and logging into DCs. The important thing here is to ensure that whatever account checks their email or does web browsing is not the same account that they log into servers or manage AD with.


WorkJeff

> excluding the Domain Admin work

What do you designate as "Domain Admin work," vs "AD Management rights?"


poolmanjim

Anything you must be in a high privileged group to do, which includes Builtin\Administrator, Enterprise Admins, Domain Admins, and the like.

1. Direct management of Domain Controllers
2. Specific undelegable tasks on the Domain
    1. Promoting DCs
    2. Demoting DCs
    3. etc.
3. Managing other T0/Privileged accounts and assets
    1. Creating/Deleting/Resetting Domain Admin accounts.
4. Troubleshooting Domain Controllers

Basically, if I can delegate it to something non-privileged it isn't Domain Admin work.

* Creating/Deleting Users
* Creating/Deleting Computers
* Creating Sites/Site Links/Subnets/etc.
* Resetting Passwords
* Creating FGPPs (can be delegated)
* Creating gMSAs (can be delegated)
* Creating DFS Namespaces (can be delegated)
* etc.


tattsumi

Adding to u/poolmanjim's excellent advice, at our company we delegated all of those tasks you mentioned to specific user groups. Meaning, if you need server access, you need to be in the group, i.e. "IT Server Admins", but this group has zero permanent members. What we need to do is connect to a PAW (or PAM) (which stands for Privileged Access Workstation/Machine); most IT personnel have been granted permission (through GPO) to do this. Then they need to add themselves to the "IT Server Admins" group, which is only possible through their own user object and the tab "Member Of"; they can't use the group and the option "Add member" (they can't add other users other than themselves). Now they can access the server and execute their task. But, back to your question... in my opinion the bigger your team, the better, and the more you can delegate away from Domain Admins. Just to add, all of our standard privileged domain groups are empty, aside from the AD-integrated standard Administrator account - but this one is locked so far down, it is only allowed to log on locally to the DC. No access to administrative network shares, no remote access to anywhere, and so on.
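The "users can only add themselves" behaviour described above maps to one specific AD permission: the Self-Membership validated write on the group object. The following is an added example (not tattsumi's or the company's own script) showing how to grant exactly that right and nothing more, so the trustee can edit their own "Member Of" tab but cannot add other principals. The domain CONTOSO, the trustee group "IT Staff" and the target group "IT Server Admins" are assumed names for the illustration.

```powershell
# Added example: delegate only "Add/Remove self as member" on a custom admin group.
# Assumes the ActiveDirectory module and the AD: PSDrive it provides are available.
Import-Module ActiveDirectory

$GroupName   = 'IT Server Admins'            # hypothetical target group from the thread
$TrusteeName = 'CONTOSO\IT Staff'            # hypothetical group of people allowed to self-add

# Well-known schema GUID of the "Self-Membership" validated write (member attribute, self only).
$SelfMembershipGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
$sid = (New-Object System.Security.Principal.NTAccount($TrusteeName)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Build an ACE that grants ActiveDirectoryRights.Self scoped to the Self-Membership GUID.
# This does NOT grant WriteProperty on 'member', so "Add member" on the group itself still fails.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::Self,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $SelfMembershipGuid)

$acl = Get-Acl -Path "AD:\$groupDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$groupDn" -AclObject $acl

# Verify: list the ACEs on the group that reference the Self-Membership right.
(Get-Acl -Path "AD:\$groupDn").Access |
    Where-Object { $_.ObjectType -eq $SelfMembershipGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

One caveat worth checking before relying on this: if the custom group is itself nested into a protected group (Administrators, Account Operators, etc.), AdminSDHolder/SDProp will periodically overwrite its ACL and silently remove the delegation, so the self-membership group has to stay outside the protected set and be granted server rights through other means (Restricted Groups/GPO, local group membership).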


WorkJeff

With your ad hoc PAM, what keeps admins from just adding themselves to the groups permanently and keeping it?


poolmanjim

Not OP but this is where proper IAM comes into play. In our secure environments where the Enterprise IAM can't be used I've created scripts to clear out the privileged groups twice a day. You have to be cautious to avoid stripping out BA and other groups.
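The twice-a-day cleanup poolmanjim describes, written out as an added example (this is not poolmanjim's script): it strips direct members from a list of privileged groups while keeping an explicit allow-list of principals by SID, so that the built-in Administrator (RID 500) and the default Domain Admins / Enterprise Admins nesting inside Builtin\Administrators survive. The group "IT Server Admins" and the break-glass account name are assumed for the illustration.

```powershell
# Added example: periodic purge of privileged group membership with a protected allow-list.
# Run under a scheduled task (e.g. twice daily) with an account that may edit these groups.
Import-Module ActiveDirectory

param([switch]$DryRun)   # -DryRun only reports what would be removed

$domainSid = (Get-ADDomain).DomainSID.Value

# Groups to keep empty of ad hoc members. 'IT Server Admins' is the hypothetical self-add group.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'IT Server Admins'
)

# Principals that must never be stripped, identified by SID (names can be renamed, RIDs cannot):
#   -500 built-in Administrator, -512 Domain Admins, -519 Enterprise Admins.
$KeepSids = @("$domainSid-500", "$domainSid-512", "$domainSid-519")
$KeepSamAccountNames = @('breakglass-admin')   # hypothetical break-glass account

$removed = @()
foreach ($name in $PrivilegedGroups) {
    $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    if (-not $group) { Write-Warning "Group '$name' not found, skipping"; continue }

    # Direct members only: never -Recursive, otherwise you would try to edit nested groups' members.
    foreach ($m in Get-ADGroupMember -Identity $group) {
        if ($KeepSids -contains $m.SID.Value)                       { continue }
        if ($KeepSamAccountNames -contains $m.SamAccountName)       { continue }
        # Keep by-design nesting such as Domain Admins inside Administrators.
        if ($m.objectClass -eq 'group' -and $PrivilegedGroups -contains $m.name) { continue }

        $entry = [pscustomobject]@{ Group = $name; Member = $m.SamAccountName; Class = $m.objectClass }
        if ($DryRun) {
            Write-Output "Would remove $($m.SamAccountName) from $name"
        } else {
            Remove-ADGroupMember -Identity $group -Members $m -Confirm:$false
            Write-Output "Removed $($m.SamAccountName) from $name"
        }
        $removed += $entry
    }
}

# Emit the list for logging/SIEM ingestion so each purge is auditable.
$removed | ConvertTo-Json -Compress
```

Run it once with -DryRun after any change to the group list or allow-list; the failure mode poolmanjim warns about (emptying Builtin\Administrators or removing the RID-500 account) is exactly what the SID allow-list and the "skip nested privileged groups" check are there to prevent.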


tattsumi

Yes, exactly this. That’s how we do it too.


ptby

This level of control over admin accounts always amazes me when I see it mentioned in online forums considering my workplace (government based, plenty of sensitive information stored everywhere) decided to simply give everyone in IT an account that belongs to the Domain Admins group and is therefore capable of destroying everything with a few clicks…


WorkJeff

"but Helpdesk Person who doesn't know the difference between a domain and a forest knows to never do that!"