administrative policies


John M

Does anyone know or would like to share some policies for using
administrative groups in AD, such as domain admin, administrators etc.?
Some best practices we want to put into a policy are: admin people's user
accounts are not part of any admin groups, they are just normal users. Each
analyst would have a special domain 'administrative' account, giving only
the rights needed. Also some way to limit who gets the accounts, and how they
would get them.

thanks
John
 
This is very good to do, and what I put into place when we migrated our 8000
users to AD.

Basically, no regular day-to-day account is allowed to be given admin
rights. All administration is done using the "run as" command, or if
necessary by temporarily logging in to it locally or on a server using
Terminal Server. All administrative accounts are the same as their regular
account, but with an "a" appended to the end.

Additionally, all rights to these accounts are controlled by very granular,
role-based groups, so by looking at "member of" it's very clear what
permissions they have.

Steve
 
Did you create a written policy for this or just make it a practice? I'd be
interested in seeing one.
 
Below is the applicable section from our Active Directory Operations Guide.
It's not considered "policy", however I may seek to have it put into our
Information Security Policy so it can be enforced better, and be applicable
beyond just AD. For now I just do spot checks and contact an admin if they
have inappropriately granted admin rights to a regular account.

The LAN Administrator's "A" Account
LAN Administrators will have two user accounts in Active Directory. Their
primary user account will be used to log into the domain from their
workstation, authenticate to network resources, and send/receive email.
Their secondary account will be their administrator account used for
performing operational maintenance in their respective OU. This
administrator account will be easily recognizable by the "A" suffix attached
to their user ID. Whenever administrative tasks (e.g. password resets,
adding computers to the domain, changing group memberships, etc.) are
required, the LAN Administrator will always use the "A" account. This is
the only account that has administrative permissions.

After LAN Administrators have been given their "A" accounts, they will then
have the ability to create additional "A" accounts in their respective OUs.
LAN Administrators should strictly enforce using the "A" account model, and
not grant administrative rights directly to standard accounts within Active
Directory.

NOTE: There may be situations that warrant logging into a
workstation/server directly with the "A" administrator account, however,
most administrative tasks should be satisfied by using the "Run As" command
(see section 2.4 - Use of the "Run As" Command and Advanced Features).
 
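An added spot-check script (not from the thread or from the operations guide quoted above) that automates the audit Steve describes: it lists every user in the privileged groups whose logon name does not carry the admin suffix, so a regular account that was granted admin rights directly stands out. The group list, the suffix letter, the exclusion list and the use of the ActiveDirectory RSAT module are assumptions for this example.

```powershell
# Added example, not part of the thread: audit privileged AD groups for members that
# do not follow the "A"-account naming convention. Assumes the ActiveDirectory module
# (RSAT) and read access to the domain; group names, suffix and exclusions are assumptions.
Import-Module ActiveDirectory

function Find-NonCompliantAdminMembers {
    param(
        # Privileged groups to audit; extend to match the environment.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        # Convention from the thread: admin account = regular logon name + "a" (e.g. jsmitha).
        [string]$AdminSuffix = 'a',
        # Built-in accounts that legitimately sit in these groups without the suffix.
        [string[]]$Exclude = @('Administrator')
    )

    $findings = foreach ($group in $Groups) {
        # -Recursive expands nested groups so indirect membership is caught as well.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') { continue }        # skip computers, gMSAs, etc.
            $sam = $m.SamAccountName
            if ($Exclude -contains $sam) { continue }
            # Logon names are case-insensitive in Windows, so compare the suffix that way.
            if (-not $sam.EndsWith($AdminSuffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $user = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate
                [pscustomobject]@{
                    Group             = $group
                    SamAccountName    = $sam
                    Enabled           = $user.Enabled
                    LastLogonDate     = $user.LastLogonDate
                    DistinguishedName = $m.distinguishedName
                }
            }
        }
    }
    return $findings
}

# Anything reported here is a regular account holding admin rights directly and
# should be followed up with the LAN Administrator who owns that OU.
$report = Find-NonCompliantAdminMembers
if ($report) {
    $report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
} else {
    Write-Host 'All privileged group members follow the admin-account naming convention.'
}
```

Running this on a schedule and diffing the output against the previous run turns the manual spot check into a repeatable control that also catches memberships added through nested groups.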