Domain Admins Group -- Trying to trim membership

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I am being requested to analyze the current 15 - 20 members of the
Domain Admins group with the goal of reducing membership in this
group to an absolute minimum. But it seems at first blush that mem-
bership in this group is necessary to maintain various functionalities.

Is this a common problem in the Windows Server world? Anyone have
similar experiences to share or any advice on attacking this issue?

Thanks!
Tom
 
Well hopefully Uncle Joe will reply also as he is one of the world experts
on this topic. My two cents is that the risk of a misconfiguration or
security breach rises almost exponentially with the number of domain admins
you have so it makes sense to have a rather small group of only the most
very trusted and competent people being domain admins.

In general almost all Active Directory management tasks can be delegated to
a qualified regular domain user by managing AD object permissions. Such
tasks could be creating and managing user and computers accounts, creating
and managing groups, creating and managing OUs, and editing Group Policy. Of
course there are things that only domain level administrators can do but
those tasks such as managing privileged users/group, fsmos, global catalog
servers, installing hardware/software on domain controllers, dcpromoing a
server, installing a Certificate Authority, etc. usually are not done every
day or even every week and domain admins need something to do. An existing
domain controller can also be dcpromoed to a regular server if you need non
domain admins to service it. In a larger network I would think that domain
controllers are only domain controllers running DNS and not also a print,
file, DHCP/wins, or remote access server which make it easier to not want to
allow other users to configure. There is a group called DNS administrators
you can add users to if you need them to manage DNS and not be a domain
level administrator. The white paper in the link below may be helpful. ---
Steve

http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
 
What specific issues are you running into?

I took a DA group that had over 100 members and trimmed it to three
analysts and a manager all sitting within 15 feet of each other with
users and DCs all over the world. This was in a Fortune 5 company with
~375 DCs and 250,000 users, 100k or so groups, hundreds of thousands of
machines, etc.

Trimming down is going to require processes to change and admins to
become more knowledgeable about what they are doing. It may also mean
that the folks who are DAs will pick up some additional
responsibilities. However, it shouldn't be overwhelming though you may
get death threats. I removed my address from the GAL for some time when
I was doing it because people all over the world were telling me they
couldn't do their job without that access. It was all crap of course and
once I scoped that down to the 3 people our Domain Issues pretty much
all disappeared and now that group does 99.99% requests and very rarely
is actually fixing things.

The first question I ask when going into a location that has too many
DAs is who are the 3-5 people who will be fixing the forest when shit
really hits the fan? Those are the people who get the DA and EA
accounts. Everyone else gets normal user accounts with delegated rights
and no permissions to the DCs whatsoever. You work through the things
that the no-Admins need to do and make sure it makes sense. For
instance, if someone has to add drivers to a DC, make them an Enterprise
Admin if you are going to allow it because regardless of what you give
them, changing/adding core level system binaries means they can do
whatever they want anyway. If there is something that absolutely must be
done by a DA, the 3-5 people get the task and whoever used to do it
requests it from them. This is generally a small pool of tasks and if
you just left it at that, your 3-5 DAs wouldn't have much to do. And in
fact, the DAs at the company I mentioned before are some of the calmest
coolest most relaxed DAs I have met in the last 3 or so years of meeting
big enterprise DAs. I go to lunch with them on a regular basis for
lunches that go several hours and their pagers never go off. They VERY
rarely have issues outside of 9-5 to deal with as well.


joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
It is an honorary title I bestow on those that have great wisdom,
experience, and knowledge and unselfishly share with others such as yourself
and Uncle Roger :) --- Steve
 
Tom Glasser said:
I am being requested to analyze the current 15 - 20 members of the
Domain Admins group with the goal of reducing membership in this
group to an absolute minimum. But it seems at first blush that mem-
bership in this group is necessary to maintain various functionalities.

Is this a common problem in the Windows Server world? Anyone have
similar experiences to share or any advice on attacking this issue?
Click to expand...

IMO it is an all too common problem in the world of the administration
of Windows Server. It is not inherent in Windows Server nor AD, but
in the ineffective use of the available capabilities.

Have each justify as to what the account is used for that requires
Domain Admin. Then, you will likely find 90% of that can be
accomplished with account that are not admin but have delegations,
and/or membership in custom groups that are used to receive other
grants (admin on client machine). If you really want to drive the
point home, then have each outline what else is done with the
account (beyond what they said as justification for its being a
Domain Admin) and then show the risks from those uses of the
accounts
 
Back
Top