Hi, I am currently preparing to implement Microsoft's Tiered Administration model + PAWs. I have been following the documentation here: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations#phase-1-immediate-deployment-for-active-directory-administrators
Phase 1 results in the creation of several security groups, including a "Tier 0 Replication Maintenance" group, but then does not reference it again. Based on the PowerShell scripts from https://gallery.technet.microsoft.com/Privileged-Access-3d072563 this group is assigned the following rights to various AD partitions/OUs:
- "Manage Replication Topology" (DS-Replication-Manage-Topology)
- "Replicating Directory Changes"
- "Replicating Directory Changes All"
- "Replication Synchronization"
- "Monitor Active Directory Replication"
Can someone help me understand what the specific capabilities of users in this group would be? It seems to provide a mixture of capabilities wherein users are not Domain Admin equivalents, nor can they add/remove DCs. They are able to replicate password information and similar attributes, and check AD replication data. I'm not certain this kind of group is actually needed in the deployment we are planning but I would like to understand what we would be losing by not including it.
Our long-term goal is to remove all users from Domain Admins, only adding them in when DC/AD operations require it. I would like to make sure that the Tier 0 staff are still able to monitor, troubleshoot and possibly resolve AD replication issues without necessarily needing to be added into Domain Admins. Is that the function of this group? I don't see why it would need "Replicating Directory Changes All" for maintenance, since this seems excessive.
Thanks.
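The question above is about what the five replication rights actually grant. A direct way to answer it for your own forest is to read the ACEs that reference the group on each partition head and map their ObjectType GUIDs to the named control-access rights. The script below is an added example (editor's code, not from the original post, the Microsoft documentation, or the TechNet gallery scripts). It assumes the RSAT ActiveDirectory module is installed and that the group's sAMAccountName is literally "Tier 0 Replication Maintenance" (an assumption; adjust to your deployment). The GUIDs are the schema-defined values for the DS-Replication-* control access rights.

```powershell
# Added example (not part of the original post): enumerate the replication-related
# extended rights a group holds on each naming context and name them, so you can
# see exactly which of the five rights the deployment scripts granted and where.
# Assumes the RSAT ActiveDirectory module; the group name below is an assumption.
Import-Module ActiveDirectory

# Schema-defined GUIDs of the replication control access rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes (Replicating Directory Changes)'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All (Replicating Directory Changes All)'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize (Replication Synchronization)'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Manage-Topology (Manage Replication Topology)'
    'f98340fb-7c5b-4cdb-ba00-2ac4a91ed6f3' = 'DS-Replication-Monitor-Topology (Monitor Active Directory Replication)'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllExtendedRightsGuid = '00000000-0000-0000-0000-000000000000'

function Get-ReplicationRightsForGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string[]]$NamingContexts
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID

    # Default to the three partition heads the deployment scripts touch.
    if (-not $NamingContexts) {
        $root = Get-ADRootDSE
        $NamingContexts = @($root.defaultNamingContext,
                            $root.configurationNamingContext,
                            $root.schemaNamingContext)
    }

    foreach ($nc in $NamingContexts) {
        $acl = Get-Acl -Path "AD:\$nc"
        foreach ($ace in $acl.Access) {
            # Match on SID rather than display name so a renamed group is still found.
            $aceSid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
            if ($aceSid -ne $sid) { continue }

            # Only extended-right ACEs carry a control-access-right GUID in ObjectType.
            $isExtended = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            if (-not $isExtended) { continue }

            $guid = $ace.ObjectType.ToString()
            $name = if ($guid -eq $AllExtendedRightsGuid) { 'ALL extended rights (includes every replication right)' }
                    elseif ($ReplicationRights.ContainsKey($guid)) { $ReplicationRights[$guid] }
                    else { "other extended right $guid" }

            [pscustomobject]@{
                NamingContext = $nc
                AccessType    = $ace.AccessControlType
                Right         = $name
                Inherited     = $ace.IsInherited
            }
        }
    }
}

function Test-CanReplicateSecrets {
    # True when the group is allowed both Get-Changes and Get-Changes-All (or all
    # extended rights) on the same naming context: that pair is what lets a
    # non-DC principal pull secret attributes such as password hashes by replication.
    param([Parameter(Mandatory)][object[]]$Rights)
    $byNc = $Rights | Where-Object { $_.AccessType -eq 'Allow' } | Group-Object NamingContext
    foreach ($g in $byNc) {
        $names = $g.Group.Right
        $all   = $names -match '^ALL extended rights'
        $get   = $names -match 'DS-Replication-Get-Changes \('
        $getAll = $names -match 'DS-Replication-Get-Changes-All'
        if ($all -or ($get -and $getAll)) { return $true }
    }
    return $false
}

# Usage: show what the group holds on each partition, then flag the sensitive pair.
$rights = Get-ReplicationRightsForGroup -GroupName 'Tier 0 Replication Maintenance'
$rights | Sort-Object NamingContext, Right | Format-Table -AutoSize
if (Test-CanReplicateSecrets -Rights $rights) {
    Write-Warning 'Group can replicate secret attributes (Get-Changes + Get-Changes-All); treat membership as Tier 0.'
}
```

Reading the output side by side with the list in the question makes the distinction concrete: Monitor-Topology, Manage-Topology and Synchronize are what repadmin-style inspection, topology changes and forced syncs need, while the Get-Changes pair is what replication of directory data (including secrets, once Get-Changes-All is present) needs. Rerun the script after any change to the deployment scripts or OU delegation so the group's effective rights match what you intended.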