Looking for some suggestions or tips on how to set up our IT admins with delegation and server access. I started at a new organization and saw that every IT staff member is a domain admin. Looks like that allowed everyone to do what they needed to do on the domain and on servers. I have begun the process of trying to organize everyone and give them access to what they actually need. Looking for suggestions on how you have all set your environments up? We aren't a huge organization, all in one location with 10 to 15 IT staff members at a given time. Here is what I thought of doing.

1: Create 2 New Security Groups. 1 for HelpDesk and 1 for Server Operators. Delegate permissions for Helpdesk to add computers as well as reset passwords. Server Operators would have the same but would also add the group as admins of servers they need to have access to. Would still have 2 domain admins with full control.

2: Give both of those new groups access to all shares so they can assist users with deleted files or any other common tasks.

In the future I'll create app-specific admin security groups like CRMAdmins, ExchangeAdmin, etc. where I can put the users that actually need to maintain and work on those servers.

My worry is that since everyone had full access I may cut access to users while I'm trying to secure this thing down. Any thoughts or suggestions on whether this is a good path, or any ideas on how you lay it out, would be appreciated. We are running on a Server 2012 domain. Thanks.

OJC
    Is this a directive you've been given by your boss or is this something you're taking on of your own accord? Taking rights, permissions and access away from people who are used to having unrestricted and unfettered access is probably not going to go over very well. I'm not saying that you're wrong in wanting to implement some best practice in this area but I am saying that if you don't have the directive from and approval of management then you're probably going to encounter some pretty strong resistance and opposition. You're not likely to win any friends or build any goodwill. – joeqwerty Apr 17 '16 at 19:04
  • Thanks for the concern but it's been approved by management to improve overall security of the network. This is one part of some changes for the organization like password policy changes and network access management. – OJC Apr 18 '16 at 05:18

1 Answer

We set up role-based access control for various tasks.

For the team that needs to provision accounts/groups/contacts, we created a separate group. That group is assigned permissions at the top of the domain for:

  • Create/Delete User objects
  • Create/Delete Group objects
  • Create/Delete Contact objects

And then an ACE for each object type (User/Group/Contact) at the top of the domain that grants Full Control for those object types.

Similarly for teams that need to join computers, a separate group that provides access to:

  • Create/Delete Computer objects

Granting full control for computer objects may not be desirable, that would be something you would need to evaluate. Also note that some separate control/process for pre-staging computers is recommended. At the very least, the Domain Controllers OU should remove inheritance for permissions, which would prevent those inherited group permissions from modifying domain controllers.

We do something similar for permissions that may be required for Enterprise Admins. Specifically, this would include the ability to add/modify/delete Sites, or DHCP Administration.

That is basically the pattern you would follow. Identify what access they need, test it in a non-production environment, then implement the access controls in production.

It may be non-obvious/worth mentioning that we don't use the Windows built-in groups such as "Domain Admins" for granting access. When you go the route of creating your own role-based access control groups, you don't need to include Domain Admins or Enterprise Admins.

Greg Askew
  • Thanks for the great info. Really helps in the overall planning on where I need to get this to. Thanks again. – OJC Apr 18 '16 at 05:21
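The delegation pattern from the answer above, as an added PowerShell example that is not part of the original thread: it grants a role group Create/Delete rights plus Full Control for user, group and contact objects at the domain root, then blocks inheritance on the Domain Controllers OU. The group name RBAC-AccountProvisioning is an assumption, and the script assumes it runs as a Domain Admin with the RSAT ActiveDirectory module available.

```powershell
# Added example (not from the original answer): role-based AD delegation.
# Assumes the role group below already exists and the caller is a Domain Admin.
Import-Module ActiveDirectory

$RoleGroup = 'RBAC-AccountProvisioning'          # assumed group name
$DomainDN  = (Get-ADDomain).DistinguishedName
$SchemaNC  = (Get-ADRootDSE).schemaNamingContext
$GroupSid  = (Get-ADGroup $RoleGroup).SID

# Resolve the object class GUID from the schema instead of hard-coding it.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $cls = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$cls.schemaIDGUID
}

$acl = Get-Acl -Path "AD:\$DomainDN"
foreach ($class in 'user', 'group', 'contact') {
    $classGuid = Get-SchemaClassGuid $class

    # ACE 1: Create/Delete child objects of this class on the root and every container below it.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $GroupSid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

    # ACE 2: Full Control limited to existing objects of this class (inherited-object-type ACE),
    # so the group can manage users/groups/contacts without rights on OUs or other classes.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $GroupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)))
}
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

# Block inheritance on the Domain Controllers OU so the new ACEs never reach DC objects.
# The second $true keeps copies of the currently inherited ACEs so existing access is unchanged.
$dcOu  = "AD:\OU=Domain Controllers,$DomainDN"
$dcAcl = Get-Acl -Path $dcOu
$dcAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $dcOu -AclObject $dcAcl

# Verify: list the ACEs now granted to the role group at the domain root.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$RoleGroup" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Run it first against a lab domain, as the answer recommends; the final `Format-Table` output is what you compare against the intended delegation before repeating it in production.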