Need limited domain admin rights user account.

Discussion in 'Server Security' started by Mike Bailey, Aug 8, 2005.

  1. Mike Bailey (Guest)

    I'm a new manager in my company and am "tightening" up some of the security
    here. The domain administrator username/password is used too freely here
    and has not changed in years. I want to change that, but at the same time,
    need to give one of my staff most of the privileges she has under the
    administrator. What I *don't* want her to be able to do is take ownership
    of folders, or change the domain administrator password. In our office,
    most users don't have local admin rights to their PCs, so we log in as the
    domain admin to make certain changes. She will still need this ability. I
    thought about just creating another user ID and adding it as a local admin -
    but that's just something else to maintain on each machine. I'd rather
    create a domain user that has the above restrictions, but still has other
    admin rights.

    Any suggestions on how to create this?

    Thanks,
    Mike
     
    Mike Bailey, Aug 8, 2005
    #1

  2. Roger Abell (Guest)

    One does not "revoke" rights from a Domain Admin.
    One can try for some capabilities, but it will be imperfect and
    they can walk around it if they wanted.

    Rather, the way to go is to define what capabilities a person
    should have and then create an account with those grants of
    user rights, NTFS permissions, AD delegations, etc.
    The best way is to make the grants to a new custom group, and
    give the person(s) new accounts that are members of this group,
    in addition to their normal day-to-day use account.

    Maintaining a WkstnAdmin custom group as a member of the
    machine local administrators group should not be a problem.
    At least, if it is then keeping Domain Admins as members of
    the machine local Administrators group would likely also be.
     
    Roger Abell, Aug 9, 2005
    #2
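    An added example, not from the thread, of the approach Roger describes above: a
    custom group that carries the grants, a separate admin account for the staff
    member in addition to her day-to-day account, and that group placed in the
    machine-local Administrators group on each workstation. It is PowerShell for a
    current Windows domain (ActiveDirectory module on the admin box, LocalAccounts
    module on the workstations, PowerShell remoting enabled); the domain, OU, group
    and account names are assumptions.

```powershell
# Added example, not part of the original thread. Assumed: ActiveDirectory module installed,
# PowerShell remoting to the workstations, and the OU, group and account names below are
# placeholders for whatever the site uses.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$adminOU   = "OU=Admin Accounts,$($domain.DistinguishedName)"   # assumed OU for privileged accounts
$groupName = "WkstnAdmins"                                       # custom group; deliberately NOT Domain Admins
$adminSam  = "jdoe-adm"                                          # second account, separate from the daily-use one

# 1. The group that carries the grants. Rights go to the group, people go into the group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
        -GroupCategory Security -Path $adminOU `
        -Description "Member of local Administrators on workstations; no domain-wide rights"
}

# 2. A dedicated admin account for the staff member (her normal account stays unprivileged).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$adminSam'")) {
    $pw = Read-Host -AsSecureString "Initial password for $adminSam"
    New-ADUser -Name $adminSam -SamAccountName $adminSam -Path $adminOU `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
}
Add-ADGroupMember -Identity $groupName -Members $adminSam

# 3. Make the GROUP a member of the local Administrators group on each workstation.
#    This is done once per machine for the group; later staff changes are AD-only.
#    (A Restricted Groups / Group Policy Preferences GPO does the same thing at scale.)
$member       = "$($domain.NetBIOSName)\$groupName"
$workstations = Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"' -Properties OperatingSystem
foreach ($pc in $workstations) {
    Invoke-Command -ComputerName $pc.Name -ArgumentList $member -ScriptBlock {
        param($m)
        $present = Get-LocalGroupMember -Group "Administrators" -Member $m -ErrorAction SilentlyContinue
        if (-not $present) { Add-LocalGroupMember -Group "Administrators" -Member $m }
        "$env:COMPUTERNAME: $m is in Administrators"
    }
}

# 4. Check that the new account did not land in any built-in privileged group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$groups = (Get-ADUser $adminSam -Properties MemberOf).MemberOf | ForEach-Object { (Get-ADGroup $_).Name }
$leak   = $groups | Where-Object { $privileged -contains $_ }
if ($leak) { Write-Warning "$adminSam is in privileged group(s): $($leak -join ', ')" }
else       { "$adminSam is in: $($groups -join ', ')" }
```

    Domain Admins stays in each machine's local Administrators group by default; this
    adds the custom group alongside it, so the staff member's admin account gets local
    admin on workstations without being a Domain Admin, and her daily account is in
    neither.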

  3. Mike Bailey (Guest)

    I basically understand what you are saying, and yet I don't understand it, or
    rather what to do. The last paragraph is also hard to understand from the
    wording. Are you saying there to create a custom group that would be added
    to each workstation with local administration rights? Part of my problem is
    that I understand the concept of creating a group to give special
    permissions, and then adding users into that group. I just don't know what,
    or how, to give most of the permissions that a Domain Admin would have. I
    guess what would be nice is if someone could say "to create a super user
    that can't take ownership of folders, can't change security settings on
    folders, can't change Administrator passwords, here is what you would do..."

    Mike
     
    Mike Bailey, Aug 9, 2005
    #3
  4. Roger Abell (Guest)

    Part of what I was trying to say was to first, figure out what it is that
    you do want the custom group to be able to do.
    I guess you do in fact want these accounts to be able to do everything
    except for "can't take ownership of folders, can't change security settings
    on folders, can't change Administrator passwords"

    I was thinking that you would have a shorter, and precise list of what
    the account should be able to do, in which case one can work forward
    toward filling those needs with grants and delegations.

    Given what you have stated, I do not see a way to do that.
    The first two of the three things that should not be possible I can
    see how to take away from Administrators and instead grant only
    to some new group SpecialAdmins that should keep the capabilities.
    The second would be extremely labor-intensive to do.
    The last however, not changing pwds of admins (but being able to
    change pwd of other accounts) is not obtainable in local machines
    when working backwards from Administrators.

    Anyway, it is virtually certain that restricting Administrators will
    result in some of those admins finding the ways to get around or
    remove the restrictions.
    You need to go the other direction and list all that you do want
    the people to be able to do.
     
    Roger Abell, Aug 10, 2005
    #4
  5. Mike Bailey (Guest)

    I thought I had found a solution to what I wanted by running the
    Delegate Control Wizard. I was able to select the Group I wanted to
    use and then gave it the rights to manage user passwords and to add
    computers to the Domain. But, when I went back and looked at the actual
    rights assigned, it had added Account Operators, I assumed for the password
    management, and then Domain Admins, I assume to join computers to the
    domain. That put me right back where I was trying to get away from,
    which was not making the user a Domain Admin.

    Is there a way to give a Group or User the rights to join a computer to
    the domain without making them a Domain Admin?

    Mike
     
    Mike Bailey, Aug 16, 2005
    #5
  6. Mike Bailey (Guest)

    I also noticed that the Delegation Wizard seemed to have added the Group
    I was working on, called ITSupport, to every other existing Group. Not
    the results I wanted or was expecting.

    Mike
     
    Mike Bailey, Aug 16, 2005
    #6
  7. Roger Abell (Guest)

    The delegation of control wizard does not add group memberships
    to accounts or (by nesting) groups. It only modifies the ACLs on
    AD objects in order to effect grants to the group (or, bad form, the
    account) to which it is delegating.

    Yes, there is both a group for allowing an account to add computers
    to the domain, and this can also be done with the delegation of
    control wizard. Granting Domain Admin is not needed.
     
    Roger Abell, Aug 17, 2005
    #7
  8. Roger Abell (Guest)

    What "Delegation Wizard" is this ???
     
    Roger Abell, Aug 17, 2005
    #8
  9. Mike Bailey (Guest)

    It was the same Delegation of Control wizard I was speaking about in my
    above post.

    Mike

     
    Mike Bailey, Aug 17, 2005
    #9
  10. Mike Bailey (Guest)

    This is what I did though - I ran the delegation of control wizard and
    only selected "Reset user passwords and force password change" and "Join
    a computer to the domain". When I looked at the security properties of
    the group this was just performed on, the Domain Users group had been added.

    You said that there is a group for allowing an account to add computers
    to the domain without using the Domain Admin - what is that then?

    I have made some screen shots of the selections I made in the delegation
    wizard and of the resulting security settings if you would like to see
    them. They are in a Word doc.

    Thanks,
    Mike

     
    Mike Bailey, Aug 17, 2005
    #10
  11. Roger Abell (Guest)

    Sorry Mike, I was being brain-dead in saying there was a group for
    adding computers to the domain, when I meant that there is a group policy
    setting for that, in the computer tree, local policy / user rights section,
    named Add workstations to domain, and into which you may add the
    groups whose members will be allowed to do this.

    I believe that there was something else going on to cause the group
    change you see and are attributing to an action of the delegation wiz.
    Now, I am not sure what, but it would be the first I have heard of that
    wiz altering groups rather than ACLs.
     
    Roger Abell, Aug 18, 2005
    #11
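    An added example, not from the thread, of granting the two things Mike picked in
    the Delegation of Control wizard (reset user passwords with "change at next
    logon", and join computers to the domain) to a plain group, so that neither
    Domain Admins nor Account Operators is involved, and of checking the two
    domain-wide defaults behind Roger's "Add workstations to domain" answer. The
    Add workstations to domain user right lives in the Default Domain Controllers
    Policy and is held by Authenticated Users out of the box, paired with the
    ms-DS-MachineAccountQuota attribute on the domain (default 10), so ordinary users
    can already join up to ten machines; delegating joins per OU and setting the
    quota to 0 replaces that. It is PowerShell plus dsacls.exe; the group and OU
    names are assumptions, and the set of computer-object rights is the usual one
    for a join delegation.

```powershell
# Added example, not part of the original thread. Assumed: run once as a Domain Admin,
# ActiveDirectory module present, dsacls.exe available (RSAT or a DC). The names
# ITSupport, OU=Staff and OU=Workstations are placeholders.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dn      = $domain.DistinguishedName
$grp     = "$($domain.NetBIOSName)\ITSupport"
$staffOU = "OU=Staff,$dn"          # users whose passwords ITSupport may reset
$wkstnOU = "OU=Workstations,$dn"   # where ITSupport may create / join computers

# --- Task 1: "Reset user passwords and force password change at next logon" ---
# The wizard task grants the Reset Password control-access right plus read/write of
# pwdLastSet, on user objects below the OU (/I:S = apply to sub-objects only).
dsacls $staffOU /I:S /G "${grp}:CA;Reset Password;user"
dsacls $staffOU /I:S /G "${grp}:RPWP;pwdLastSet;user"

# --- Task 2: "Join a computer to the domain", with no Domain Admins membership ---
# Create/delete computer objects in the OU (the creator becomes owner of what it creates),
# plus the rights needed to join to a computer object that someone else pre-created.
dsacls $wkstnOU /I:T /G "${grp}:CCDC;computer"
dsacls $wkstnOU /I:S /G "${grp}:CA;Reset Password;computer"
dsacls $wkstnOU /I:S /G "${grp}:WS;Validated write to DNS host name;computer"
dsacls $wkstnOU /I:S /G "${grp}:WS;Validated write to service principal name;computer"
dsacls $wkstnOU /I:S /G "${grp}:WP;Account Restrictions;computer"

# --- The domain-wide default that makes "who may join" confusing ---
# Authenticated Users hold "Add workstations to domain" on the DCs by default and each
# user may create up to ms-DS-MachineAccountQuota computer accounts. With joins now
# delegated per OU, set the quota to 0 so nobody joins machines by accident of default.
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota is currently $quota"
if ($quota -ne 0) {
    Set-ADDomain -Identity $domain.DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# --- Verify: what the OU ACLs now say about ITSupport, and that it gained no memberships ---
foreach ($ou in $staffOU, $wkstnOU) {
    "`n== $ou =="
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*ITSupport" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      InheritanceType, ObjectType, InheritedObjectType |
        Format-Table -AutoSize
}
# Delegation writes ACEs on the OU; it never adds the group to anything. This should be empty:
(Get-ADGroup ITSupport -Properties MemberOf).MemberOf
```

    The verification step is the one to run after any wizard pass: the grants appear as
    ACEs on the OU object, with ObjectType naming the right or attribute they apply to,
    and the group's own MemberOf stays exactly as it was.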
  12. Mike Bailey (Guest)

    I got to looking and every group in my domain has the same security
    settings, apparently by "default." I don't know what created that
    default, or if what I'm seeing is the "normal" default. It does seem
    that the group I was working with using the delegate control wizard is
    not in every group as I thought I saw - could have sworn it was there
    though! Every group does have the following items listed in the security
    tab. This includes any new groups that I create. Is this "normal?"

    Account Operators (domain_name\Account Operators)
    Account Unknown(S-1-5-21-3423703923-74...
    Administrators (domain_name\Administrators)
    Authenticated Users
    Domain Admins (domain_name\Domain Admins)
    Enterprise Admins (domain_name\Enterprise Admins)
    ENTERPRISE DOMAIN CONTROLLERS
    Pre-Windows 2000 Compatible Access (domain_name\...
    SELF
    SYSTEM
    Windows Authorization Access Group (domain_name\...
     
    Mike Bailey, Aug 19, 2005
    #12
  13. Roger Abell (Guest)

    I believe you are looking at the permission on the group object
    when it is defined in AD.
    This is different from the members in the group, and from the
    memberships of the group in other groups.
    What you are (apparently) looking at is the ACL that controls
    who may access the group object in which ways. For example,
    Domain Admins will have full control over the group while
    plain users will normally have the ability to query the members
    listing for the group, etc..
    Exactly what ACL is assigned onto a newly defined group object
    is impacted by the default SD that exists on the class for group
    objects in the AD Schema, and also on where in AD the new group
    object is being defined (ex. is it within an OU area where there has
    been a delegation of the ability to manage memberships in groups).
     
    Roger Abell, Aug 21, 2005
    #13
  14. Roger Abell (Guest)

    PS. I should have added, the ACL you are looking at is exactly what
    does get adjusted by the delegation wiz - at least the ACL of the object
    where you are doing the delegation such as of the OU container object.
     
    Roger Abell, Aug 21, 2005
    #14
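    An added example, not from the thread, that makes the distinction in the last two
    posts concrete: it reads the ACL on the group object itself (what the Security tab
    shows), separates the explicit ACEs, which come from the defaultSecurityDescriptor
    of the schema class "group", from the inherited ones, which come from an OU or the
    domain head (where a Delegation of Control run lands), resolves the ObjectType
    GUIDs to right and attribute names, and then lists the group's members and its own
    memberships for contrast. PowerShell with the ActiveDirectory module; the group
    name ITSupport is taken from the thread and is a placeholder.

```powershell
# Added example, not part of the original thread. Assumed: ActiveDirectory module present
# and a group named ITSupport (placeholder) in the domain.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# GUID -> name map for the ObjectType of an AD ACE: attributes and classes come from the
# schema (schemaIDGUID); control-access rights and property sets from Extended-Rights.
$guidNames = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

function Get-GroupObjectAcl {
    # ACEs on the GROUP OBJECT: who may do what to the group. This is what the Security
    # tab lists. It is neither the group's members nor the groups it belongs to.
    param([string]$GroupName)
    $g = Get-ADGroup -Identity $GroupName
    (Get-Acl -Path "AD:\$($g.DistinguishedName)").Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference
            Rights    = $_.ActiveDirectoryRights
            Type      = $_.AccessControlType
            # Explicit = from the class default SD (or a direct edit of this object);
            # Inherited = from an OU or the domain head, e.g. a wizard delegation done there.
            Inherited = $_.IsInherited
            Applies   = if ($_.ObjectType -eq [guid]::Empty) { '(all)' }
                        elseif ($guidNames.ContainsKey($_.ObjectType)) { $guidNames[$_.ObjectType] }
                        else { $_.ObjectType }
        }
    }
}

function Get-ClassDefaultAcl {
    # The defaultSecurityDescriptor on a schema class is where the "default" ACL that every
    # newly created group carries comes from (Account Operators, Authenticated Users, SELF...).
    param([string]$Class = 'group')
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Class)" -Properties defaultSecurityDescriptor
    $sd  = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($cls.defaultSecurityDescriptor)
    $sd.Access | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
}

# Usage: compare what the schema default gives every new group with what ITSupport has.
"== defaultSecurityDescriptor of class 'group' =="
Get-ClassDefaultAcl | Format-Table -AutoSize
"== ACL on the ITSupport object (explicit first, then inherited) =="
Get-GroupObjectAcl -GroupName ITSupport | Sort-Object Inherited, Identity | Format-Table -AutoSize
# The two things the Security tab does NOT show:
"== members of ITSupport =="
Get-ADGroupMember ITSupport | Select-Object Name, objectClass
"== ITSupport is a member of =="
(Get-ADGroup ITSupport -Properties MemberOf).MemberOf
```

    Run against a freshly created group, the explicit half of the first listing lines up
    with the entries Mike pasted in post #12; anything marked Inherited was written on a
    container above the group, and its Applies column says which right or attribute it
    covers.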
