Channel: Directory Services forum

Proper Domain Delegation in non-standard environment

Hello all!

We are an IT shop that is working on deploying proper administrative AD delegation on our domain. We are working through the information provided by Microsoft and trying to fit it to a specific scenario and it is not working.

It is my understanding that in a normal scenario you have DCs and member servers. You then have server admins that can have rights to the member servers but not the DCs. This limits exposure of the DCs and then, according to MS, you only ever log into the DCs in a disaster or build-out situation. The idea is that you never use the domain admin (DA), enterprise admin (EA), or built-in domain Administrators group (BA). You use RSAT to manage users or other servers from a management server/PC, but never log into the DC unless you absolutely have to.

We have deployed this least-privileged concept to our domain and it is working well for the most part.

The problem we are running into is with a larger customer. They have a primary location that has a couple of DCs and some member servers. They also have about 50 locations that each have a single server that is a DC/file server/print server. The issue is: if we have a stripped-down admin account that does not have AD delegation, or only has a few OUs, how do we allow them to log into the DC to manage files and printers without giving too much access? Because in AD there are no local groups, they are not local admins. Making them local admins would basically make them Active Directory administrators, and we do not want that. How can we accomplish this?

Our ultimate goal is this...

Tier 1 admins - These are users that have rights to the workstations. We have implemented this and it is working fine.

Tier 2 admins - These are users that have access to all member servers and some basic administration on the servers. We can accomplish most of this via RSAT and delegation, but these users are the ones that will occasionally need access to site servers for file shares and print management but should not have full-blown access to AD.

Tier 3 admins - These are very similar to Tier 2 but also have access to the passwords for the DA/EA/BA accounts so they can log into a DC if needed in a disaster scenario or in the instance we are adding a new DC.

It is the Tier 2 admins that are giving me a headache in this scenario because they need site server access but I need to limit the access to AD. Maybe we need to give them the domain access but deny access to the OUs they shouldn't be changing. I am not a fan of that idea though...

Thoughts?
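Whatever delegation model ends up being chosen for the site servers, the tiering described above only holds if the Tier 1 and Tier 2 accounts actually stay out of DA, EA and the built-in Administrators group (the BA group in the post). The following PowerShell script is an added example, not code from the original post, that audits exactly that: it resolves the nested membership of those three groups and reports any account from the tier groups that has drifted into them. The group names `Tier1-Admins` and `Tier2-Admins` are hypothetical placeholders for whatever groups hold the tiered accounts; it assumes the RSAT ActiveDirectory module is installed and that it is run against the forest root domain, since that is where Enterprise Admins lives.

```powershell
# Added example (not from the original post): audit that the tiered admin accounts
# stay out of the built-in privileged groups named in the post (DA, EA, BA).
# Assumptions: RSAT ActiveDirectory module installed; run against the forest root
# domain; 'Tier1-Admins' and 'Tier2-Admins' are hypothetical group names.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$TierGroups       = @('Tier1-Admins', 'Tier2-Admins')   # hypothetical names

# Resolve the transitive user membership of each privileged group (nested groups included).
$privilegedMembers = @{}
foreach ($g in $PrivilegedGroups) {
    try {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Could not enumerate '$g': $_"
        continue
    }
    foreach ($m in $members) { $privilegedMembers[$m.SamAccountName] = $g }
}

# Report any Tier 1 / Tier 2 account that has ended up in a privileged group.
$findings = foreach ($tg in $TierGroups) {
    Get-ADGroupMember -Identity $tg -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $privilegedMembers.ContainsKey($_.SamAccountName) } |
        ForEach-Object {
            [pscustomobject]@{
                Account         = $_.SamAccountName
                TierGroup       = $tg
                PrivilegedGroup = $privilegedMembers[$_.SamAccountName]
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled run can raise an alert on drift
} else {
    Write-Output 'OK: no Tier 1/Tier 2 account is a member of DA/EA/BA.'
}
```

Run it on a schedule from a management host rather than on a DC, in keeping with the "never log into the DC" rule in the post; the non-zero exit code is what a task scheduler or monitoring job can key on. It deliberately uses `-Recursive` so that a tiered account nested into a privileged group through an intermediate group is still caught.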
